Malware Analysis Report

2024-11-30 02:09

Sample ID 240329-ccjylsfa85
Target cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
SHA256 cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
Tags
glupteba stealc zgrat discovery dropper evasion loader persistence ransomware rat rootkit spyware stealer themida trojan rhadamanthys upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774

Threat Level: Known bad

The file cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774 was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion loader persistence ransomware rat rootkit spyware stealer themida trojan rhadamanthys upx

Stealc

Glupteba

Windows security bypass

ZGRat

Detect ZGRat V1

Rhadamanthys

Modifies firewall policy service

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects DLL dropped by Raspberry Robin.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Downloads MZ/PE file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Windows security modification

Themida packer

Drops startup file

Executes dropped EXE

UPX packed file

Reads user/profile data of local email clients

Checks BIOS information in registry

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Checks installed software on the system

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMon driver.

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 01:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 01:55

Reported

2024-03-29 02:00

Platform

win7-20240221-en

Max time kernel

294s

Max time network

273s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IwSN88VFekLWFrwgiwxtlwrs.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JNdY3i8xKCQ3vvXlSBIg1WYG.exe = "0" C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JAcRULfX9lJgcI5R0LFTk3pD.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pWZbrYJwzXloUeHjjVKDHyuf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H0fPEQUnMEevUe2HQ6rREBdA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JVswAr7mkeU7QDODP4oBwN0h.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yAaaZxTS18B3xGpuaTRX5szt.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5KxcVYetUDRRI1fafJz79FEb.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YCvVJEjmgSRoNGXpE0BPtRUr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YjvyF6cWFkLaatkh15BqjPmR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vntxwULZL7DP0t50yD8sd04B.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IwSN88VFekLWFrwgiwxtlwrs.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JNdY3i8xKCQ3vvXlSBIg1WYG.exe = "0" C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240329015603.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data omitted) C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
N/A N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
N/A N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
N/A N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
N/A N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
N/A N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
N/A N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
N/A N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
N/A N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
N/A N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
N/A N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
N/A N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2324 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2572 wrote to memory of 2372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Y26ARuyOzJqGmxuwLn691vVn.exe
PID 2572 wrote to memory of 2372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Y26ARuyOzJqGmxuwLn691vVn.exe
PID 2572 wrote to memory of 2372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Y26ARuyOzJqGmxuwLn691vVn.exe
PID 2572 wrote to memory of 2372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Y26ARuyOzJqGmxuwLn691vVn.exe
PID 2572 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe
PID 2572 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe
PID 2572 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe
PID 2572 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe
PID 2572 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe
PID 2572 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe
PID 2572 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe
PID 2572 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe
PID 2572 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe
PID 2572 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe
PID 2572 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe
PID 2572 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe
PID 2184 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe
PID 2184 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe
PID 2184 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe
PID 2184 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe
PID 2740 wrote to memory of 1704 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 1704 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 1704 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 1704 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\system32\cmd.exe
PID 1704 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1704 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1704 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2308 wrote to memory of 1756 N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 1756 N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 1756 N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 1756 N/A C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe C:\Windows\system32\cmd.exe
PID 1756 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1756 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1756 wrote to memory of 1900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2740 wrote to memory of 1284 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\rss\csrss.exe
PID 2740 wrote to memory of 1284 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\rss\csrss.exe
PID 2740 wrote to memory of 1284 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\rss\csrss.exe
PID 2740 wrote to memory of 1284 N/A C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe C:\Windows\rss\csrss.exe
PID 2572 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe
PID 2572 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe
PID 2572 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe
PID 2572 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe
PID 1284 wrote to memory of 2596 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe

"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\system32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'

C:\Users\Admin\Pictures\Y26ARuyOzJqGmxuwLn691vVn.exe

"C:\Users\Admin\Pictures\Y26ARuyOzJqGmxuwLn691vVn.exe"

C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe

"C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe"

C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe

"C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240329015603.log C:\Windows\Logs\CBS\CbsPersist_20240329015603.cab

C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe

"C:\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe"

C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe

"C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe"

C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe

"C:\Users\Admin\Pictures\JNdY3i8xKCQ3vvXlSBIg1WYG.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe

"C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe

"C:\Users\Admin\Pictures\WeuTVJxUIrABfpxWjSAwDt4P.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe

"C:\Users\Admin\Pictures\A7f4GQvHwSkuWqFphQ8BqUvO.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKKEHJDHJK.exe"

