Analysis Overview
SHA256
314cfde234ae41e5316da82a97a6b3f4d77d6116726f8c710799bf491a7b7401
Threat Level: Known bad
The file 79fbd35cae4148d9053cd4590b6d41c0.bin was found to be: Known bad.
Malicious Activity Summary
Glupteba
Glupteba payload
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies firewall policy service
Amadey
Rhadamanthys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Drops startup file
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Checks BIOS information in registry
Reads data files stored by FTP clients
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Identifies Wine through registry keys
Reads local data of messenger clients
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Manipulates WinMonFS driver
Looks up external IP address via web service
Enumerates connected drives
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies system certificate store
Checks SCSI registry key(s)
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-30 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-30 01:28
Reported
2024-03-30 01:31
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe
"C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe"
Network
Files
memory/2172-0-0x0000000000E40000-0x00000000012F5000-memory.dmp
memory/2172-1-0x0000000077D50000-0x0000000077D52000-memory.dmp
memory/2172-3-0x00000000027F0000-0x00000000027F1000-memory.dmp
memory/2172-2-0x0000000000E40000-0x00000000012F5000-memory.dmp
memory/2172-5-0x0000000002780000-0x0000000002781000-memory.dmp
memory/2172-4-0x0000000002850000-0x0000000002851000-memory.dmp
memory/2172-6-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/2172-8-0x0000000000B80000-0x0000000000B81000-memory.dmp
memory/2172-7-0x00000000027E0000-0x00000000027E1000-memory.dmp
memory/2172-12-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
memory/2172-11-0x0000000000B70000-0x0000000000B71000-memory.dmp
memory/2172-13-0x0000000000B10000-0x0000000000B11000-memory.dmp
memory/2172-10-0x00000000029C0000-0x00000000029C1000-memory.dmp
memory/2172-9-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
memory/2172-14-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
memory/2172-15-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/2172-17-0x0000000000B20000-0x0000000000B21000-memory.dmp
memory/2172-18-0x0000000002C30000-0x0000000002C31000-memory.dmp
memory/2172-22-0x0000000000E40000-0x00000000012F5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-30 01:28
Reported
2024-03-30 01:31
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Amadey
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2716 created 2540 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OVgCCvhbr5ebMt9lkW77gabd.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SraQNLokWjg12upZ2wXrtdRJ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lbtc1gtld9gMlsquYTTxcS5x.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8nH3yLgFtZFxqJT3o2gojvQy.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCgV0V4Qd3tgYeIQW4qj7jc1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOZokqhYexItuT57yqacfmpk.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RZWtXR6IXIvnmzEk0uThXcSu.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZPNd4IVRn0e3PaZmXO4xPtl.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ipJfVTUCqUkAqGqOAtFQ0GCK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ytQsfBTZfodORuJtlZ3A5rZI.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1452 set thread context of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 4328 set thread context of 2716 | N/A | C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) | C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) | C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe
"C:\Users\Admin\AppData\Local\Temp\9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef.exe"
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe
"C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe"
C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe
"C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe"
C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe
"C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe"
C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe
"C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4328 -ip 4328
C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe
"C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 868
