Malware Analysis Report

2024-11-30 02:06

Sample ID: 240330-bv4v3aea5s
Target: 79fbd35cae4148d9053cd4590b6d41c0.bin
SHA256: 314cfde234ae41e5316da82a97a6b3f4d77d6116726f8c710799bf491a7b7401
Tags: amadey evasion trojan glupteba rhadamanthys stealc discovery dropper loader persistence rootkit spyware stealer themida
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 314cfde234ae41e5316da82a97a6b3f4d77d6116726f8c710799bf491a7b7401

Threat Level: Known bad

The file 79fbd35cae4148d9053cd4590b6d41c0.bin was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan glupteba rhadamanthys stealc discovery dropper loader persistence rootkit spyware stealer themida

Glupteba

Glupteba payload

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies firewall policy service

Amadey

Rhadamanthys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Drops startup file

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Checks BIOS information in registry

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Identifies Wine through registry keys

Reads local data of messenger clients

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Manipulates WinMonFS driver.

Looks up external IP address via web service

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies system certificate store

Checks SCSI registry key(s)

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-30 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-30 01:28

Reported: 2024-03-30 01:31

Platform: win7-20240221-en

Max time kernel: 120s

Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe

"C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe"

Network

N/A

Files

memory/2172-0-0x0000000000E40000-0x00000000012F5000-memory.dmp

memory/2172-1-0x0000000077D50000-0x0000000077D52000-memory.dmp

memory/2172-3-0x00000000027F0000-0x00000000027F1000-memory.dmp

memory/2172-2-0x0000000000E40000-0x00000000012F5000-memory.dmp

memory/2172-5-0x0000000002780000-0x0000000002781000-memory.dmp

memory/2172-4-0x0000000002850000-0x0000000002851000-memory.dmp

memory/2172-6-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/2172-8-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/2172-7-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/2172-12-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

memory/2172-11-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/2172-13-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/2172-10-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2172-9-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/2172-14-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/2172-15-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/2172-17-0x0000000000B20000-0x0000000000B21000-memory.dmp

memory/2172-18-0x0000000002C30000-0x0000000002C31000-memory.dmp

memory/2172-22-0x0000000000E40000-0x00000000012F5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-30 01:28

Reported: 2024-03-30 01:31

Platform: win10v2004-20240226-en

Max time kernel: 150s

Max time network: 149s

Command Line

sihost.exe

Signatures

Amadey

trojan amadey

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2716 created 2540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OVgCCvhbr5ebMt9lkW77gabd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SraQNLokWjg12upZ2wXrtdRJ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lbtc1gtld9gMlsquYTTxcS5x.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8nH3yLgFtZFxqJT3o2gojvQy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCgV0V4Qd3tgYeIQW4qj7jc1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOZokqhYexItuT57yqacfmpk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZWtXR6IXIvnmzEk0uThXcSu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZPNd4IVRn0e3PaZmXO4xPtl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ipJfVTUCqUkAqGqOAtFQ0GCK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ytQsfBTZfodORuJtlZ3A5rZI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe N/A
N/A N/A C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe N/A
N/A N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A
N/A N/A C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
N/A N/A C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
N/A N/A C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
N/A N/A C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
N/A N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
N/A N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe
PID 4496 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1452 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 3260 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe
PID 3260 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe
PID 3260 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe
PID 3260 wrote to memory of 4328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe
PID 3260 wrote to memory of 4328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe
PID 3260 wrote to memory of 4328 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe
PID 3260 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe
PID 3260 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe
PID 3260 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe
PID 3260 wrote to memory of 3284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe
PID 3260 wrote to memory of 3284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe
PID 3260 wrote to memory of 3284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe
PID 4328 wrote to memory of 2536 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2536 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2536 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4328 wrote to memory of 2716 N/A C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 4028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe
PID 3260 wrote to memory of 4028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe
PID 3260 wrote to memory of 4028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe
PID 4804 wrote to memory of 4036 N/A C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe
PID 4804 wrote to memory of 4036 N/A C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe
PID 4804 wrote to memory of 4036 N/A C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe
PID 3284 wrote to memory of 880 N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4220 N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 880 N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4220 N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 880 N/A C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 4220 N/A C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3244 N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3244 N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3244 N/A C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 4324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2716 wrote to memory of 4324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2716 wrote to memory of 4324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2716 wrote to memory of 4324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2716 wrote to memory of 4324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 4804 wrote to memory of 4328 N/A C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe C:\Windows\System32\Conhost.exe
PID 4804 wrote to memory of 4328 N/A C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe C:\Windows\System32\Conhost.exe
PID 4804 wrote to memory of 4328 N/A C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe C:\Windows\System32\Conhost.exe
PID 3260 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe
PID 3260 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe
PID 3260 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe
PID 3260 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe
PID 3260 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe

"C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe

"C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe"

C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe

"C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe"

C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe

"C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe"

C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe

"C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4328 -ip 4328

C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe

"C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 868

C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2716 -ip 2716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 596

C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2716 -ip 2716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1556

C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe

"C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe"

C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe

"C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe" --silent --allusers=0

C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe

C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6e26e1d0,0x6e26e1dc,0x6e26e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BNcDehVmdQj4SgrQU6jnoZTj.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BNcDehVmdQj4SgrQU6jnoZTj.exe" --version

C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe

"C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2512 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240330012915" --session-guid=f82154e1-0773-4538-8cee-4b58da6f5184 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=E803000000000000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe

C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6d8ee1d0,0x6d8ee1dc,0x6d8ee1e8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe

"C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe"

C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe

"C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe"

C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe

"C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x430040,0x43004c,0x430058

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4036 -ip 4036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 2660

C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe

"C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.67.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 shipofdestiny.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
US 172.67.152.98:443 shipofdestiny.com tcp
US 104.21.13.170:443 sty.ink tcp
US 104.21.15.5:443 operandotwo.com tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 104.21.13.170:443 sty.ink tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
NL 185.26.182.112:443 net.geo.opera.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 8.8.8.8:53 guseman.org udp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.173.167:443 guseman.org tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 98.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 170.13.21.104.in-addr.arpa udp
US 8.8.8.8:53 5.15.21.104.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 144.210.57.176.in-addr.arpa udp
US 8.8.8.8:53 65.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 167.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 190.73.21.217.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 46.226.167.187:80 46.226.167.187 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 187.167.226.46.in-addr.arpa udp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 19.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 82.145.216.16:443 features.opera-api2.com tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
GB 95.101.143.243:443 tcp
RU 185.215.113.32:80 tcp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.248:443 download.iolo.net tcp
N/A 224.0.0.251:5353 udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 248.2.93.185.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.11.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 89.11.18.104.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 65a86ace-e658-4dcd-8ddd-92da06924e13.uuid.localstats.org udp
US 8.8.8.8:53 148.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 server6.localstats.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server6.localstats.org tcp
PL 142.251.98.127:19302 stun4.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.98.251.142.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server6.localstats.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
BG 185.82.216.111:443 server6.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 79fbd35cae4148d9053cd4590b6d41c0
SHA1 3548d8fa1f242206447224068c16ffd30278ede3
SHA256 9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef
SHA512 babf970ee423976f68864c67d9ec7a0771be65465b4ea3c498fd9a9ab98f08124be2a0ec16f7952b237d27d778ef49ef9f48fe8ad66dd9a3f840ffc9a5658a40

C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe

MD5 16f67f1a6e10f044bc15abe8c71b3bd6
SHA1 ce0101205b919899a2a2f577100377c2a6546171
SHA256 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
SHA512 a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c

C:\Users\Admin\Pictures\WaZeGIDKHEGcyN1qLwHoR65u.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\ev5TUPhitQeSGuKie2onkCE9.exe

MD5 222e8caff8326f1447bc92a42483a79e
SHA1 aa8c944194827ac18f046df274e286b36e9dc7d3
SHA256 7221786173726f92d94cec447e4a0f5c6cd6ae938f6cd517d8b4ab12f31d29c4
SHA512 13cb6d9210d84271b76a9209028c39016a15ed773c405a0740281cd7af503c3230d90cfbfc57814f6140fcf17528453963459a406e3a75732ae21d69265b00d0

C:\Users\Admin\Pictures\xZfqhCs7PMiNkmFilwDKgoCX.exe

MD5 fdaacb076d325b9b448fb8e017bc7c82
SHA1 ed39b1ea373fff8a12a994a59e8a543d08d90c02
SHA256 45af99367c76076e6ac0bbc7e8d332a7e141e3ea1f73bb5aa909897fbe1309e7
SHA512 4279b84069e352d9fcf000eb3968dfa45c8d4075e39da003678534928282034dd04cd6ba9fb0bcbea89fae8de48a81137f7e5727ded7c3ea611426eed9c95653

C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe

MD5 6bcb4265ca9f8eeffe10c66614934407
SHA1 98ca1be77baa98892625d7659dffec1627042200
SHA256 5429e24f3ab3287148c2508bd3e0e6a872ea62f115b67b102444cb5435ab72c8
SHA512 ca07ce30ab0cda6d0bd2fbef701e3a44f9a1c5d3f3e23ec7201b3ed9eafe9d7f6689cd7a46c7420914a84426af718643b72d557333d96a2de966df5b86dfd784

C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe

MD5 4674136df8304d43b93dd56409c0ef88
SHA1 6abfd675f89fe668963b546fe0982a60d5fb47e9
SHA256 8d5adaa34385cbccafc86381269c6c2b4fec424b386f6b54bd626a7630a0ab2d
SHA512 4def37495fc2ec5dd256bfdd6afb722a1f554ac391e9eab26f3556309e5dfe3b854b3c19a1ed42fdb5934a2b48069e72cf2ace5bba6a74c80d2f319d1825b725

C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe

MD5 648184f930f8fd4507b238af673d11c0
SHA1 8f83ad030dd4cba19dbd3dcf9089e466846a0ecf
SHA256 4f42175d97bb370b4ccb8fc4ec8faa73191054f9ac43fe79b318ac971aa90cb9
SHA512 708b8a2535d4999b103da3bf83eb93a8d67f4191c81eb7473f1848c28c7118330e0ca113f360c2491fb65a2446dd3ddd40bea15e57e48d2550afe418ed5e0ef3

C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe

MD5 6cfe7e9a1f9ee6a58fd301a69dbe6387
SHA1 1ea8709c38d0c005ef5f9152a58412bdd8438ee0
SHA256 eafd6b767db2a513fe852813899be0d4f57246fe8976b0c27032c78e0a54a3d1
SHA512 7f5fe16db88335650c0b24d563f064394fa053707df06904731050d490f95ded9f84ac25b216a9ea14aa4f9da1c0f96e4aa1e92f1c11f334f04e0e1f5b4e5204

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dr1l4asf.vx1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe

MD5 858bb0a3b4fa6a54586402e3ee117076
SHA1 997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256 d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512 e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd

C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe

MD5 28882b4c74fca6fa682147268c3c3772
SHA1 9bbc2e751abf38c8d93e81fedb6a5959d1593627
SHA256 6ee4e1c25d81bb140dc6d080dfbe86de80f1a8d35f06b2fbd7b8c4d406bdbdca
SHA512 9cbe516b701da9cc26869a10764bcfc64f5e4ae1fdaa010d13ce0c0ce35df00cbd40f3741832a5cbaabe66edcd56e1a92dbe8b2c0b5de366dc5905ac5c4e1d93

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403300129145262512.dll

MD5 117176ddeaf70e57d1747704942549e4
SHA1 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512 ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 be2eeab03c8a5f71015b3aaaf5d21cc8
SHA1 cab3fab75eecb7507615dc2298227b931dff99ff
SHA256 285ff7c2e4fb561d1a6344c8769b08c533ef4f31a9342dd7f1cda54c61c6532a
SHA512 a086ea86f0119aa38e4435ac23a6461742522664023cfa2055a73f6140cdd84e41332c3bab70395d71a55e05d4c3f2b774547f91bf1bd80ee5a4de0e9cea74a7

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e580dc26b82bb994015bf756ed100059
SHA1 0730c3aa85c28c97ef297ad1ffa4149a448457a7
SHA256 f30eccf99fd750d9d67556100fd4bbe6d811b8b6c93e6d9e625edc58fb1dad03
SHA512 7e2a54fdb5f572789256355b505e44cbed4767d8f7b693b2a39bd582a73ee45cec0cf265562de09c56792790c570dcbfe928008a8750ea9892ae95154dd1565c

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 65bf6eaa0a2eee26d93dd9e160fbc70d
SHA1 05a0210994537d86bc9138007d0dd0d696cdaa9a
SHA256 54990f2f212c8ce9dd6a8d5fc7fbb68179423b957b617b10146ddb6bbdf861a1
SHA512 49ef9c4e92a5db46eb05880da675b28fb2c876bd7ef1562c7e7541ed43f446b9358096183aa47807f6229b9c752b7f1fa5e1d1b83aeb46ed0b5245935f64c277

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\opera_package

MD5 401c352990789be2f40fe8f9c5c7a5ac
SHA1 d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256 f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512 efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 11753c28c139dc878c04f432cd9218b7
SHA1 82219d026ea1d476927f57c480493707a426eaee
SHA256 507b691618cf4a92f35237d6c7b57cbe721d5379b81c2ef1dffc53a3e2bf5e6b
SHA512 30e6c43d6daa22aa149df6921a0c0104bb5ccbd68f70aa4129310a7a6a74174069fae502a784cf145b6a72e24acf6f81fbafe0e740697c2254f6305fbc5d959a

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 1b7281166c9dc3077ff4ae10dd48aac7
SHA1 1a4d601e25f7102572a7c00fc90de19ed096a12c
SHA256 35513ba2533b12b5a291d8a80ad37d63011105b19c482fce664422897d5d8acc
SHA512 ba706b9d0c5d28cb452deaf7e5e7446659f9599e34d2a62aa4ce15e0b56fab621295ffb4300846aed038ea369434b398410d0efb15587dcff286f6c746be3297

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 70ae5907463367183eaf01f354cc79d1
SHA1 6921b0102edf38367c3a401a2a4fa99f27563b63
SHA256 d565513f21033d43d037ee51d84e9e5c5f05108d23724f097e1997cd4109d2ae
SHA512 046f6d343ff56aa9f4a0f41a68e8f2f7273a2751819070ab845b5ced9d0ebecdad967b1a7971311d3f6d45244959359514b09e0462f7c11f1b2b654fad1b2fd1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\dbgcore.dll

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c563a3ec331b2de080532292008ae4c6
SHA1 e3a546a6437186f45bb8bcd10162d0bdf123cba0
SHA256 2be0d4a77ed5076c4ccc31c50900d0981e7cd45f41fc69faaad246cee8e2b9f4
SHA512 13109c1ac259605db45d6656079d9a3a71f66383a8c548430b8506e86e0c2470dfacb978d49a9a32c28716d4257c43b8729aa9033150a60f1a049c794e844065

C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dc75ee19dc5c98888bfd7f7ca03848ed
SHA1 77225ad80ca79690199d19d592df6ab2912340ec
SHA256 b4929611d5cefe756466c7331d6c277fe11a524339e01cb4f0cdf890cdfbd2c6
SHA512 2b77eb4998aadf7be903363eeb67f4041274ee04cf28b59da7d4b5b7abc0d105dc61760a09a80dece0087c22c6c574916de1e6996a9cc2433be4d94a77f3c987