C:\Users\Admin\AppData\Local\Temp\JKKEHJDHJK.exe

"C:\Users\Admin\AppData\Local\Temp\JKKEHJDHJK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JKKEHJDHJK.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.34.170:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 net.geo.opera.com udp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.160.247:443 operandotwo.com tcp
US 104.21.13.170:443 sty.ink tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 172.67.200.219:443 sty.ink tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 104.21.63.71:443 lawyerbuyer.org tcp
GB 95.101.143.19:80 apps.identrust.com tcp
US 8.8.8.8:53 guseman.org udp
US 172.67.173.167:443 guseman.org tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 96b888af-7aa2-4603-90a2-606976dbfe12.uuid.statsexplorer.org udp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.49:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 server4.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun4.l.google.com udp
BG 185.82.216.108:443 server4.statsexplorer.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server4.statsexplorer.org tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.108:443 server4.statsexplorer.org tcp

Files

memory/1976-4-0x000000001B500000-0x000000001B7E2000-memory.dmp

memory/1976-5-0x0000000002340000-0x0000000002348000-memory.dmp

memory/1976-6-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/1976-7-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/1976-8-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/1976-9-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/1976-10-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/1976-13-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2572-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-20-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2572-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-25-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-28-0x0000000074940000-0x000000007502E000-memory.dmp

memory/2572-29-0x0000000001230000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2AEE.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

\Users\Admin\Pictures\Y26ARuyOzJqGmxuwLn691vVn.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/2372-133-0x0000000000B80000-0x0000000000C80000-memory.dmp

memory/2372-134-0x00000000002A0000-0x00000000002EA000-memory.dmp

memory/2372-137-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/2372-138-0x00000000002A0000-0x00000000002EA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6ca870d420340cb375720c986ce54eb
SHA1 e33c2ea84c037bc11b39f2c05b1a9af78523e9a9
SHA256 dba6cef09ac55a39653bf5e662493e3a455e39e52b84fc8e17038a66d3699495
SHA512 f0a3c33e48bdc58e7038507a2b9490a07f6affee36c2f68355bd030da45a05395c0ed32e1b519ce1d508d37f75ece60ee54b62c9e877340c8035c90ae3157217

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a131eed3153235ed8c03f3f885ba131
SHA1 edb102ab8baa798b411b9c8a89e03ef1678c6824
SHA256 529a5570bf38975128b89c430a048c6e89e9409082d1cb8ae8126777b9bef91c
SHA512 5eeb4e1aba94cdd0b7d7be1e97df524120899a28e1f2f378ed4e24f79e608483c536ec2e9607ff22ebbd568bef59fd1dcb97c2dfab5af007e38750a5a3b9bd04

\Users\Admin\Pictures\IwSN88VFekLWFrwgiwxtlwrs.exe

MD5 80fbcd8bcab6ddca53a467dfc54b2123
SHA1 5394a3de0dc598eeba66870d9070f54e8b137ede
SHA256 fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b
SHA512 d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 debcc6bf311d5a1117a7cb8698a34952
SHA1 8393f518d1a33837813931f3c7fcb15bdc8aff56
SHA256 9e27f4ff599e894a55c6856104eb97f913f423523c9442fd675e876899500a5f
SHA512 96d87cababd57c791d32daa1197416ef553fdfd7c97850e38647fdbb256faaba060d18cbf81efbe2c6ce639af26a12118d32717f9cf1cedf2aba7c163d3641f2

memory/708-217-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/708-230-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/708-257-0x0000000002B30000-0x000000000341B000-memory.dmp

C:\Users\Admin\Pictures\Xwdgu0vdWYM5M4JY6vcSG7kg.exe

MD5 8bc396803bf0c509173078f354cb293b
SHA1 8a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0
SHA256 e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 01:55

Reported

2024-03-29 02:00

Platform

win10-20240214-en

Max time kernel

300s

Max time network

301s

Command Line

sihost.exe

Signatures

Detects DLL dropped by Raspberry Robin.


Glupteba

loader dropper glupteba

Glupteba payload


Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3280 created 3052 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe c:\windows\system32\sihost.exe

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IghSIiMRWjcDqhHAnwMpJ3Pr.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe = "0" C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\tWzJFY5lCEs971jzvjtpChBA.exe = "0" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cx0JGQso4gy8sH8AIHWY0Owm.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DxDWc1S1MFA7WAcNE4aOX5bZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JQST9ZeBIXXJ99KlwgfzRjaP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QQ37gBKMZBRKaP4QMweZNbDo.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EApJY0tLVz74ywj3ILC7JrRa.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H5vCWu7iHLbVGeM3k6J3QFc7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IIKVeu9o4xHTIbBSXPFJ8CXV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rXUsKiEAh28wwHNYhXAkqihR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XjpNgF7vN5mvnlfWtUA8Ktg1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\odvbPXePQz0fzyxnQnzasHgv.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C5pmJiCKxmHfn9lw6rROCkAU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe N/A
N/A N/A C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe N/A
N/A N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
N/A N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3mc.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A
N/A N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe N/A
N/A N/A C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
N/A N/A C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\bbyxybZHJR10CmNKMjucykb4.exe N/A
N/A N/A C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
N/A N/A C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\assistant_installer.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IghSIiMRWjcDqhHAnwMpJ3Pr.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\tWzJFY5lCEs971jzvjtpChBA.exe = "0" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe = "0" C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3mc.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3mc.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3mc.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe N/A
N/A N/A C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe N/A
N/A N/A C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe N/A
N/A N/A C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
N/A N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
N/A N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
N/A N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4224 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4224 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\SYSTEM32\cmd.exe
PID 4224 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\SYSTEM32\cmd.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4224 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4600 wrote to memory of 3744 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4600 wrote to memory of 3744 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 644 wrote to memory of 4692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe
PID 644 wrote to memory of 4692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe
PID 644 wrote to memory of 4692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe
PID 644 wrote to memory of 2324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe
PID 644 wrote to memory of 2324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe
PID 644 wrote to memory of 2324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe
PID 644 wrote to memory of 4132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe
PID 644 wrote to memory of 4132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe
PID 644 wrote to memory of 4132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe
PID 644 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe
PID 644 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe
PID 644 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe
PID 4132 wrote to memory of 1836 N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1836 N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1836 N/A C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1352 wrote to memory of 2532 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 2532 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 2532 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1352 wrote to memory of 3280 N/A C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 644 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe
PID 644 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe
PID 644 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe
PID 644 wrote to memory of 200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe
PID 644 wrote to memory of 200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe
PID 644 wrote to memory of 200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe
PID 4692 wrote to memory of 3808 N/A C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe
PID 4692 wrote to memory of 3808 N/A C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe
PID 4692 wrote to memory of 3808 N/A C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe
PID 3280 wrote to memory of 3804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3280 wrote to memory of 3804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3280 wrote to memory of 3804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3280 wrote to memory of 3804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3280 wrote to memory of 3804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2004 wrote to memory of 744 N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 744 N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 744 N/A C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 4280 N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 4280 N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 200 wrote to memory of 4280 N/A C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 1808 N/A C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe C:\Users\Admin\AppData\Local\Temp\u3mc.1.exe

Uses Task Scheduler COM API

persistence

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe

"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'

C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe

"C:\Users\Admin\Pictures\N8IxbZuGvwIbcTDjUev4TVvC.exe"

C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe

"C:\Users\Admin\Pictures\QQImI0DQ5Np0eWvJ5E5C5PIv.exe"

C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe

"C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe"

C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe

"C:\Users\Admin\Pictures\P4Ygqg9O1rahNMDuFMMeqCfW.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 844

C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe

"C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe"

C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe

"C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe"

C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3mc.0.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u3mc.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3mc.1.exe"

C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe

"C:\Users\Admin\Pictures\Z0uxFQ4XeLEBdwIGRhhsXODH.exe"

C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe

"C:\Users\Admin\Pictures\tWzJFY5lCEs971jzvjtpChBA.exe"

C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe

"C:\Users\Admin\Pictures\IghSIiMRWjcDqhHAnwMpJ3Pr.exe"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe

"C:\Users\Admin\Pictures\Vj9LM9ZmQJ40BIJ6KDDVSjWD.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe"

C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe

"C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe"

C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe

"C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe" --silent --allusers=0

C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe

C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6aa2e1d0,0x6aa2e1dc,0x6aa2e1e8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FBAKEHIEBK.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\bbyxybZHJR10CmNKMjucykb4.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\bbyxybZHJR10CmNKMjucykb4.exe" --version

C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe

"C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4136 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329015655" --session-guid=5fc05d8e-be95-4c03-8d81-32c60104b8ba --server-tracking-blob=[blob omitted] --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4804000000000000

C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe

C:\Users\Admin\Pictures\bbyxybZHJR10CmNKMjucykb4.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x6cf6e1d0,0x6cf6e1dc,0x6cf6e1e8

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290156551\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x1010040,0x101004c,0x1010058

Network


Files
