Analysis
max time kernel: 74s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-03-2024 14:19

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240221-en

General
Target: file.exe
Size: 4.1MB
MD5: 723ae6ee64497f45e3eb194dc928489c
SHA1: 9e6e4e5816ee069e0d18bcb132d176df9949d165
SHA256: c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
SHA512: 488accf660b9541f37bf6fc38ad479347a985be42bb765ea3fce0005f28f5ee42b3fa356a077df2836b07a2344d567a9f3b79289129b3a2ba80cc1241ebb180c
SSDEEP: 49152:36glmRKCncrCQV+8bjrajELExlb0zuFHQLNJYZI06m94H:nOOLSx9+UY
Malware Config

Extracted: stealc
http://185.172.128.145
url_path: /3cd2b41cbde8fc9c.php

Extracted: smokeloader
pub1

Extracted: smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php

Extracted: djvu
http://sajdfue.com/test1/get.php
extension: .wisz
offline_id: 4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url:
  http://sdfjhuz.com/dl/build2.exe
  http://sajdfue.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Signatures

DcRat 9 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019 capable of loading additional plugins.
Note: the nine IoCs matched here are generic persistence artefacts (startup-folder .bat files dropped by regsvcs.exe, schtasks.exe launches, a certificate-store key created by powershell.exe). No DcRat configuration was extracted (only stealc, smokeloader and djvu configs above), so treat this family label as low confidence.
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXE7BplJnOvLoBPuJgzWqDdd.bat | regsvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MrCh6LTxuAUYHkXUVPJUkWqj.bat | regsvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acCvIQIZt1RlxaP49liPXtwA.bat | regsvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z7H8NHbFaHbruCtYhnWdBDJL.bat | regsvcs.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\SystemCertificates\CA | powershell.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TPPLqD6M1vwXzKOxY6sV2QJZ.bat | regsvcs.exe
pid | Process
5708 | schtasks.exe
5696 | schtasks.exe
5576 | schtasks.exe
Detect ZGRat V1 2 IoCs
resource | yara_rule
behavioral2/files/0x000b0000000232af-505.dat | family_zgrat_v1
behavioral2/files/0x000b0000000232af-510.dat | family_zgrat_v1
Detected Djvu ransomware 3 IoCs
resource | yara_rule
behavioral2/memory/552-444-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/552-446-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/552-450-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 10 IoCs
resource | yara_rule
behavioral2/memory/4024-63-0x0000000003E80000-0x000000000476B000-memory.dmp | family_glupteba
behavioral2/memory/4024-73-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
behavioral2/memory/4024-160-0x0000000003E80000-0x000000000476B000-memory.dmp | family_glupteba
behavioral2/memory/4024-161-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
behavioral2/memory/4024-279-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
behavioral2/memory/4024-297-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
behavioral2/memory/5324-308-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
behavioral2/memory/5324-347-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
behavioral2/memory/5324-433-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
behavioral2/memory/5324-457-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
3960 | netsh.exe
Drops startup file 5 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TPPLqD6M1vwXzKOxY6sV2QJZ.bat | regsvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z7H8NHbFaHbruCtYhnWdBDJL.bat | regsvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXE7BplJnOvLoBPuJgzWqDdd.bat | regsvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MrCh6LTxuAUYHkXUVPJUkWqj.bat | regsvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acCvIQIZt1RlxaP49liPXtwA.bat | regsvcs.exe
Executes dropped EXE 10 IoCs
pid | Process
3612 | pdlfWc1qvU3mR8y8YECekgzX.exe
4024 | VDOzkYNnEOAD6NUHUIHRJhTN.exe
1988 | pdlfWc1qvU3mR8y8YECekgzX.tmp
4088 | j1QBZ2MSXVaisVyrSyNaaKIZ.exe
4468 | syncUpd.exe
3148 | aWmYJWP6LEVkakquUiWDAwDX.exe
736 | emeditorfree.exe
5016 | emeditorfree.exe
692 | BroomSetup.exe
5324 | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Loads dropped DLL 5 IoCs
pid | Process
1988 | pdlfWc1qvU3mR8y8YECekgzX.tmp
4088 | j1QBZ2MSXVaisVyrSyNaaKIZ.exe
4088 | j1QBZ2MSXVaisVyrSyNaaKIZ.exe
4468 | syncUpd.exe
4468 | syncUpd.exe
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
1716 | icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
UPX packed file 12 IoCs
resource | yara_rule
behavioral2/files/0x0008000000023281-153.dat | upx
behavioral2/memory/692-155-0x0000000000400000-0x0000000000930000-memory.dmp | upx
behavioral2/memory/692-243-0x0000000000400000-0x0000000000930000-memory.dmp | upx
behavioral2/files/0x000a0000000232b4-632.dat | upx
behavioral2/files/0x000a0000000232b4-634.dat | upx
behavioral2/files/0x00090000000232bb-652.dat | upx
behavioral2/files/0x00090000000232bb-658.dat | upx
behavioral2/files/0x00090000000232bb-664.dat | upx
behavioral2/files/0x00090000000232bb-671.dat | upx
behavioral2/files/0x00070000000232cc-674.dat | upx
behavioral2/files/0x00090000000232bb-683.dat | upx
behavioral2/files/0x00090000000232bb-694.dat | upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 152.89.198.214
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
28 | pastebin.com
35 | pastebin.com
133 | bitbucket.org
134 | bitbucket.org
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP. api.2ip.ua is the geolocation lookup STOP/Djvu performs before deciding whether to encrypt, so these flows line up with the djvu config extracted above.
flow | ioc
109 | api.2ip.ua
111 | api.2ip.ua
Drops file in System32 directory 3 IoCs