C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2716 -ip 2716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 596
C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4804 -ip 4804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2716 -ip 2716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1556
C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe
"C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe"
C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe
"C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe" --silent --allusers=0
C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe
C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6e26e1d0,0x6e26e1dc,0x6e26e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BNcDehVmdQj4SgrQU6jnoZTj.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BNcDehVmdQj4SgrQU6jnoZTj.exe" --version
C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe
"C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2512 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240330012915" --session-guid=f82154e1-0773-4538-8cee-4b58da6f5184 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=E803000000000000
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe
C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6d8ee1d0,0x6d8ee1dc,0x6d8ee1e8
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe
"C:\Users\Admin\Pictures\4zkJm7OA2N8MS2Ylx3ahFzGK.exe"
C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe
"C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe"
C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe
"C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x430040,0x43004c,0x430058
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4036 -ip 4036
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 2660
C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe
"C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 8.8.8.8:53 | piramidglobaltobacco.id | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.15.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.73.21.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| US | 46.226.167.187:80 | 46.226.167.187 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| NL | 82.145.216.19:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.19:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 187.167.226.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| NL | 82.145.216.16:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| NL | 82.145.216.24:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| US | 8.8.8.8:53 | 16.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.143.101.95.in-addr.arpa | udp |
| GB | 95.101.143.243:443 | | tcp |
| RU | 185.215.113.32:80 | | tcp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.248:443 | download.iolo.net | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.2.93.185.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.11.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 89.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 65a86ace-e658-4dcd-8ddd-92da06924e13.uuid.localstats.org | udp |
| US | 8.8.8.8:53 | 148.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server6.localstats.org | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| BG | 185.82.216.111:443 | server6.localstats.org | tcp |
| PL | 142.251.98.127:19302 | stun4.l.google.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 127.98.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server6.localstats.org | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server6.localstats.org | tcp |
Files
memory/2344-0-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/2344-1-0x0000000077304000-0x0000000077306000-memory.dmp
memory/2344-2-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/2344-4-0x00000000058B0000-0x00000000058B1000-memory.dmp
memory/2344-5-0x00000000058E0000-0x00000000058E1000-memory.dmp
memory/2344-3-0x00000000058A0000-0x00000000058A1000-memory.dmp
memory/2344-6-0x0000000005870000-0x0000000005871000-memory.dmp
memory/2344-7-0x0000000005890000-0x0000000005891000-memory.dmp
memory/2344-9-0x00000000058D0000-0x00000000058D1000-memory.dmp
memory/2344-8-0x0000000005880000-0x0000000005881000-memory.dmp
memory/2344-10-0x0000000005900000-0x0000000005901000-memory.dmp
memory/2344-11-0x00000000058F0000-0x00000000058F1000-memory.dmp
memory/2344-16-0x0000000000F20000-0x00000000013D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | 79fbd35cae4148d9053cd4590b6d41c0 |
| SHA1 | 3548d8fa1f242206447224068c16ffd30278ede3 |
