Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
10-03-2024 12:34
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20240226-en
General
-
Target
file.exe
-
Size
2.4MB
-
MD5
b11c3fad2e48022f58635df7368d6441
-
SHA1
63883fee892ac1e0d44f568913931c0d59b343d1
-
SHA256
2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
-
SHA512
6c68523b259c307e1c4ff4c6809fb20e5d9d9998a32d03ca06eaf29ec8f27bcaca2cafd9b57420b307160b3ebfeac16d234b99f6119f8f3038f4b5bf4b169023
-
SSDEEP
49152:jCqqfqaaK++EFUw2PsQMIZnLzn8FGaqxMBeVBBzKl:jONGXqGY1y
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
socks5systemz
http://dldnrwd.info/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978fe71ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff11c7eb949b32
http://dldnrwd.info/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12eab517aa5c96bd86eb958e4d825a8bbc896c58e713bc90c91f36b5281fc235a925ed3e5dd6bd974a95129070b617e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee959a3cc96e971f
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Glupteba payload 8 IoCs
resource yara_rule
behavioral2/memory/4772-105-0x0000000002E10000-0x00000000036FB000-memory.dmp family_glupteba
behavioral2/memory/4772-107-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4772-196-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4628-204-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4628-404-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4628-553-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/1356-607-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/1356-619-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
3352 netsh.exe
-
Drops startup file 6 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nCKytdSB5KynFC85zAiaClrW.bat jsc.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locXPTpXtGAi2iIwIOCjSk6g.bat jsc.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAbuhFFm3sGZEGrlbX8f7Nfw.bat jsc.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4WojiqiVx9md8GR8I0C4iz2b.bat jsc.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JNy39JoOJRzNuLwJbwm9miIZ.bat jsc.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rRb0jtjxrnIIVBVBJay5pfS9.bat jsc.exe
-
Executes dropped EXE 22 IoCs
pid Process
60 WqvUjjnPluYpb8wCHhD0buwD.exe
316 WqvUjjnPluYpb8wCHhD0buwD.tmp
3296 babyclock.exe
3188 babyclock.exe
1652 u3Xpyo3vzUEhiidl1YpyOYFX.exe
4772 jZ93yVW3Sw1HMmqyFo0txVQs.exe
2308 HYGEKFd3yEB3UbFViv9Y0Trc.exe
2816 syncUpd.exe
3660 BroomSetup.exe
4628 jZ93yVW3Sw1HMmqyFo0txVQs.exe
1356 csrss.exe
3876 q5k45BSDMtuPVECVy92Za6sx.exe
3988 q5k45BSDMtuPVECVy92Za6sx.exe
5100 q5k45BSDMtuPVECVy92Za6sx.exe
3284 q5k45BSDMtuPVECVy92Za6sx.exe
5084 q5k45BSDMtuPVECVy92Za6sx.exe
720 injector.exe
2424 windefender.exe
2356 windefender.exe
5052 Assistant_108.0.5067.20_Setup.exe_sfx.exe
748 assistant_installer.exe
880 assistant_installer.exe
-
Loads dropped DLL 14 IoCs
pid Process
316 WqvUjjnPluYpb8wCHhD0buwD.tmp
2308 HYGEKFd3yEB3UbFViv9Y0Trc.exe
2308 HYGEKFd3yEB3UbFViv9Y0Trc.exe
3876 q5k45BSDMtuPVECVy92Za6sx.exe
3988 q5k45BSDMtuPVECVy92Za6sx.exe
5100 q5k45BSDMtuPVECVy92Za6sx.exe
3284 q5k45BSDMtuPVECVy92Za6sx.exe
5084 q5k45BSDMtuPVECVy92Za6sx.exe
748 assistant_installer.exe
748 assistant_installer.exe
880 assistant_installer.exe
880 assistant_installer.exe
2816 syncUpd.exe
2816 syncUpd.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule
behavioral2/memory/3660-193-0x0000000000400000-0x0000000000930000-memory.dmp upx
behavioral2/files/0x000900000002324a-191.dat upx
behavioral2/files/0x000700000002326c-444.dat upx
behavioral2/files/0x000700000002326c-450.dat upx
behavioral2/files/0x000700000002326c-456.dat upx
behavioral2/files/0x000700000002326c-463.dat upx
behavioral2/files/0x000700000002327a-466.dat upx
behavioral2/memory/5100-473-0x0000000000350000-0x0000000000888000-memory.dmp upx
behavioral2/files/0x000700000002326c-477.dat upx
behavioral2/files/0x000700000002326c-482.dat upx
behavioral2/files/0x000900000002324a-618.dat upx
behavioral2/files/0x0009000000023298-626.dat upx
behavioral2/files/0x0009000000023298-628.dat upx
behavioral2/files/0x0009000000023298-630.dat upx
behavioral2/memory/2424-632-0x0000000000400000-0x00000000008DF000-memory.dmp upx
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc
Destination IP 141.98.234.31
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\D: q5k45BSDMtuPVECVy92Za6sx.exe
File opened (read-only) \??\F: q5k45BSDMtuPVECVy92Za6sx.exe
File opened (read-only) \??\D: q5k45BSDMtuPVECVy92Za6sx.exe
File opened (read-only) \??\F: q5k45BSDMtuPVECVy92Za6sx.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
8 pastebin.com
10 pastebin.com
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
-
Drops file in System32 directory 7 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 1700 set thread context of 692 1700 file.exe 88
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN jZ93yVW3Sw1HMmqyFo0txVQs.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\rss jZ93yVW3Sw1HMmqyFo0txVQs.exe
File created C:\Windows\rss\csrss.exe jZ93yVW3Sw1HMmqyFo0txVQs.exe
File created C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
3140 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target
3064 3536 WerFault.exe 103
3392 2816 WerFault.exe 106
-
NSIS installer 3 IoCs
resource yara_rule
behavioral2/files/0x000700000002323d-137.dat nsis_installer_2
behavioral2/files/0x000700000002323d-141.dat nsis_installer_2
behavioral2/files/0x000700000002323d-140.dat nsis_installer_2
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u3Xpyo3vzUEhiidl1YpyOYFX.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u3Xpyo3vzUEhiidl1YpyOYFX.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u3Xpyo3vzUEhiidl1YpyOYFX.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 syncUpd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString syncUpd.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3796 schtasks.exe
4180 schtasks.exe
1700 schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" windefender.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" jZ93yVW3Sw1HMmqyFo0txVQs.exe
-
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 q5k45BSDMtuPVECVy92Za6sx.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) q5k45BSDMtuPVECVy92Za6sx.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) q5k45BSDMtuPVECVy92Za6sx.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) q5k45BSDMtuPVECVy92Za6sx.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) q5k45BSDMtuPVECVy92Za6sx.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
316 WqvUjjnPluYpb8wCHhD0buwD.tmp
316 WqvUjjnPluYpb8wCHhD0buwD.tmp
1652 u3Xpyo3vzUEhiidl1YpyOYFX.exe
1652 u3Xpyo3vzUEhiidl1YpyOYFX.exe
3536 powershell.exe
3536 powershell.exe
3536 powershell.exe
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
4772 jZ93yVW3Sw1HMmqyFo0txVQs.exe
4772 jZ93yVW3Sw1HMmqyFo0txVQs.exe
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
3436 Process not Found
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process
1652 u3Xpyo3vzUEhiidl1YpyOYFX.exe
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process
Token: SeDebugPrivilege 692 jsc.exe
Token: SeDebugPrivilege 3536 powershell.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeDebugPrivilege 4772 jZ93yVW3Sw1HMmqyFo0txVQs.exe
Token: SeImpersonatePrivilege 4772 jZ93yVW3Sw1HMmqyFo0txVQs.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeDebugPrivilege 4908 powershell.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeDebugPrivilege 3996 powershell.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeDebugPrivilege 904 powershell.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeDebugPrivilege 4284 powershell.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeDebugPrivilege 2980 powershell.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeDebugPrivilege 2252 powershell.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeSystemEnvironmentPrivilege 1356 csrss.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeSecurityPrivilege 3140 sc.exe
Token: SeSecurityPrivilege 3140 sc.exe
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
Token: SeShutdownPrivilege 3436 Process not Found
Token: SeCreatePagefilePrivilege 3436 Process not Found
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
316 WqvUjjnPluYpb8wCHhD0buwD.tmp
3436 Process not Found
3436 Process not Found
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
3660 BroomSetup.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                        procid_target  calls
PID 1700 wrote to memory of 692    1700  file.exe                       88             8
PID 1700 wrote to memory of 4412   1700  file.exe                       89             3
PID 692 wrote to memory of 60      692   jsc.exe                        96             3
PID 60 wrote to memory of 316      60    WqvUjjnPluYpb8wCHhD0buwD.exe   97             3
PID 316 wrote to memory of 3296    316   WqvUjjnPluYpb8wCHhD0buwD.tmp   98             3
PID 316 wrote to memory of 3188    316   WqvUjjnPluYpb8wCHhD0buwD.tmp   99             3
PID 692 wrote to memory of 1652    692   jsc.exe                        100            3
PID 692 wrote to memory of 4772    692   jsc.exe                        101            3
PID 4772 wrote to memory of 3536   4772  jZ93yVW3Sw1HMmqyFo0txVQs.exe   103            3
PID 692 wrote to memory of 2308    692   jsc.exe                        105            3
PID 2308 wrote to memory of 2816   2308  HYGEKFd3yEB3UbFViv9Y0Trc.exe   106            3
PID 2308 wrote to memory of 3660   2308  HYGEKFd3yEB3UbFViv9Y0Trc.exe   111            3
PID 3660 wrote to memory of 8      3660  BroomSetup.exe                 115            3
PID 8 wrote to memory of 4788      8     cmd.exe                        117            3
PID 8 wrote to memory of 4180      8     cmd.exe                        123            3
PID 4628 wrote to memory of 4908   4628  jZ93yVW3Sw1HMmqyFo0txVQs.exe   120            3
PID 4628 wrote to memory of 4180   4628  jZ93yVW3Sw1HMmqyFo0txVQs.exe   123            2
PID 4180 wrote to memory of 3352   4180  cmd.exe                        125            2
PID 4628 wrote to memory of 3996   4628  jZ93yVW3Sw1HMmqyFo0txVQs.exe   126            3
PID 4628 wrote to memory of 904    4628  jZ93yVW3Sw1HMmqyFo0txVQs.exe   129            3
PID 4628 wrote to memory of 1356   4628  jZ93yVW3Sw1HMmqyFo0txVQs.exe   131            1
(64 recorded calls collapsed to 21 distinct writer/target pairs; "calls" is how many times the report repeats the record.)
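Read against the process tree, the list above says more than "64 writes": file.exe (PID 1700) pairs SetThreadContext with eight writes into a freshly started jsc.exe (PID 692), which is the pattern of process hollowing into a signed .NET binary, and every later dropper is then spawned by that jsc.exe rather than by file.exe. The script below is an added example, not part of the report or of any tool it names. It parses records in the report's own "PID X wrote to memory of Y X image N" wording (a subset of the records above, embedded as constructed sample text, with the first record repeated so the collapse step has work to do), counts calls per writer/target edge, finds the chain roots, and refuses to resolve a chain through a PID that two different processes wrote into, because in this run PID 4180 is both a child of cmd.exe (PID 8) and a child of jZ93yVW3Sw1HMmqyFo0txVQs.exe (PID 4628).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the WriteProcessMemory records from the report,
# one per line. The report repeats a record once per call; only the first record
# keeps its repeats here. The parser also works on the run-together original.
WPM_LOG = """
PID 1700 wrote to memory of 692 1700 file.exe 88
PID 1700 wrote to memory of 692 1700 file.exe 88
PID 1700 wrote to memory of 692 1700 file.exe 88
PID 1700 wrote to memory of 4412 1700 file.exe 89
PID 692 wrote to memory of 60 692 jsc.exe 96
PID 60 wrote to memory of 316 60 WqvUjjnPluYpb8wCHhD0buwD.exe 97
PID 316 wrote to memory of 3296 316 WqvUjjnPluYpb8wCHhD0buwD.tmp 98
PID 316 wrote to memory of 3188 316 WqvUjjnPluYpb8wCHhD0buwD.tmp 99
PID 692 wrote to memory of 1652 692 jsc.exe 100
PID 692 wrote to memory of 4772 692 jsc.exe 101
PID 4772 wrote to memory of 3536 4772 jZ93yVW3Sw1HMmqyFo0txVQs.exe 103
PID 692 wrote to memory of 2308 692 jsc.exe 105
PID 2308 wrote to memory of 2816 2308 HYGEKFd3yEB3UbFViv9Y0Trc.exe 106
PID 2308 wrote to memory of 3660 2308 HYGEKFd3yEB3UbFViv9Y0Trc.exe 111
PID 3660 wrote to memory of 8 3660 BroomSetup.exe 115
PID 8 wrote to memory of 4788 8 cmd.exe 117
PID 8 wrote to memory of 4180 8 cmd.exe 123
PID 4628 wrote to memory of 4908 4628 jZ93yVW3Sw1HMmqyFo0txVQs.exe 120
PID 4628 wrote to memory of 4180 4628 jZ93yVW3Sw1HMmqyFo0txVQs.exe 123
PID 4180 wrote to memory of 3352 4180 cmd.exe 125
PID 4628 wrote to memory of 3996 4628 jZ93yVW3Sw1HMmqyFo0txVQs.exe 126
PID 4628 wrote to memory of 904 4628 jZ93yVW3Sw1HMmqyFo0txVQs.exe 129
PID 4628 wrote to memory of 1356 4628 jZ93yVW3Sw1HMmqyFo0txVQs.exe 131
"""

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"; the
# backreference pins the repeated source PID so a run-together blob splits cleanly.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_events(text):
    """Return [(src_pid, dst_pid, src_image, procid_target)] for every record."""
    return [(int(s), int(d), img, int(p)) for s, d, img, p in RECORD.findall(text)]


def collapse(events):
    """Number of WriteProcessMemory calls per (src_pid, src_image, dst_pid) edge."""
    return Counter((s, img, d) for s, d, img, _ in events)


def writers_of(events):
    """dst_pid -> set of src_pids that wrote into it."""
    writers = defaultdict(set)
    for s, d, _, _ in events:
        writers[d].add(s)
    return writers


def reused_pids(events):
    """Targets written by more than one distinct source. In one sandbox run that
    almost always means the OS reused the PID for a second process, so the PID
    alone cannot be used as a key for the process."""
    return {d for d, srcs in writers_of(events).items() if len(srcs) > 1}


def roots(events):
    """Sources that were never a target themselves: where each injection chain starts."""
    targets = {d for _, d, _, _ in events}
    return {s for s, _, _, _ in events} - targets


def chain_to(events, pid):
    """Walk writers upward from pid to a root and return the chain root-first.
    Returns None instead of guessing when a hop is ambiguous (reused PID) or cyclic."""
    writers = writers_of(events)
    chain, seen = [pid], {pid}
    while chain[0] in writers:
        srcs = writers[chain[0]]
        if len(srcs) != 1:
            return None
        (nxt,) = srcs
        if nxt in seen:
            return None
        seen.add(nxt)
        chain.insert(0, nxt)
    return chain


if __name__ == "__main__":
    ev = parse_events(WPM_LOG)
    for (src, img, dst), n in collapse(ev).items():
        print(f"{src:>5} {img:<30} -> {dst:<5} x{n}")
    print("roots:", sorted(roots(ev)), "reused PIDs:", sorted(reused_pids(ev)))
    for pid in (3536, 1356, 3352):
        print(pid, "chain:", chain_to(ev, pid))
```

Run over the full text of the list it reports 64 calls over the same 21 edges. The two roots matter: 1700 is the submitted sample, and 4628 is the second jZ93yVW3Sw1HMmqyFo0txVQs.exe instance, which the process tree shows was launched by PID 4772 but which received no memory write, so it starts a chain of its own here (PowerShell children, the firewall rule, and C:\Windows\rss\csrss.exe).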
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PIDs are reused within this run (1700 is file.exe and later a schtasks.exe; 4180 is a schtasks.exe under BroomSetup.exe and a cmd.exe under jZ93yVW3Sw1HMmqyFo0txVQs.exe; 4284 is a powershell.exe and a conhost.exe), so read the tree by nesting rather than by PID. The bracketed number is the depth in the tree. Note also that the cmd.exe adding the firewall rule is launched as C:\Windows\Sysnative\cmd.exe, the alias a 32-bit (WOW64) process uses to reach the native 64-bit System32, which fits the SysWOW64 powershell.exe children of the same parent.

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    PID 1700
    cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      PID 692
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe
        PID 60
        cmdline: "C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp
          PID 316
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp" /SL5="$E0062,1697450,56832,C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
            PID 3296
            cmdline: "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
            PID 3188
            cmdline: "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s
            - Executes dropped EXE
    [3] C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe
        PID 1652
        cmdline: "C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
    [3] C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
        PID 4772
        cmdline: "C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          PID 3536
          cmdline: powershell -nologo -noprofile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WerFault.exe
            PID 3064
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1744
            - Program crash
      [4] C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
          PID 4628
          cmdline: "C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks for VirtualBox DLLs, possible anti-VM trick
          - Drops file in Windows directory
          - Modifies data under HKEY_USERS
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            PID 4908
            cmdline: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\cmd.exe
            PID 4180
            cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\netsh.exe
              PID 3352
              cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            PID 3996
            cmdline: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            PID 904
            cmdline: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\rss\csrss.exe
            PID 1356
            cmdline: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              PID 4284
              cmdline: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SYSTEM32\schtasks.exe
              PID 1700
              cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe
              PID 3516
              cmdline: schtasks /delete /tn ScheduledUpdate /f
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              PID 2980
              cmdline: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              PID 2252
              cmdline: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              PID 720
              cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              - Executes dropped EXE
          [6] C:\Windows\SYSTEM32\schtasks.exe
              PID 3796
              cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
            [7] C:\Windows\System32\Conhost.exe
                PID 4284
                cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          [6] C:\Windows\windefender.exe
              PID 2424
              cmdline: "C:\Windows\windefender.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe
                PID 924
                cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              [8] C:\Windows\SysWOW64\sc.exe
                  PID 3140
                  cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  - Launches sc.exe
                  - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
        PID 2308
        cmdline: "C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          PID 2816
          cmdline: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
        [5] C:\Windows\SysWOW64\WerFault.exe
            PID 3392
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1092
            - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          PID 3660
          cmdline: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            PID 8
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\chcp.com
              PID 4788
              cmdline: chcp 1251
          [6] C:\Windows\SysWOW64\schtasks.exe
              PID 4180
              cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
              - Creates scheduled task(s)
    [3] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
        PID 3876
        cmdline: "C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe" --silent --allusers=0
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Modifies system certificate store
      [4] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
          PID 3988
          cmdline: C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2f0,0x300,0x6e8a21c8,0x6e8a21d4,0x6e8a21e0
          - Executes dropped EXE
          - Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q5k45BSDMtuPVECVy92Za6sx.exe
          PID 5100
          cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q5k45BSDMtuPVECVy92Za6sx.exe" --version
          - Executes dropped EXE
          - Loads dropped DLL
      [4] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
          PID 3284
          cmdline: "C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3876 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240310123443" --session-guid=9477b60e-ec3c-4c23-97a4-17043994aafc --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
        [5] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe
            PID 5084
            cmdline: C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2f0,0x300,0x304,0x2d4,0x308,0x6df221c8,0x6df221d4,0x6df221e0
            - Executes dropped EXE
            - Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
          PID 5052
          cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
          - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe
          PID 748
          cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe" --version
          - Executes dropped EXE
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe
            PID 880
            cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x530040,0x53004c,0x530058
            - Executes dropped EXE
            - Loads dropped DLL
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      PID 4412
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
[1] C:\Windows\SysWOW64\WerFault.exe
    PID 4700
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3536 -ip 3536
[1] C:\Windows\windefender.exe
    PID 2356
    cmdline: C:\Windows\windefender.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[1] C:\Windows\SysWOW64\WerFault.exe
    PID 2628
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2816 -ip 2816
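The `sc sdset WinDefender ...` command at the bottom of the csrss.exe branch replaces the security descriptor of the service the sample registered for C:\Windows\windefender.exe. Decoded as SDDL it matches the default service descriptor except in two places: the allow ACE for BA (Administrators) has lost WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a deny ACE for WPDT to BA follows it, so an administrator can neither stop nor pause the service; SY (Local System) keeps start and stop; IU and SU get query rights only; the SACL audits failed access by Everyone. The decoder below is an added example, not part of the report. It parses the descriptor as it appears above, decodes the two-letter rights as Windows applies them to service objects, and answers per-trustee access questions with the same first-match walk over the DACL that Windows uses for a single requested right, so the effect of ACE order is visible. The alias-to-name table is the example's own small lookup, and group membership is not expanded.

```python
import re

# Descriptor copied from the sc.exe command line in the process tree above.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL rights as they map onto a service object (the set sc.exe uses).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",   "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",   "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",          "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# Well-known SID aliases used in this descriptor (example's own lookup, not exhaustive).
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}

# ACE = (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")


def parse_sddl(sddl):
    """Return (dacl, sacl) as lists of (type, flags, [rights], trustee).
    Owner (O:) and group (G:) components, if present, are ignored."""
    parts = {"D": "", "S": ""}
    for key, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        parts[key] = body

    def decode(body):
        return [(ACE_TYPES.get(t, t), flags, re.findall("..", rights), TRUSTEES.get(sid, sid))
                for t, flags, rights, _guid, _iguid, sid in ACE.findall(body)]

    return decode(parts["D"]), decode(parts["S"])


def can(dacl, trustee, right):
    """Single-right check the way Windows walks a DACL: the first ACE that names
    this trustee and mentions the right decides (allow or deny); no match means
    deny. This is why a deny placed after an allow that already grants the right
    would be ineffective, and why removing WP/DT from the allow ACE matters."""
    for kind, _flags, rights, who in dacl:
        if who == trustee and right in rights:
            return kind == "allow"
    return False


def rights_by_trustee(dacl):
    """Effective service rights (by name) for every trustee named in the DACL."""
    return {who: sorted(name for code, name in SERVICE_RIGHTS.items() if can(dacl, who, code))
            for who in dict.fromkeys(w for _, _, _, w in dacl)}


def deny_aces(dacl):
    """Explicit deny ACEs as (trustee, [right names])."""
    return [(who, [SERVICE_RIGHTS.get(r, r) for r in rights])
            for kind, _flags, rights, who in dacl if kind == "deny"]


if __name__ == "__main__":
    dacl, sacl = parse_sddl(SDDL)
    for who, names in rights_by_trustee(dacl).items():
        print(f"{who:20} {', '.join(names)}")
    print("explicit denies:", deny_aces(dacl))
    print("SACL:", sacl)
```

The response caveat follows from the decode: the deny blocks `sc stop` and `net stop` even from an elevated shell, but BA keeps DC (SERVICE_CHANGE_CONFIG), SD (DELETE) and WD (WRITE_DAC), so an administrator can still rewrite the descriptor with `sc sdset`, or remove the service with `sc delete WinDefender`, before deleting the binary.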
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (2)
- Subvert Trust Controls (1): Install Root Certificate (1)
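The tally above is the sandbox's summary; the evidence behind it is in the command lines of the process tree. The script below is an added example, not part of the report or of any product: a handful of command-line triage rules of the kind a detection engineer derives from a report like this, run over command lines copied from the tree (the `sc sdset` descriptor shortened, and `chcp 1251` plus the Opera installer kept as benign controls). The trusted-directory list and the set of image names that should only run from System32 are the example's own assumptions; technique IDs are ATT&CK Enterprise.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: command lines copied from the process tree above. The last
# two are benign controls; the sc sdset descriptor is shortened.
COMMAND_LINES = [
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(D;;WPDT;;;BA)',
    r'C:\Windows\rss\csrss.exe',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe '
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'chcp 1251',
    r'"C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe" --silent --allusers=0',
]

# Assumptions of this example, not from the report: where task and firewall
# targets are expected to live, and names that should only ever run from System32.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                     "winlogon.exe", "svchost.exe"}

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmd):
    """Split a Windows command line, keeping double-quoted strings whole and
    dropping the double and single quotes that wrap a token."""
    return [t.strip('"').strip("'") for t in TOKEN.findall(cmd)]


def switch_value(toks, name):
    """Value following a case-insensitive switch or keyword, or None."""
    low = [t.lower() for t in toks]
    if name in low and low.index(name) + 1 < len(toks):
        return toks[low.index(name) + 1]
    return None


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def triage(cmd):
    """Return [(rule, attack_id, detail)] for one command line."""
    toks = tokens(cmd)
    if not toks:
        return []
    exe = PureWindowsPath(toks[0]).name.lower()
    low = [t.lower() for t in toks]
    hits = []

    # Scheduled task pointing outside trusted dirs, or run at logon / highest level.
    if exe in ("schtasks", "schtasks.exe") and "/create" in low:
        target = switch_value(toks, "/tr") or ""
        sched = (switch_value(toks, "/sc") or "").lower()
        level = (switch_value(toks, "/rl") or "").lower()
        if not in_trusted_dir(target) or sched == "onlogon" or level == "highest":
            hits.append(("schtasks_persistence", "T1053.005",
                         f"task {switch_value(toks, '/tn')} -> {target} (sc={sched or '-'}, rl={level or '-'})"))

    # Firewall allow rule added from the command line.
    if exe in ("netsh", "netsh.exe") and {"advfirewall", "add", "rule"} <= set(low):
        kv = {k.lower(): v.strip('"') for k, v in (t.split("=", 1) for t in toks if "=" in t)}
        if kv.get("action", "").lower() == "allow":
            hits.append(("firewall_allow_rule", "T1562.004",
                         f"rule {kv.get('name')} allows {kv.get('dir')} for {kv.get('program')}"))

    # Service security descriptor replaced wholesale.
    if exe in ("sc", "sc.exe") and "sdset" in low:
        hits.append(("service_dacl_rewrite", "T1543.003",
                     f"security descriptor of service {switch_value(toks, 'sdset')} replaced"))

    # A system-process name running from somewhere other than System32.
    if exe in SYSTEM_ONLY_NAMES and not in_trusted_dir(toks[0]):
        hits.append(("system_name_outside_system32", "T1036.005", toks[0]))

    # Helper given a target process and a DLL to put into it.
    dlls = [t for t in toks[1:] if t.lower().endswith(".dll")]
    exes = [t for t in toks[1:] if t.lower().endswith(".exe")]
    if dlls and exes and exe not in ("rundll32.exe", "regsvr32.exe"):
        hits.append(("dll_injection_helper", "T1055.001", f"{exe} -> {exes[0]} <- {dlls[0]}"))
    return hits


def triage_all(cmds):
    return {cmd: triage(cmd) for cmd in cmds}


if __name__ == "__main__":
    for cmd, hits in triage_all(COMMAND_LINES).items():
        print(cmd[:70], "->", hits or "clean")
```

Each rule keys on the part of the command line the attacker cannot easily vary without losing the effect: the /TR target and /RL or /SC values for schtasks, action=allow for netsh, the sdset verb for sc, the directory of a csrss.exe, and a DLL path handed to a helper alongside a target process name.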
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.8MB
MD53b5b9bd8bbf39e9996072c71dfbcf7ca
SHA1ba59908f0714a7e1682b3edefb0b723fbf8e8a38
SHA25645397a25baca6fdcf93bfa132e6be8c3ef2403b09ec049e164c365310ac1e5a7
SHA512ecf2dc225a7de0e0321d000d8762a2bb4ea97c789ff4940d7e43eb9f76b79b50d3b1543b4ed4c69a82566336eed045d1dfa59d12c4d2df5032904806af101d28
-
Filesize
1.8MB
MD528c62765c0d3951c98331a12febbab59
SHA106894799aa377dca12da424bcf2a6a6f7400c8d8
SHA256d00fa4460a6de61d26a035dd10bebfdcc0f28b81c85728e43e89af3d04da0260
SHA5120ec630eef2e3b6d175732612f94196a738f62a7d79abe9c23497886c3d772c00f3c3896b5f6dac2eadfc91bf47798ee58d7717c96d59260165c3573a591d077d
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\additional_file0.tmp
Filesize1.8MB
MD56964f8088a5e3f8d44021750b884476e
SHA16c525b6b3775c6851dea2228010edbf8847ec561
SHA256d64e5b0d1b0ee3279043f2989bcecbf93c46aec44f8160dfa52c07ae0008214f
SHA5127c6ec5e82b48d0ead3698125239ba64acc6fb9d5bf3f83c70afb5880f8fe9ab8acf16fcccc46b17c578aee7b5f59a03d305cf6c613c4f2b947f684f7a47bce17
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize1.5MB
MD5325917771434da18bf8e162931acd842
SHA16b46cb61a49d1d7f36d13705c65f8e17e139608a
SHA256da6fca3fb342be7ec974da072c62645177c4766d26749f7a17dd664eed141d38
SHA5126f58ec52a3945358891f1217bf7fd19f4753434b658ab7aff5b470669d58a2ce8c8d5c6f9ef20623e325821b90a6e3755b2000f4f7c3ab2ae51409d232f18442
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize1.1MB
MD5f9b7262e2c0a029f50822f47a8056366
SHA107799f321fe690a130cefca2b450bc3ab111b9eb
SHA256cbf9df2ef664591ff70e68e477b50077b08fc451ac6c1b02c49187627725fe2f
SHA512a88dcf1a417c79e4c12b8401aad31ec7ba6733150d71411ecffe7d948c374c4bb931afba76d40c06201b4776e0159ddc99adcaece97d979fe59923fffbe681d4
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe
Filesize1.0MB
MD597085a8535fedbdf70dc8d0f73e8221a
SHA18aa2f01467572810af012261e65d5d17dc72eb66
SHA2563ca699ded1176b6ef25a94e3af5107604e23cc184cc08adec28181075a7c20a3
SHA512240909582cf3f198c5b90ea5867ec95fb3946082a0a436e132e1bfc64a898aa4380b94a7a18c68d21bcaa3b3b01bc3bfc89bea604584a54659db1f30d818f9ac
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe
Filesize529KB
MD527e3fe47d8ba532f2aa8e8b50b116788
SHA1c034cda1d80b531cd02acddaef6507e75f513825
SHA256247bb9a3498635e6ef12c5abe53b5878eb5a2f6ca70fe72241548cb1dca59d8c
SHA512ed9b855ccf2711b79f8b17a1d25ae4e4e44288a8754de726e57dbd8c4ea481681b1ee7a79d3002cd777fe5a03a853508a9acbdec10f1012e975cd926b1dc0305
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\dbgcore.dll
Filesize166KB
MD58b6f64e5d3a608b434079e50a1277913
SHA103f431fabf1c99a48b449099455c1575893d9f32
SHA256926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\dbghelp.dll
Filesize591KB
MD58f01c833b571970575ba12ffa9f55526
SHA1e36754fed61f58f6480ac7b731b7360bbc51c0c4
SHA256331d06e13e24adda6b4ef0a451e01a211d1ea88d6e697ffd7b9487fff006ebc3
SHA5125919bc7a89d47b3aa6702c522c3240c2c272becd462e34f08c9cc8f318cfee2fc89beff3bb0577aefaeadaef9e408933f6daa8c27958089af101c9af32bde151
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\dbghelp.dll
Filesize1.2MB
MD5a05345eec5a0724c78550a102593a803
SHA1e4a9777af26a150e92d75d730344db3e30d2f481
SHA2564437f788b0feab37721eff4069cc42e3941e8d4e44b9d42480b9d0b3466494ac
SHA512add11102feb2b60fca720a844c75d0e80a83dddb05764ef01b9132881680e94f876a5da3ae1a6063cec45929611dacf5507a7243571f6cff7334723bc2198fd7
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\dbghelp.dll
Filesize807KB
MD573b4b75e8ab57b4826ae37434ddc6e71
SHA1038a1746a41a040bb8a1d66de6494a1e2e2cbb68
SHA256bf3c7d4ce50f80f2a10076f32cf9310f70ab7a847ca3cd80030c71a092e80e0c
SHA512f719714e92ccdc71ab24fe44629f3d2c95d629aa180191a67fe259c28026cce096011474361c56caad5c5f8bb4b26bcc9ec7b977e648ab16cf93b0286c62f23a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\opera_package
Filesize16.5MB
MD5ef24d9ea54bc2e91a12b9e18b57191c1
SHA1953cfb323c8553ba53c6b8c67fdd5d2123a1eba1
SHA25606fa294a806e2860e30043e89d5e34ed9a176d126eda63777f83aaec9b8e918c
SHA512ccc59403ecac95259b97e74d43d7ec6ac72c591fb98cad3b320e2e8724ad6cb1c9eef29d328569667b3bd1859ba4efa0d3b25e5a2137a74a75768aa166f70d03
-
Filesize
457KB
MD52c19e573001b16c221065edc3e7b8b41
SHA18dfb9ea571882949d0364ad429261980b0bde784
SHA2564c3929f3e2d68677759a3fd30ca701f884f7c76eb37af42b112e3960491d5801
SHA512a5099a7ccb428573334c8bcefa42448589124f3d1b92e47cd70e3aa7348a2ab98d172b56b183c3d46c896cef4919f38dbc64420ced5b152b6aa02559c7fd5375
-
Filesize
1.1MB
MD50551f7eb5a45268efa4882cadf5d0f4f
SHA153aa3eda93cc8dffb7e3fbf585e3fdb9e21c7d71
SHA256f8dfa02038a056f1ebf9ff0c25674c6c7764c3cda82a966922ba5d5d800d4e29
SHA512e197f663e3263814f74e7d41ced582adff9685f13618dacad3012b0d3db57603c3d758b245685584ba42204b1cd6b5db2bbe5d9dd59cf2a0af4376f3db9b1378
-
Filesize
326KB
MD5bdc1cd113d90fd65ff5240720d4398ef
SHA19f7cede45b8fe9c31b9c6b5692b6fcfc70d332f0
SHA25626b777deb343efb65c25c716dfe1862258c3b19d762754d30bfe87e79c7c5732
SHA5121bd592f2ab74d6a08a6a52d90691652ce04361524700ab97ccb85e2be8b651904056d4fd34cab31a97d1765149de6cf7724772be00be7f8a248ef6c1782059b8
-
Filesize
188KB
MD56eb11c216165ddc393e5335a53c1ba85
SHA1f27df15f40bbe7e9df1fe0e987a33ea4b37ada30
SHA256dca2fbece79c684ad074bac073171e8e44d4b97356d6daa81b7770dd954d5e37
SHA512b03c49977105f6efc48c3a850c9848073ed54cde6508805be009aa76f65fcee6fafc9dd8a3f1f610e8fa5ba0d1b601535b925c01f64919d55979c631d7e473f6
-
Filesize
613KB
MD5c023da23536d39e32d29184f1a6540d0
SHA1a9b20005a2a8f34c1aac9bf849b2c22ec11d6c7c
SHA256f29dbf269e20955d86afd11d06ae3785d4f0246f5157adbea706a51f869c6b12
SHA512447c9b8b30481a1b2704c327b86309dc8b515e4894b42c99a759dc96da4abd340d4643b92e2cded1be4c3b2390dffa41fd751de9da0933215e829e97ea1dc680
-
Filesize
514KB
MD5d34aba3507407dda596c187c2cb01179
SHA199f8d473c7fa4db50ebb564e8dab7562cd199289
SHA2563f13121c2dbc3839c1138ffc40d823e338706bcdecf98fcdc4b9bc6309d11cce
SHA512f4cbd0d79b91f68a11d2041e2c2582bdd018046e58d974b97065c7cd0b057ac3b0017e34924c2a40acdb60231a167e0157e9055eb15b9497df34793c5568772a
-
Filesize
521KB
MD557ed06b82563f3a793a0c1854da3adc2
SHA188dff0aa6bbb675abc8096ad6918249352ef4cb7
SHA256d61c5972b5a68c9bfd63a9fd2b17ae0980f8dbec233e700e70ff6bb2beb0d6aa
SHA512ced927e46cc577f5b14ff3c44e7270dc857cfd17ebf2b28d2bc3d47d35ce8932a6498343401a696b83edfc0add3a43cf5db6a8ae7427606ad475202937777a23
-
Filesize
580KB
MD5bc3fde52b560592f09a8b29afe3b5e88
SHA188d27d3148a99c473a60c78c8cde194c49bc1b71
SHA25680bdbc7555d9fcc80d959cb45d354c60cda8e8b4f902af834a04eb2a8340924f
SHA5125a00eed6a8d8a8952c5d9814665082c46b80402854ac4719c07914a9af8b17558435b470a382d815088c933ce3bd1cded7b9fdde130bdda810ef80ab84b41552
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
690KB
MD5085aca27fe0b6d4c479500fb4a586129
SHA188e775fab99e3bc02e2bc44b0171b8a70cc5f9a3
SHA2566cdeb9602e2346ea8c4b86eaf32bf07dea3350a9fa4ae99f5c15fcde96055cb7
SHA512a7d37e57f1421a8b407204aad3089995dd2eb6fc03a37dbb0f2b8a3c387143f55e1e41c04059db265f330e96fd17d8d7c56bfc4398810b90b69cbe59e156339b
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
21KB
MD52b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
Filesize
200KB
MD54daa194c9f29f77b6a97afcc50793020
SHA1fa03fe3b16bc39ca17366c7b22bd71d0693cbf6f
SHA256421f8d69e9d99d7e447bae84e0574e19c9210c6f6121944408be0669aa63c56e
SHA5120638935945b3c181b59bda9dc13e53fc88cbbabe046af0460049f6e89688a9cd4e67783b93002330aa94cd25a04db492e1791bad4cc6c634ab6975affd63ba05
-
Filesize
40B
MD5c5c43f0e3d972dd1e7a2185f4f848728
SHA15a5d91e820d252fb9a796ab9b24ff367dc9a0dd0
SHA25651f318280f0ca9126f1b3f20586908c12bfa47719aae4884cfd4d8b5d827d80c
SHA5128f9e093fe3a6c695df112d649e9c0e0a253f7b24f1429ae5b93ff06f8cff93b481d4cb7229073d366f5c73d344ede83376f7e0c948bdc3a9ddcd04f2cd6c6168
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
553KB
MD5fb7eac191e9c9b750d2039ec79edea19
SHA1296c528bf34dfa3444e8b11d63cfe3956431fcd0
SHA2561e5d6444bfabff040a71e0d656452e1050034523a96a454e7e9ca14af53825b9
SHA512ac90fd6e17cf0fd03029e348f1c604f4748c32ad52fa7b3fcb92fb181ac1e6754e7312444c7a9598cae19b91e296866b2a4f680280b78e178c8164c19de9bd29
-
Filesize
595KB
MD5f4fe0f9c69dbcdf0ecccf0e8f92e6895
SHA1fada96c7107c270cc30462c95ff60747f0a999a8
SHA256341de9c61303397763325e9ef5633bb74f8dabcfaaa8f79791f488bc180e425a
SHA5121267c5cc297004d4c628e32744283360b77e94e028b6e3f715ca7a13d49709775642b913e322141bd32e50ceb4f1e149d361f258b368cf5b0967afed39ff5083
-
Filesize
674KB
MD52b1ee4ff451d7fc5fac73c16956b9da2
SHA1cd488bdeaa9ad3ba68e3cedee2b3d7c3120cbfe1
SHA2562086fb1cdf52179c52dd7afdd29a9fae503defd979e721f447d48ed9b85c6f0b
SHA512aa94cf386dc51b5be9d551bb5462c234c0f7c0193a74286909020ba6bb86e226da26f01e1c90c322f72d372d2ca4fca11445bbfbec658f4006c85cf46e783590
-
Filesize
2.0MB
MD5328adf79d56fef9b88089e2ccb17c8a0
SHA135a90318f8ab8ec3f99ca37b9d4b212e78867420
SHA256d8e189e63bbe2fe65b973190b5ed8dbad9e7e90d2a086cfc0f1745c3d06e525b
SHA512f16e15cf2f1012ceeba6017590e5f5fa3aec4a6441b29df6808d4f68fdbca4201d53c25aca84cba9549fff052864a5ec7ff7dc9022bd75e07fa4e9b5c8284667
-
Filesize
701KB
MD5c8e4562ad2c711911eb62a3f186114fa
SHA1e01922e5921dbc03ddd251bf9588ed8e4561158f
SHA25623d782c4c411f5bef4e97f13de9a831bf3d8e4cdae8258437824022364780230
SHA512b2c146020d75d24514c7a77fe010c936871c09c69ef3cc32b94c06ae43f0f8047607dbec9c078b8d168352251ea45ecbcb15b20b252ad8f90a2f10eadfc62789
-
Filesize
704KB
MD578441713602f8860f76dcb726d35c787
SHA1be11ed46be79a6bf22290a887cc289d7a9bdeb48
SHA25699e1a8a9641c7592de2101ed1de297d37226036e29f7839ca93c7ad5409a60af
SHA512ab23f06273f4337c2ec0bb8ee53c736cfb93b6b58bb700a43c969be7c233881474afca360d21bad952a0f19f25ee8cb675f8ea7cce1e9f0f41c41033f12baef6
-
Filesize
4.1MB
MD5fbd8c3441a6860996d762513c9db1bc9
SHA1bf1c2916cec7eeb327d0857a1f484268425a7239
SHA256dbdc20d075f94e8979dd5a75f6a26b47d60de1e88552bfda1805abab08f6454a
SHA512c516760a64d2a5c166ba6cc14cda4b558c2f9db53465a98bfc50cc78c9a237809cb7a725f6e987ce32c93f8c49e6f1c1135fe7995bfd47df2c71030842ff6216
-
Filesize
298KB
MD5fa09deca29c8def396ad17def1f710c2
SHA1f1e4666e4af21b6bb582f78ebb2a906e07b8c00a
SHA2564ad7baa7a04d0b7bef58f04306b8d3169cce563d78faeea6e52863cb7ccacec8
SHA5124a21d5398e6741d2bd223a0bd44fd97b8f5a4f704828e76570fe27b5307b4496252b78ace3d7f051212ae0a8fb9388c769b4d2175f40c653db6d2d5767661667
-
Filesize
225KB
MD51cd875544d51cdd655b372af893d6e03
SHA122285b2b0df7560bf7537ff949c95a3dc1133487
SHA256d890bb3b35496f1afedb0b4c70c6483754cb39cd5e827f3cd7eaa94768a799c5
SHA51271f8f6e9539e573d6abd711af178ac7e74a62eb92dad9573e881bb66f42042dcab6fd0417e70cc59579739e8b2f75ef51d5ff5ca92023a6edc6b87ca761d6475
-
Filesize
101KB
MD53f177eb6160b21c77931f37eb4da249e
SHA10ac6a8346e8bf85f4c9c531d7866ac6fe58b811e
SHA25689fc22e29a4d34aa72c1b75d8c7be6b6ce75a215040eccd9dec0cf3ce49522d9
SHA512b4c1fe2d2ae69838210404ea5ef8db0a65999c176f0593801998e59b0c0732171c4ab45a81d10438618e65664321f4e9fa30748ad110b8e248d613c6492d6772
-
Filesize
132KB
MD599dc1fb590df169c7dff4596d46a6f19
SHA132767dade36b24dd34a04cebd2f1e5366ae61eba
SHA2562cec22223b6529340e813d7364a8e04a98de90c7a59edfcd6a1ce4a880c314fd
SHA512ef98844d7ff3620394f1a82cd70afd9991e4d627893eae4895458d59e39c4a356add055b9229d89f294e30db853332fe3e8e0f532d0781c9937bebfb8edddf71
-
Filesize
647KB
MD5c29edf70ca66aed33e5d32af65cab58d
SHA168351f4081266811fa9e6eb03075e2e758719db6
SHA25606968cc02de53f5cfd358eb7658060bb570bc730eabe2fa4a6b86608a1fc48af
SHA51287817fe98a170e58195cb341ea2d819d59e2072594099506a68d483c34549fd4a68ce8864491a5c84befff26a3b4da6c8239ef8b131feb93af3015f1808f8487
-
Filesize
403KB
MD5ddb6e4f97e34da07d4293acd123511ed
SHA1aaf50ed5f5cf3b68aced7c01870c3b68160b9844
SHA25641161aed1471a9797e188c10f813ade74f647238a725ea7ff2dfad98952d391d
SHA5129dd4c4495cf5080e2546e442d9d7f842a644e344b9831d6692daec1f3dfe1866f53f071ee88a5036944472de1b3f74188a65d98aada135b4336bba78b184d515
-
Filesize
172KB
MD538783b735530ec3595f8cfc57704e0a4
SHA1297d2424423506702a6f42fff06b37a89a9fc8e6
SHA25695d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d
SHA512980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD57641e72088cb15d3865ac77640f5af74
SHA1c5fdd4d5f43029d1063e896a3a4c5d142e208275
SHA25678241c158fcca49f32f07d992e5e6b7a13ba30e5c2596af7347a8f562919f150
SHA512ec08092c05613f0a09e56d6e7bb6ad7758716d470f4b2a98ecd95b6773fd39cbe9331e7e92ddb7d5ff3d5e5e7d09c2626fc5a7b3b3951ae1cf7762f0ac7c18e5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5a7d8ecca447a85ae41d88113bbba989f
SHA1caad5c09ea968ae23cbae1d4c39bef4728934500
SHA256e5215e33c62c9516700fdcff44718a40407f984dcc69f08cb20c06c3b43737c8
SHA512d1bc09c7cff479e80bcf529bffa99f9f74c8cd0b9e8233325a1dc9dc4dffe70444f394eef19a46ae5cccdd5108b83fce456492e24b9f95d2764002406aaba131
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5ae847fdc4f3c7dc40f563818a051061d
SHA1791b6e5c9e3232791295ec34bcbc863b50bf9242
SHA25604557025d7ebfcb50d2c6da4fb10488e7bea1c9d2f0cfabb2fc2082503a89534
SHA51201b0a8a7e2cc85e30416a869f52e08b76bd694b62fbdea8fcc326faaa3e6248c9a010ab3ec9a0136d8ba6ddf4024e3e6bef8e50a399e75a896b2e956d5a46da8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD57da14cc45752b1b12c596afad3d79458
SHA1502d02daefe7845acaebd301cf00db8ff17f1c57
SHA256d020102224aac8e07a9aa74b8d634eb92bebfd3957694262a0a080d970324ffd
SHA512c305c09b9d437fb9e9de89c4dc517cecfc07d1099d9ab424b92450277c5ab3f10240eb09625b475cff8673f78f54b548238c2b3199b4f956496f81304fa6f1a0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD56484058066d06ffb003dca57950147e6
SHA1c76f54ad2a32b6082b6e9b584f894244a52c0910
SHA25632025681920f823ec2ed527a59507658a3437c2f92f803978f2f3ff1045d38f4
SHA512612ae7c7706292d6743077658abc298cda3f10fb37e447c96a6ebb938aaa9386c35a73ff29546e2bb8fb515add00fb6a6443321c80b89a0194d8ac0068e3a434
-
Filesize
1.6MB
MD5cf408c1e1d45558c26ecb829483557ac
SHA17828aa5da21ec627b8707abbb5c8801ef674f73e
SHA25693f006af9a8e6bc4ec0e8bf8f5bb09a1c196e4c69f117a9f7174b1d1965eb68f
SHA5120290122f969d3d73a37bb0179f4ace9479e117ef3b684be2f52eac971cfbdf7386f741af6055095416972e7ff0c70bae3cfe6fb5d4226f60f6023889fda39c0f
-
Filesize
1.1MB
MD5aeaef55e36e8d3a0614e3ba13f7f5306
SHA19aa7faf649ff4254899e152be2e3a7ffc7857105
SHA25612e17f1943f7df27d07d8b73aedd3774cde829ccb3619a60de7878d8c9136a3a
SHA5120111b6911dd670f340f6d3f1903823eebee2bc60e23f806d15f017c01cf44c36dd58429362276b78b837f270427c93ff2f614750e1d9a47044337d9c9b0e36cc
-
Filesize
874KB
MD505becb88f11ad383f0349263d6d63200
SHA1fbd286fc2764b52934a68900a416d6e2aab49e5b
SHA2560830be2e292e76f7073ed56b706e80f3c923dcf100ba9503e1ef13cd5debfafa
SHA512d1223bc7201732dcacad4fe0513834155b2f2104cbc5f82bc6b2fdb30f414394cde283b16887f534f11189dc6f0df8f2095df8557bef1a055eee9b75003156ba
-
Filesize
108KB
MD58d1cc6975dc8a7f89e38203f1eb34df1
SHA1584aab721b9a467a4fb99600396caf64830d022a
SHA256fbbaf09b4be45a52d54fb44b2c0f82c10b884696d41ae43f82647f97af02edbc
SHA5122f7026156da8df831312f8dd9f9b6337c2e5c8f3568a3b56384b51a80108cfd5c1f0631c1166cf9b8644e237550bbaf372ae7b97b79a6ec0116c7fe8eae822f4
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
1.7MB
MD5eee5ddcffbed16222cac0a1b4e2e466e
SHA128b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA2562a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA5128f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc