Malware Analysis Report

2024-11-30 02:12

Sample ID 240329-fy67tabc67
Target tmp
SHA256 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
Tags
glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer themida trojan lumma rhadamanthys
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer themida trojan lumma rhadamanthys

Rhadamanthys

ZGRat

Detect ZGRat V1

Modifies firewall policy service

Windows security bypass

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

Glupteba payload

Lumma Stealer

Stealc

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Themida packer

Reads data files stored by FTP clients

Drops startup file

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Windows security modification

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Manipulates WinMonFS driver.

Adds Run key to start application

Manipulates WinMon driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Checks processor information in registry

Runs ping.exe

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Creates scheduled task(s)

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 05:17

Reported

2024-03-29 05:20

Platform

win7-20240221-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\i3vS9tlYhhipSBsIzVVViAOw.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xn8xcP6R5Y0MisAjbYBpkWI0.exe = "0" C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3lY5kj5zEAhBwTcl9Yy8GsjL.exe = "0" C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MOgbtrbho8mYY7pp8pqnEsZh.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYv6G2iBvR9VBEPs2wIxo5PK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GYeQaf1COaEIv8dpGCo6ib7x.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lUAkGPiJ8rm66aKDtHuacopB.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7Boe3fkKCNazqZIHe5XWwECA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FBMQclWILE7w3WtvAMvvKehR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A6buOfxr1yHGKUrYP7SICNI2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bMZm6Eh7oO5q6wgJGTqjyAnf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\THHZ974aeHnw0GIApZno2rdr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xn8xcP6R5Y0MisAjbYBpkWI0.exe = "0" C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\i3vS9tlYhhipSBsIzVVViAOw.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3lY5kj5zEAhBwTcl9Yy8GsjL.exe = "0" C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
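The rows in the "Windows security bypass", "Drops file in Drivers directory", "Drops startup file" and "Adds Run key to start application" tables above are the artefacts worth carrying to other hosts: Defender exclusions for C:\Windows\rss and C:\Windows\System32\drivers, a Run value named csrss that points at C:\Windows\rss\csrss.exe, Winmon.sys in the drivers directory, and the random-named .bat files CasPol.exe writes to the Startup folder. The following is an added example, not part of this report: it parses rows in the report's own "Description Indicator Process Target" layout, tags the ones that match a hunting rule, and rewrites the sandbox's kernel-style \REGISTRY\MACHINE and \REGISTRY\USER paths into the HKLM\ and HKU\ form that reg query or Get-ItemProperty take. The rule names are made up here; the sample rows are copied from the tables above, plus one of the detail-less "N/A N/A" rows the report prints for hits without indicators.

```python
"""Turn this report's flat indicator rows into host-hunting artefacts (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: rows copied from the tables above, exactly as the
# report prints them ("Description Indicator Process Target", Target = N/A).
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A',
    r'File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MOgbtrbho8mYY7pp8pqnEsZh.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A',
    r'File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A',
    r'N/A N/A C:\Windows\system32\netsh.exe N/A',   # detail-less row, as the report prints for some hits
]

# Row prefixes the report uses in the Description column.
ACTIONS = (
    "Set value (int)", "Set value (str)", "Set value (data)",
    "Key value queried", "Key created", "Key opened", "Key queried", "Key enumerated",
    "File opened for modification", "File opened (read-only)", "File created",
)


@dataclass
class Event:
    action: str
    indicator: str          # registry path, file path or device object
    value: Optional[str]    # only for "Set value" rows, quoted as the report prints it
    process: str
    target: str


def parse_row(line: str) -> Optional[Event]:
    """Split one row; returns None for the report's detail-less "N/A N/A ..." rows."""
    if line.startswith("N/A "):
        return None
    rest, _, target = line.rpartition(" ")          # Target column (never contains spaces here)
    if rest.endswith(" N/A"):                        # row without a process
        process, rest = "N/A", rest[:-4]
    else:                                            # process path starts at the last " C:\" or " \??\"
        cut = max(rest.rfind(" C:\\"), rest.rfind(" \\??\\"))
        if cut < 0:
            raise ValueError(f"no process column in row: {line!r}")
        process, rest = rest[cut + 1:], rest[:cut]
    action = next((a for a in ACTIONS if rest.startswith(a + " ")), None)
    if action is None:
        raise ValueError(f"unknown action in row: {line!r}")
    indicator, sep, value = rest[len(action) + 1:].partition(" = ")
    return Event(action, indicator, value if sep else None, process, target)


HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


def to_hive_path(nt_path: str) -> str:
    """Kernel-style REGISTRY path -> the HKLM / HKU form reg.exe and PowerShell take."""
    for prefix, hive in HIVES:
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def classify(ev: Event) -> Optional[str]:
    """Map an event to the hunting rule it evidences, if any (rule names are ours)."""
    ind = ev.indicator.lower()
    if ev.action.startswith("Set value") and "\\windows defender\\exclusions\\" in ind:
        return "defender_exclusion"
    if ev.action.startswith("Set value") and "\\currentversion\\run\\" in ind:
        return "run_key_persistence"
    if ev.action == "File created" and "\\system32\\drivers\\" in ind:
        return "driver_drop"
    if ev.action == "File created" and "\\start menu\\programs\\startup\\" in ind:
        return "startup_folder"
    if ev.action.startswith("File opened") and ind.startswith("\\??\\"):
        return "device_object_access"    # anti-VM probe (VBox*) or rootkit control device (WinMon*)
    if ev.action.startswith("Key") and ind.endswith("\\policies\\system\\enablelua"):
        return "uac_check"
    return None


def hunt(rows: List[str]) -> List[Tuple[str, str, str]]:
    """(rule, process, artefact) for every row a rule matches; registry paths come back hive-prefixed."""
    hits = []
    for line in rows:
        ev = parse_row(line)
        rule = classify(ev) if ev else None
        if rule is None:
            continue
        artefact = to_hive_path(ev.indicator) if ev.indicator.startswith("\\REGISTRY\\") else ev.indicator
        hits.append((rule, ev.process, artefact))
    return hits


if __name__ == "__main__":
    for rule, process, artefact in hunt(ROWS):
        print(f"{rule:22} {process}\n{'':22} {artefact}")
```

Locating the process column by the last " C:\" or " \??\" in the row is a heuristic that holds for every row in this report (the Run value's embedded path is preceded by a quote, not a space, so it is not mistaken for the process); a row whose Target is a path containing spaces would need the parser extended.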

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2352 set thread context of 2380 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A

Drops file in Windows directory

Note: the CbsPersist_*.cab that makecab.exe writes under C:\Windows\Logs\CBS is the servicing stack archiving its own CBS.log, background Windows activity rather than an action of the sample; the entries of interest in this table are C:\Windows\rss\csrss.exe and C:\Windows\windefender.exe.

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240329051809.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Note: the MuiCache values below are strings cached by the MUI resource loader (time-zone display names from tzres.dll, netsh helper descriptions) and record only that the process looked those strings up; they are a side effect of the process enumerating time zones and of netsh loading its helpers, not tampering with anything.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
N/A N/A C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2352 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\system32\WerFault.exe
PID 2380 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe
PID 2380 wrote to memory of 1544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\OaVCG3E5HaPViLqhA0sldQvH.exe
PID 2380 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe
PID 2380 wrote to memory of 2980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe
PID 2380 wrote to memory of 2328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe
PID 1948 wrote to memory of 540 N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe
PID 1948 wrote to memory of 1044 N/A C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe
PID 1352 wrote to memory of 816 N/A C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe C:\Windows\system32\cmd.exe
PID 816 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2380 wrote to memory of 1952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe
PID 2324 wrote to memory of 2128 N/A C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2192 wrote to memory of 840 N/A C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe C:\Windows\system32\cmd.exe
PID 840 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2352 -s 784

C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe

"C:\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe"

C:\Users\Admin\Pictures\OaVCG3E5HaPViLqhA0sldQvH.exe

"C:\Users\Admin\Pictures\OaVCG3E5HaPViLqhA0sldQvH.exe"

C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe

"C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe"

C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe

"C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe"

C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe

"C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe"

C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240329051809.log C:\Windows\Logs\CBS\CbsPersist_20240329051809.cab

C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe

"C:\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe"

C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe

"C:\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe"

C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe

"C:\Users\Admin\Pictures\3lY5kj5zEAhBwTcl9Yy8GsjL.exe"

C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe

"C:\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe"

C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe

"C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

memory/2352-0-0x0000000000E50000-0x0000000000E5C000-memory.dmp

memory/2352-1-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/2352-2-0x000000001B420000-0x000000001B4A0000-memory.dmp

memory/2352-3-0x0000000000B20000-0x0000000000B7E000-memory.dmp

memory/2380-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-6-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-8-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2380-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-18-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2380-19-0x0000000004CD0000-0x0000000004D10000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Temp\Tar30C8.tmp


\Users\Admin\Pictures\thMrdJRzne4h9cW8HcH2Ukif.exe


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

memory/1948-189-0x0000000000C20000-0x0000000000D20000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ef87bb41aae002f28972682102b4e54
SHA1 572e379a6cf298392a44391a4cf115dc84f5e371
SHA256 b0c581d019973ed29a601d64c028e9fba1380018d0602e3a926b3c5da3470a89
SHA512 4bed9eeae3c67284877d4e75f511ebdfeaba003e8fcd665ec7e0ceda70d29b395ffb1705d5c4fd94bc72f8742d29620f102536d8e3d1b3ec3ec34ca056fd94d8

memory/1948-270-0x0000000000230000-0x000000000029E000-memory.dmp

\Users\Admin\Pictures\OaVCG3E5HaPViLqhA0sldQvH.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/1948-320-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1544-333-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/1544-335-0x0000000000C04000-0x0000000000C2F000-memory.dmp

memory/1544-334-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1544-331-0x00000000002E0000-0x000000000032A000-memory.dmp

\Users\Admin\Pictures\xn8xcP6R5Y0MisAjbYBpkWI0.exe

MD5 80fbcd8bcab6ddca53a467dfc54b2123
SHA1 5394a3de0dc598eeba66870d9070f54e8b137ede
SHA256 fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b
SHA512 d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c104da4399f979090220bdc4f7b5c7a
SHA1 0090fcaf77b10ab291a803e25881804b56570f82
SHA256 bcbe63581fad6daeeb19bbc0f663b7c99469c9dc677b377a72ceaa963d141c37
SHA512 b99c3824d927c8dd81fde5407dc745f4d4cd00f28d2d8f95cb30cdd28eafbfdc8dded80445a42b430d953ec41d4293fb3e146d94ee800a25f73c7820c3c87f04

memory/2740-410-0x0000000002810000-0x0000000002C08000-memory.dmp

memory/2980-399-0x0000000002770000-0x0000000002B68000-memory.dmp

memory/2740-413-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2980-415-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2980-414-0x0000000002770000-0x0000000002B68000-memory.dmp

memory/2740-412-0x0000000002C10000-0x00000000034FB000-memory.dmp

memory/2740-411-0x0000000002810000-0x0000000002C08000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7deb786f9210558dea0d797460590f6
SHA1 2b5b3e62f9bebbc1c8cb83fe62a0d471e2475138
SHA256 c31b7d475df49fe94217cc5ab9fb144d9c30810cb0c60aa07174923333bd22c4
SHA512 64d5d3ee64ce16a31438aacdd99ed3f37a3ac9ec063505b295cf7b495f8640c937cbede60ff3807106284dd8e1a15700b660a17905794c53880bef6301f58c4a

memory/2328-450-0x0000000002920000-0x0000000002D18000-memory.dmp

\Users\Admin\Pictures\i3vS9tlYhhipSBsIzVVViAOw.exe

MD5 ac5f59828c7112f4d6f37f3daea03a4c
SHA1 780cbc00e9a044da535af3f1da25445c893a8e53
SHA256 6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc
SHA512 7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873

memory/2328-451-0x0000000002920000-0x0000000002D18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe

MD5 a533c58be371236669106ab5243b05bb
SHA1 59e8eae350fd911b9d74940fd5a0793f6b4fddc0
SHA256 6f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09
SHA512 83970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d

memory/2328-465-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2352-469-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/540-470-0x0000000000250000-0x0000000000350000-memory.dmp

memory/540-471-0x00000000003C0000-0x00000000003E7000-memory.dmp

memory/540-472-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1352-474-0x0000000002870000-0x0000000002C68000-memory.dmp

memory/2328-475-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1352-491-0x0000000002870000-0x0000000002C68000-memory.dmp

memory/1948-490-0x0000000000400000-0x0000000000B0E000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1i4.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1352-494-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2380-495-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/1948-493-0x0000000000C20000-0x0000000000D20000-memory.dmp

memory/2380-496-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/1044-497-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2352-477-0x000000001B420000-0x000000001B4A0000-memory.dmp

memory/540-514-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2324-528-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/2740-530-0x0000000000400000-0x0000000000ECD000-memory.dmp

\Users\Admin\Pictures\KBthrF5Mw1beUIIRMYVupx5n.exe

MD5 858bb0a3b4fa6a54586402e3ee117076
SHA1 997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256 d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512 e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd

memory/540-543-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/2380-548-0x0000000009750000-0x000000000A25A000-memory.dmp

memory/2980-538-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2192-533-0x0000000002840000-0x0000000002C38000-memory.dmp

memory/1952-546-0x000000013F430000-0x000000013FF3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 0c224c17858380e3197f77183892bc32
SHA1 a1d196a4ff2387e955c716f3736931535262a36a
SHA256 f5ac0eaa42414b495b897a5fef2d6b8a3bef40c28a297ad1894724b290610116
SHA512 41d0e7cd11149608f96209342b30b7cea4efb6f5ee28496d5b5ddc5eb24354c719b372bec8d604a2aeba8dfa86b866c39f89ee8bd4864c1550741d13f8b3eef4

memory/2192-550-0x0000000002840000-0x0000000002C38000-memory.dmp

memory/1952-554-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/1952-551-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/1044-555-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1352-553-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1952-557-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/2324-567-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1952-577-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/2324-580-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/540-584-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1952-595-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1952-597-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/1952-596-0x0000000077BC0000-0x0000000077D69000-memory.dmp

memory/1952-590-0x000007FEFDCF0000-0x000007FEFDD5C000-memory.dmp

memory/1952-583-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/2192-576-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1952-562-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/1952-560-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/2324-559-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/1352-614-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2356-613-0x00000000026F0000-0x0000000002AE8000-memory.dmp

memory/1044-619-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2356-623-0x00000000026F0000-0x0000000002AE8000-memory.dmp

memory/2356-624-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2324-625-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2192-631-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 8ee948007df18a2a8ceb7f34e2e1371c
SHA1 6eab1bec9670fed7292feca2a78b72035389b88e
SHA256 0f5d338bf97798236130783a479ddf240129475f0641bea2c1e13ac47e955424
SHA512 60c4b198227d1ec9685dba41026e0b66672b193742b811bb624f522d0ab75a577709079a84d0118b293076da0c29ecd48a7dc46b0862eb2956eb5b8214c497ab

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2652-664-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-666-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

memory/2512-665-0x00000000011A0000-0x0000000004A98000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2512-695-0x000000001EDC0000-0x000000001EE40000-memory.dmp

memory/540-691-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aae29cdbfab7e55ab1c053b25406447f
SHA1 1cbfc65dd9fe11f3a3b818082bdcab84048dbd1c
SHA256 498f654cd157a5f7e51e0066085f9ccfa5ef522a362725887beccca163f5296a
SHA512 e2f38e45b2df6aae3f4d25196957035220edd4ac143103b18a83d6e0614551b419b3dcf387ac09b053cf4c6093a6701e8e30152a27ea2ea7a0d9073216cf15a9

memory/540-676-0x0000000000250000-0x0000000000350000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2512-718-0x000000001EC30000-0x000000001ED40000-memory.dmp

memory/2512-719-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/2512-720-0x0000000000580000-0x000000000058C000-memory.dmp

memory/2512-721-0x00000000003F0000-0x0000000000404000-memory.dmp

memory/2512-722-0x0000000000BA0000-0x0000000000BC4000-memory.dmp

memory/2512-732-0x000000013F430000-0x000000013FF3A000-memory.dmp

memory/2512-731-0x00000000005A0000-0x00000000005AA000-memory.dmp

memory/2512-734-0x0000000000D50000-0x0000000000D7A000-memory.dmp

memory/2512-733-0x000000001F570000-0x000000001F622000-memory.dmp

memory/2512-735-0x0000000000E50000-0x0000000000ECA000-memory.dmp

memory/2512-736-0x000000001E630000-0x000000001E692000-memory.dmp

memory/2512-737-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/2512-741-0x000000001FBF0000-0x000000001FEF0000-memory.dmp

memory/2512-746-0x0000000000D80000-0x0000000000D8A000-memory.dmp

memory/2380-747-0x0000000009750000-0x000000000A25A000-memory.dmp

memory/1952-748-0x000000013F430000-0x000000013FF3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\acccff04fa234b00ad1c8f863d317533.tmp

MD5 4ba6d7772a894f75e688dd270c569048
SHA1 bfe5a11ea0f1e25f58e6f746e7c17c05971b0ccb
SHA256 38626c363e7df2b96a4c3309573fea0b988e115592129431405606e8e76c7b13
SHA512 8b932b304155bf15516c9ddda0e3473df49fbaf7ec3eff99ea2f8795ba4ecc08ca098eed7ccc2e972e8dd5d7a3951e387544baadf9f026f6092f54a9d90b5954

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
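The Files listing above is flat: a path line, its hash lines, and dump names of the form memory/<pid>-<n>-<start>-<end>-memory.dmp, all in capture order. Two correlations are worth doing before opening any dump. The same path listed under several different hashes (the CryptnetUrlCache metadata file and ioloDMLog.txt above) means the file was rewritten during the run, and the same address range dumped from many PIDs (0x400000-0xECD000 is listed for seven processes above) points at one payload unpacked or injected repeatedly rather than seven unrelated ones. The Python below is an added example written for this page, not part of the sandbox report or its vendor's tooling; the input is an excerpt of the listing above with SHA1/SHA512 lines dropped, and the image-base heuristic (0x400000 and 0x140000000 as the default PE bases) is this example's assumption.

```python
"""Correlate the flat Files listing of a sandbox report: group on-disk artifacts by
path to find files rewritten with different content, and group memory dumps by
address range to find one region that was dumped from several processes."""
import re
from collections import defaultdict

# Sample input: an excerpt of the Files listing above, constructed for this example
# (SHA1/SHA512 lines dropped; the parser accepts them as well).
REPORT = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a50f73ad4ef9b0934ddfa41053956c84
SHA256 9c67a6410e36afe005409aa87e58baa2ebbf7dc76bdaed859d23bf9fe7f47b88

memory/1948-320-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ee12854598813a5ee6118bf8750daa1
SHA256 adfe3f3c589091dcbbaf06ab5d43a7953c479984b48381a3a2ea55671e3dd024

\Users\Admin\Pictures\OaVCG3E5HaPViLqhA0sldQvH.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437

memory/2740-413-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2980-415-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2328-465-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2352-469-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
memory/1352-494-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2740-530-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2324-567-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2192-576-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2356-624-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2512-666-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def parse_report(text):
    """Return (files, dumps). A file record is {'path', 'hashes'}; hash lines attach to
    the most recent path line. A dump record is {'pid', 'seq', 'start', 'end'}."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        # Anything else is a path line (C:\..., \Users\..., \ProgramData\...).
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def rewritten_paths(files, algo="SHA256"):
    """Paths listed more than once with different content: the sandbox records each
    version it saw, so N distinct hashes means the file was written at least N times."""
    seen = defaultdict(set)
    for f in files:
        if algo in f["hashes"]:
            seen[f["path"]].add(f["hashes"][algo])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def shared_regions(dumps, min_pids=2):
    """Address ranges dumped from at least `min_pids` distinct processes, most widely
    shared first. A range starting at a default PE image base (assumption: 0x400000 for
    32-bit, 0x140000000 for 64-bit) is likely a full unpacked image rather than a heap
    buffer or a mapped system DLL."""
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["end"])].add(d["pid"])
    out = [{"start": s, "end": e, "size": e - s, "pids": sorted(p),
            "default_image_base": s in (0x400000, 0x140000000)}
           for (s, e), p in by_range.items() if len(p) >= min_pids]
    return sorted(out, key=lambda r: (-len(r["pids"]), r["start"]))


if __name__ == "__main__":
    files, dumps = parse_report(REPORT)
    for path, hashes in rewritten_paths(files).items():
        print(f"rewritten {len(hashes)}x: {path}")
    for r in shared_regions(dumps):
        kind = "image-base" if r["default_image_base"] else "other"
        print(f"0x{r['start']:X}-0x{r['end']:X} size {r['size']:#x} ({kind}) in PIDs {r['pids']}")
```

Run against the full listing, the image-base group tells you which single dump to unpack first (any one of the seven 0xACD000-byte regions), while the high-address pair shared by PIDs 2352 and 2512 is the kind of range to treat as a mapped DLL until proven otherwise.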

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-29 05:17
Reported 2024-03-29 05:20
Platform win10v2004-20240226-en
Max time kernel 77s
Max time network 152s

Command Line

sihost.exe

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5116 created 2552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KFIJJJEBGC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u340.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8pNf0XjlyHeGbvr8PPCs35KC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sS5Ho4d3WEdvDrIdr9ZdRhsv.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zc0cmZCU279gkJFzqwAmPE3r.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AGkxw2oVIQ2L3rf15f5clDih.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axP0cmJERAiGZxbTLVEyB9Bi.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VyVLrpA0tgmsU3XsA2g5vTeN.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yctdd7V3p2x0shXjB7znUfSs.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wYnIXO9GhMk6o51NhnPujgSf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O2vqMTaUjItYRq9M37OzmIVi.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sHXIeTRP2eTC0aHKGEDaUdHD.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TbPIe1KSUsjfytWAwMIA5OKP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe N/A
N/A N/A C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe N/A
N/A N/A C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe N/A
N/A N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe N/A
N/A N/A C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
N/A N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
N/A N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ueMmXib5DFAldXwxFdjPQelr.exe N/A
N/A N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
N/A N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u340.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KFIJJJEBGC.exe N/A
N/A N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
N/A N/A C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
N/A N/A C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4728 set thread context of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4544 set thread context of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
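The signature tables above are rendered as space-separated columns (Description, Indicator, Process, Target) even though indicators and process paths contain spaces and a registry value can embed its own "C:\" fragment (the FirewallRules entry), so the rows cannot be split on whitespace. They also spread one injection sequence over two tables: in the SetThreadContext table the process column is the acting PID's image and the target the hollowed image, and in the NtCreateUserProcessOtherParentProcess table the process is the creator and the target the created image. Linking PID 4544 to 5116 to 2552 gives HPfZv9KywXrFtcs4hA5sx3UY.exe -> RegAsm.exe -> sihost.exe. The Python below is an added example for this page, not the sandbox vendor's code; the rows are copied from the tables above, the column regex and the list of known descriptions are assumptions about that format, and the firewall-rule and Startup-folder checks are two triage flags chosen for illustration.

```python
"""Parse the flat 'Description Indicator Process Target' rows of a sandbox signature
table into fields and rebuild the process-injection chain they describe."""
import re

# Sample rows copied from the signature tables above (an excerpt, constructed for this example).
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe N/A',
    r"PID 5116 created 2552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8pNf0XjlyHeGbvr8PPCs35KC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A",
    r"N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ueMmXib5DFAldXwxFdjPQelr.exe N/A",
    r"PID 4728 set thread context of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
    r"PID 4544 set thread context of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
]

# A Windows .exe path that may contain spaces but must not swallow a second "C:\"
# (otherwise a startup-file indicator and the process path would merge into one field).
_PATH = r"C:\\(?:(?!C:\\)[^\"=])*?\.exe"
# body = description + indicator; the last two columns are anchored at the end of the row.
ROW_RE = re.compile(rf"^(?P<body>.*?)\s+(?P<process>N/A|{_PATH})\s+(?P<target>N/A|{_PATH})$")
PID_RE = re.compile(r"^PID (\d+) (created|set thread context of) (\d+)$")
# Known description prefixes (assumption: taken from the tables above).
DESCRIPTIONS = (
    "Set value (int)", "Set value (str)", "Key value queried", "Key enumerated",
    "Key created", "Key queried", "Key opened", "File opened for modification",
    "File opened (read-only)", "File created", "N/A",
)


def split_body(body):
    """Split the leading description from the indicator text."""
    m = re.match(r"^(PID \d+ (?:created|set thread context of) \d+)\s+(.*)$", body)
    if m:
        return m.group(1), m.group(2)
    for d in DESCRIPTIONS:
        if body.startswith(d + " "):
            return d, body[len(d) + 1:]
    return "", body


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    desc, indicator = split_body(m.group("body"))
    return {"description": desc, "indicator": indicator,
            "process": m.group("process"), "target": m.group("target")}


def injection_edges(rows):
    """Edges (src_pid, src_image, action, dst_pid, dst_image) from the PID rows: the
    process column is the acting PID's image, the target column the affected PID's."""
    edges = []
    for r in rows:
        m = PID_RE.match(r["description"])
        if m:
            edges.append((int(m.group(1)), r["process"], m.group(2),
                          int(m.group(3)), r["target"]))
    return edges


def chain_from(edges, pid):
    """Follow edges from pid until a PID with no outgoing edge (cycles are cut)."""
    by_src = {e[0]: e for e in edges}
    parts, seen = [], set()
    while pid in by_src and pid not in seen:
        seen.add(pid)
        src, src_img, action, dst, dst_img = by_src[pid]
        if not parts:
            parts.append(f"{basename(src_img)}[{src}]")
        parts.append(f"--{action}--> {basename(dst_img)}[{dst}]")
        pid = dst
    return " ".join(parts)


def chain_roots(edges):
    """PIDs that act on others but are never acted on: the start of each chain."""
    return sorted({e[0] for e in edges} - {e[3] for e in edges})


def persistence_and_evasion(rows):
    """Two host-level changes a responder checks first: firewall rules written straight
    into the FirewallPolicy registry key, and files dropped into the user's Startup folder."""
    flags = []
    for r in rows:
        ind = r["indicator"]
        if "\\FirewallPolicy\\FirewallRules\\" in ind:
            flags.append(("firewall-rule", basename(r["process"]), ind))
        if "\\Start Menu\\Programs\\Startup\\" in ind:
            flags.append(("startup-file", basename(r["process"]), basename(ind)))
    return flags


if __name__ == "__main__":
    parsed = [parse_row(r) for r in ROWS]
    edges = injection_edges(parsed)
    for root in chain_roots(edges):
        print(chain_from(edges, root))
    for flag in persistence_and_evasion(parsed):
        print(flag)
```

The chain output is the part to carry into host triage: RegAsm.exe and CasPol.exe are signed .NET utilities, so the hollowed PIDs will look legitimate in a process list, and the sihost.exe instance created from RegAsm.exe with another parent is where a parent-child detection rule would have to look at the real creator rather than the spoofed parent.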

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u340.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u340.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u340.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob omitted] C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe N/A
N/A N/A C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe N/A
N/A N/A C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe N/A
N/A N/A C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u340.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe N/A
N/A N/A C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe N/A
N/A N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
N/A N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
N/A N/A C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
N/A N/A C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
N/A N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2952 wrote to memory of 3604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe
PID 2952 wrote to memory of 3604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe
PID 2952 wrote to memory of 3604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe
PID 2952 wrote to memory of 4032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe
PID 2952 wrote to memory of 4032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe
PID 2952 wrote to memory of 4032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe
PID 2952 wrote to memory of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe
PID 2952 wrote to memory of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe
PID 2952 wrote to memory of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe
PID 2952 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe
PID 2952 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe
PID 2952 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe
PID 2952 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe
PID 2952 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe
PID 2952 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe
PID 2952 wrote to memory of 4416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe
PID 2952 wrote to memory of 4416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe
PID 2952 wrote to memory of 4416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4032 wrote to memory of 2524 N/A C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe C:\Users\Admin\AppData\Local\Temp\u340.0.exe
PID 4032 wrote to memory of 2524 N/A C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe C:\Users\Admin\AppData\Local\Temp\u340.0.exe
PID 4032 wrote to memory of 2524 N/A C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe C:\Users\Admin\AppData\Local\Temp\u340.0.exe
PID 5116 wrote to memory of 4284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5116 wrote to memory of 4284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5116 wrote to memory of 4284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5116 wrote to memory of 4284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5116 wrote to memory of 4284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2952 wrote to memory of 4004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 2952 wrote to memory of 4004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 2952 wrote to memory of 4004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4124 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4124 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4124 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4740 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4740 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4740 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4492 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4492 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4004 wrote to memory of 4492 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4492 wrote to memory of 3292 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4492 wrote to memory of 3292 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4492 wrote to memory of 3292 N/A C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe
PID 4032 wrote to memory of 3236 N/A C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe C:\Users\Admin\AppData\Local\Temp\u340.1.exe
PID 4032 wrote to memory of 3236 N/A C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe C:\Users\Admin\AppData\Local\Temp\u340.1.exe
PID 4032 wrote to memory of 3236 N/A C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe C:\Users\Admin\AppData\Local\Temp\u340.1.exe
PID 2952 wrote to memory of 4292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe

"C:\Users\Admin\Pictures\aI3g63c9519JvFDEMRzh2hdB.exe"

C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe

"C:\Users\Admin\Pictures\lzwu5wOVzRnPH22isp5zmuGP.exe"

C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe

"C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe"

C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe

"C:\Users\Admin\Pictures\HPfZv9KywXrFtcs4hA5sx3UY.exe"

C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe

"C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe"

C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe

"C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 852

C:\Users\Admin\AppData\Local\Temp\u340.0.exe

"C:\Users\Admin\AppData\Local\Temp\u340.0.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5116 -ip 5116

C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe

"C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe" --silent --allusers=0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 616

C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe

C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e77e1d0,0x6e77e1dc,0x6e77e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ueMmXib5DFAldXwxFdjPQelr.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ueMmXib5DFAldXwxFdjPQelr.exe" --version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5116 -ip 5116

C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe

"C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4004 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329051819" --session-guid=1755bc6a-8920-4cf7-8037-89f4d17d6a2b --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3805000000000000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 612

C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe

C:\Users\Admin\Pictures\ueMmXib5DFAldXwxFdjPQelr.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6dd2e1d0,0x6dd2e1dc,0x6dd2e1e8

C:\Users\Admin\AppData\Local\Temp\u340.1.exe

"C:\Users\Admin\AppData\Local\Temp\u340.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1152

C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe

"C:\Users\Admin\Pictures\g8aTWxAZ6ISrf1bOvwaLr4tY.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1148

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290518191\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x1120040,0x112004c,0x1120058

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KFIJJJEBGC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 3068

C:\Users\Admin\AppData\Local\Temp\KFIJJJEBGC.exe

"C:\Users\Admin\AppData\Local\Temp\KFIJJJEBGC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 3556

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KFIJJJEBGC.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe

"C:\Users\Admin\Pictures\VKyuCsrQFHBItjVhBwKQOwdE.exe"

C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe

"C:\Users\Admin\Pictures\5UNikksN5GElLavDqb9lakL7.exe"

C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe

"C:\Users\Admin\Pictures\X9dPuAGeJQFKnWiWx123pDHg.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files