| SHA256 | 9c1751ba73fe53ed9385f24750212c6e785843e4c63dbafec8f95d3e6a5088ef |
| SHA512 | babf970ee423976f68864c67d9ec7a0771be65465b4ea3c498fd9a9ab98f08124be2a0ec16f7952b237d27d778ef49ef9f48fe8ad66dd9a3f840ffc9a5658a40 |
memory/4496-19-0x0000000000B30000-0x0000000000FE5000-memory.dmp
memory/4496-20-0x0000000000B30000-0x0000000000FE5000-memory.dmp
memory/4496-22-0x0000000005330000-0x0000000005331000-memory.dmp
memory/4496-27-0x0000000005350000-0x0000000005351000-memory.dmp
memory/4496-26-0x0000000005300000-0x0000000005301000-memory.dmp
memory/4496-25-0x00000000052F0000-0x00000000052F1000-memory.dmp
memory/4496-24-0x0000000005360000-0x0000000005361000-memory.dmp
memory/4496-23-0x0000000005310000-0x0000000005311000-memory.dmp
memory/4496-21-0x0000000005320000-0x0000000005321000-memory.dmp
memory/4496-29-0x0000000005370000-0x0000000005371000-memory.dmp
memory/4496-28-0x0000000005380000-0x0000000005381000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001067001\file300un.exe
| MD5 | 16f67f1a6e10f044bc15abe8c71b3bd6 |
| SHA1 | ce0101205b919899a2a2f577100377c2a6546171 |
| SHA256 | 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89 |
| SHA512 | a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c |
memory/1452-49-0x000001C54FF00000-0x000001C54FF0C000-memory.dmp
memory/1452-50-0x00007FFB10F90000-0x00007FFB11A51000-memory.dmp
memory/1452-51-0x000001C5502E0000-0x000001C5502F0000-memory.dmp
memory/1452-52-0x000001C56B390000-0x000001C56B406000-memory.dmp
memory/1452-53-0x000001C551BC0000-0x000001C551BDE000-memory.dmp
memory/1452-54-0x000001C56B410000-0x000001C56B46E000-memory.dmp
memory/3260-55-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3260-56-0x0000000072F10000-0x00000000736C0000-memory.dmp
memory/3260-57-0x0000000005680000-0x0000000005690000-memory.dmp
memory/1452-58-0x00007FFB10F90000-0x00007FFB11A51000-memory.dmp
C:\Users\Admin\Pictures\WaZeGIDKHEGcyN1qLwHoR65u.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\ev5TUPhitQeSGuKie2onkCE9.exe
| MD5 | 222e8caff8326f1447bc92a42483a79e |
| SHA1 | aa8c944194827ac18f046df274e286b36e9dc7d3 |
| SHA256 | 7221786173726f92d94cec447e4a0f5c6cd6ae938f6cd517d8b4ab12f31d29c4 |
| SHA512 | 13cb6d9210d84271b76a9209028c39016a15ed773c405a0740281cd7af503c3230d90cfbfc57814f6140fcf17528453963459a406e3a75732ae21d69265b00d0 |
C:\Users\Admin\Pictures\xZfqhCs7PMiNkmFilwDKgoCX.exe
| MD5 | fdaacb076d325b9b448fb8e017bc7c82 |
| SHA1 | ed39b1ea373fff8a12a994a59e8a543d08d90c02 |
| SHA256 | 45af99367c76076e6ac0bbc7e8d332a7e141e3ea1f73bb5aa909897fbe1309e7 |
| SHA512 | 4279b84069e352d9fcf000eb3968dfa45c8d4075e39da003678534928282034dd04cd6ba9fb0bcbea89fae8de48a81137f7e5727ded7c3ea611426eed9c95653 |
C:\Users\Admin\Pictures\1Y79cCMI3cleTlblHGPHGRCX.exe
| MD5 | 6bcb4265ca9f8eeffe10c66614934407 |
| SHA1 | 98ca1be77baa98892625d7659dffec1627042200 |
| SHA256 | 5429e24f3ab3287148c2508bd3e0e6a872ea62f115b67b102444cb5435ab72c8 |
| SHA512 | ca07ce30ab0cda6d0bd2fbef701e3a44f9a1c5d3f3e23ec7201b3ed9eafe9d7f6689cd7a46c7420914a84426af718643b72d557333d96a2de966df5b86dfd784 |
memory/4804-103-0x0000000000690000-0x0000000000790000-memory.dmp
memory/4804-104-0x00000000021B0000-0x000000000221E000-memory.dmp
memory/4804-105-0x0000000000400000-0x0000000000562000-memory.dmp
memory/4496-106-0x0000000000B30000-0x0000000000FE5000-memory.dmp
C:\Users\Admin\Pictures\a4Kdg3J3U4IuDTl57QmvaybL.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
C:\Users\Admin\Pictures\NIUxRdjB8sPu0C84hPzAo11r.exe
| MD5 | 4674136df8304d43b93dd56409c0ef88 |
| SHA1 | 6abfd675f89fe668963b546fe0982a60d5fb47e9 |
| SHA256 | 8d5adaa34385cbccafc86381269c6c2b4fec424b386f6b54bd626a7630a0ab2d |
| SHA512 | 4def37495fc2ec5dd256bfdd6afb722a1f554ac391e9eab26f3556309e5dfe3b854b3c19a1ed42fdb5934a2b48069e72cf2ace5bba6a74c80d2f319d1825b725 |
memory/4328-134-0x0000000000AF0000-0x0000000000B5E000-memory.dmp
memory/4328-136-0x0000000072F10000-0x00000000736C0000-memory.dmp
memory/4328-140-0x00000000053D0000-0x00000000053E0000-memory.dmp
memory/2716-148-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2716-160-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\Pictures\LHJPOa20shHD2pQeIN4444nP.exe
| MD5 | 648184f930f8fd4507b238af673d11c0 |
| SHA1 | 8f83ad030dd4cba19dbd3dcf9089e466846a0ecf |
| SHA256 | 4f42175d97bb370b4ccb8fc4ec8faa73191054f9ac43fe79b318ac971aa90cb9 |
| SHA512 | 708b8a2535d4999b103da3bf83eb93a8d67f4191c81eb7473f1848c28c7118330e0ca113f360c2491fb65a2446dd3ddd40bea15e57e48d2550afe418ed5e0ef3 |
memory/956-162-0x0000000002940000-0x0000000002D3A000-memory.dmp
memory/4328-157-0x0000000002E80000-0x0000000004E80000-memory.dmp
memory/2716-163-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3284-164-0x0000000002AF0000-0x0000000002EF5000-memory.dmp
memory/3284-166-0x0000000002F00000-0x00000000037EB000-memory.dmp
memory/4028-168-0x0000000002DC0000-0x00000000036AB000-memory.dmp
memory/956-169-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3284-170-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4028-171-0x00000000029B0000-0x0000000002DB6000-memory.dmp
memory/4028-172-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3pg.0.exe
| MD5 | 6cfe7e9a1f9ee6a58fd301a69dbe6387 |
| SHA1 | 1ea8709c38d0c005ef5f9152a58412bdd8438ee0 |
| SHA256 | eafd6b767db2a513fe852813899be0d4f57246fe8976b0c27032c78e0a54a3d1 |
| SHA512 | 7f5fe16db88335650c0b24d563f064394fa053707df06904731050d490f95ded9f84ac25b216a9ea14aa4f9da1c0f96e4aa1e92f1c11f334f04e0e1f5b4e5204 |
memory/4328-178-0x0000000072F10000-0x00000000736C0000-memory.dmp
memory/4036-183-0x0000000002270000-0x0000000002297000-memory.dmp
memory/4036-182-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/3260-184-0x0000000072F10000-0x00000000736C0000-memory.dmp
memory/4036-185-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3260-186-0x0000000005680000-0x0000000005690000-memory.dmp
memory/4220-187-0x0000000004510000-0x0000000004546000-memory.dmp
memory/4220-188-0x0000000072F10000-0x00000000736C0000-memory.dmp
memory/4496-189-0x0000000000B30000-0x0000000000FE5000-memory.dmp
memory/4220-190-0x0000000004BE0000-0x0000000005208000-memory.dmp
memory/4804-191-0x0000000000690000-0x0000000000790000-memory.dmp
memory/880-192-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/2716-193-0x0000000003EB0000-0x00000000042B0000-memory.dmp
memory/3244-194-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/2716-195-0x0000000003EB0000-0x00000000042B0000-memory.dmp
memory/4220-197-0x00000000045A0000-0x00000000045B0000-memory.dmp
memory/4220-200-0x00000000045A0000-0x00000000045B0000-memory.dmp
memory/2716-201-0x0000000075380000-0x0000000075595000-memory.dmp
memory/4324-203-0x0000000000480000-0x0000000000489000-memory.dmp
memory/2716-198-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/3244-196-0x00000000052C0000-0x00000000052D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dr1l4asf.vx1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4324-229-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/4324-218-0x0000000002180000-0x0000000002580000-memory.dmp
memory/4324-234-0x0000000075380000-0x0000000075595000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3pg.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/4036-255-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\Pictures\WlXpzdNQqCwp5zWBZcNIhU4C.exe
| MD5 | 858bb0a3b4fa6a54586402e3ee117076 |
| SHA1 | 997c31f043347883ea5ed2323a558b6cc5ea9c8e |
| SHA256 | d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35 |
| SHA512 | e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd |
memory/4804-284-0x0000000000400000-0x0000000000562000-memory.dmp
memory/1468-305-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
memory/1468-314-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
memory/1468-322-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
memory/1468-320-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
memory/1468-323-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
memory/1468-326-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
memory/1468-334-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
C:\Users\Admin\Pictures\BNcDehVmdQj4SgrQU6jnoZTj.exe
| MD5 | 28882b4c74fca6fa682147268c3c3772 |
| SHA1 | 9bbc2e751abf38c8d93e81fedb6a5959d1593627 |
| SHA256 | 6ee4e1c25d81bb140dc6d080dfbe86de80f1a8d35f06b2fbd7b8c4d406bdbdca |
| SHA512 | 9cbe516b701da9cc26869a10764bcfc64f5e4ae1fdaa010d13ce0c0ce35df00cbd40f3741832a5cbaabe66edcd56e1a92dbe8b2c0b5de366dc5905ac5c4e1d93 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403300129145262512.dll
| MD5 | 117176ddeaf70e57d1747704942549e4 |
| SHA1 | 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b |
| SHA256 | 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af |
| SHA512 | ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | be2eeab03c8a5f71015b3aaaf5d21cc8 |
| SHA1 | cab3fab75eecb7507615dc2298227b931dff99ff |
| SHA256 | 285ff7c2e4fb561d1a6344c8769b08c533ef4f31a9342dd7f1cda54c61c6532a |
| SHA512 | a086ea86f0119aa38e4435ac23a6461742522664023cfa2055a73f6140cdd84e41332c3bab70395d71a55e05d4c3f2b774547f91bf1bd80ee5a4de0e9cea74a7 |
memory/956-442-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3284-443-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 92fbdfccf6a63acef2743631d16652a7 |
| SHA1 | 971968b1378dd89d59d7f84bf92f16fc68664506 |
| SHA256 | b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72 |
| SHA512 | b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e580dc26b82bb994015bf756ed100059 |
| SHA1 | 0730c3aa85c28c97ef297ad1ffa4149a448457a7 |
| SHA256 | f30eccf99fd750d9d67556100fd4bbe6d811b8b6c93e6d9e625edc58fb1dad03 |
| SHA512 | 7e2a54fdb5f572789256355b505e44cbed4767d8f7b693b2a39bd582a73ee45cec0cf265562de09c56792790c570dcbfe928008a8750ea9892ae95154dd1565c |
memory/4028-495-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4036-497-0x0000000000400000-0x000000000063B000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/4496-545-0x0000000000B30000-0x0000000000FE5000-memory.dmp
memory/4328-558-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 65bf6eaa0a2eee26d93dd9e160fbc70d |
| SHA1 | 05a0210994537d86bc9138007d0dd0d696cdaa9a |
| SHA256 | 54990f2f212c8ce9dd6a8d5fc7fbb68179423b957b617b10146ddb6bbdf861a1 |
| SHA512 | 49ef9c4e92a5db46eb05880da675b28fb2c876bd7ef1562c7e7541ed43f446b9358096183aa47807f6229b9c752b7f1fa5e1d1b83aeb46ed0b5245935f64c277 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2afdbe3b99a4736083066a13e4b5d11a |
| SHA1 | 4d4856cf02b3123ac16e63d4a448cdbcb1633546 |
| SHA256 | 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee |
| SHA512 | d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f |
memory/3284-622-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/956-609-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1468-627-0x00007FF67ABF0000-0x00007FF67B6FA000-memory.dmp
memory/6052-643-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/6088-657-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/6096-660-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4036-661-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\opera_package
| MD5 | 401c352990789be2f40fe8f9c5c7a5ac |
| SHA1 | d7c1e902487511d3f4e1a57abdee8a94d5483ed4 |
| SHA256 | f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3 |
| SHA512 | efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 11753c28c139dc878c04f432cd9218b7 |
| SHA1 | 82219d026ea1d476927f57c480493707a426eaee |
| SHA256 | 507b691618cf4a92f35237d6c7b57cbe721d5379b81c2ef1dffc53a3e2bf5e6b |
| SHA512 | 30e6c43d6daa22aa149df6921a0c0104bb5ccbd68f70aa4129310a7a6a74174069fae502a784cf145b6a72e24acf6f81fbafe0e740697c2254f6305fbc5d959a |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 1b7281166c9dc3077ff4ae10dd48aac7 |
| SHA1 | 1a4d601e25f7102572a7c00fc90de19ed096a12c |
| SHA256 | 35513ba2533b12b5a291d8a80ad37d63011105b19c482fce664422897d5d8acc |
| SHA512 | ba706b9d0c5d28cb452deaf7e5e7446659f9599e34d2a62aa4ce15e0b56fab621295ffb4300846aed038ea369434b398410d0efb15587dcff286f6c746be3297 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 70ae5907463367183eaf01f354cc79d1 |
| SHA1 | 6921b0102edf38367c3a401a2a4fa99f27563b63 |
| SHA256 | d565513f21033d43d037ee51d84e9e5c5f05108d23724f097e1997cd4109d2ae |
| SHA512 | 046f6d343ff56aa9f4a0f41a68e8f2f7273a2751819070ab845b5ced9d0ebecdad967b1a7971311d3f6d45244959359514b09e0462f7c11f1b2b654fad1b2fd1 |
memory/4328-735-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/4496-732-0x0000000000B30000-0x0000000000FE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403300129151\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
memory/4328-769-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/6052-846-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/6088-847-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c563a3ec331b2de080532292008ae4c6 |
| SHA1 | e3a546a6437186f45bb8bcd10162d0bdf123cba0 |
| SHA256 | 2be0d4a77ed5076c4ccc31c50900d0981e7cd45f41fc69faaad246cee8e2b9f4 |
| SHA512 | 13109c1ac259605db45d6656079d9a3a71f66383a8c548430b8506e86e0c2470dfacb978d49a9a32c28716d4257c43b8729aa9033150a60f1a049c794e844065 |
C:\Users\Admin\AppData\Local\Temp\GDBKKFHIEG.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | dc75ee19dc5c98888bfd7f7ca03848ed |
| SHA1 | 77225ad80ca79690199d19d592df6ab2912340ec |
| SHA256 | b4929611d5cefe756466c7331d6c277fe11a524339e01cb4f0cdf890cdfbd2c6 |
| SHA512 | 2b77eb4998aadf7be903363eeb67f4041274ee04cf28b59da7d4b5b7abc0d105dc61760a09a80dece0087c22c6c574916de1e6996a9cc2433be4d94a77f3c987 |