C:\Windows\SysWOW64\config\systemprofile is the profile of the LocalSystem account, so these writes show the 32-bit powershell.exe instances were running as SYSTEM by this point in the chain.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3080 set thread context of 2392 | 3080 | file.exe | 97
file.exe (PID 3080) sets the thread context of the regsvcs.exe child it started (PID 2392, process index 97) after the repeated WriteProcessMemory calls listed below: the pattern of process hollowing into a signed .NET framework utility.
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
5672 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
5972 | 4468 | WerFault.exe | 111
5248 | 776 | WerFault.exe | 155
NSIS installer 1 IoCs
resource | yara_rule
behavioral2/files/0x000700000002326a-79.dat | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aWmYJWP6LEVkakquUiWDAwDX.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aWmYJWP6LEVkakquUiWDAwDX.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aWmYJWP6LEVkakquUiWDAwDX.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | syncUpd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | syncUpd.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5708 | schtasks.exe
5696 | schtasks.exe
5576 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Two processes account for all 64 entries: VDOzkYNnEOAD6NUHUIHRJhTN.exe writes time-zone display names into the MuiCache of the .DEFAULT hive, and powershell.exe creates certificate-store and Internet Settings keys under HKU\.DEFAULT, the hive of the LocalSystem account (consistent with the systemprofile writes above).
MuiCache prefix, written as <MuiCache> below: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll
description | ioc | Process
Set value (str) | <MuiCache>,-602 = "Taipei Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | <MuiCache>,-911 = "Mauritius Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-752 = "Tonga Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Set value (str) | <MuiCache>,-441 = "Arabian Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-721 = "Central Pacific Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-251 = "Dateline Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-2591 = "Tocantins Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | <MuiCache>,-41 = "E. South America Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-772 = "Montevideo Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-1501 = "Turkey Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | <MuiCache>,-448 = "Azerbaijan Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-1662 = "Bahia Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-452 = "Caucasus Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-262 = "GMT Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-2412 = "Marquesas Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | <MuiCache>,-1021 = "Bangladesh Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-451 = "Caucasus Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-682 = "E. Australia Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-332 = "E. Europe Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-1042 = "Ulaanbaatar Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | <MuiCache>,-2792 = "Novosibirsk Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | <MuiCache>,-511 = "Central Asia Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-1721 = "Libya Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-2871 = "Magallanes Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-681 = "E. Australia Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-2632 = "Norfolk Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-931 = "Coordinated Universal Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-401 = "Arabic Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-151 = "Central America Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-171 = "Central Daylight Time (Mexico)" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-572 = "China Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | <MuiCache>,-2001 = "Cabo Verde Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-232 = "Hawaiian Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-1821 = "Russia TZ 1 Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | <MuiCache>,-2531 = "Chatham Islands Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-51 = "Greenland Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | <MuiCache>,-211 = "Pacific Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-242 = "Samoa Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | <MuiCache>,-1832 = "Russia TZ 2 Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-122 = "SA Pacific Standard Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Set value (str) | <MuiCache>,-201 = "US Mountain Daylight Time" | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 entries (the list is capped at 64) are repeated hits from five processes, in the order they were logged:
pid | Process | hits
1428 | powershell.exe | 3
1988 | pdlfWc1qvU3mR8y8YECekgzX.tmp | 2
3148 | aWmYJWP6LEVkakquUiWDAwDX.exe | 2
4468 | syncUpd.exe | 2
3372 | Process not Found | 32
4468 | syncUpd.exe | 6
3372 | Process not Found | 2
4468 | syncUpd.exe | 15
"Process not Found" means the monitor has no creation record for PID 3372, so it does not appear in the process tree below; the same PID shows up as the parent of cmd.exe (PID 968) in the WriteProcessMemory list and holds SeShutdownPrivilege/SeCreatePagefilePrivilege, so it is a process that was already running when monitoring began.
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
3148 | aWmYJWP6LEVkakquUiWDAwDX.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1428 | powershell.exe
Token: SeDebugPrivilege | 2392 | regsvcs.exe
Token: SeDebugPrivilege | 4732 | powershell.exe
Token: SeShutdownPrivilege + SeCreatePagefilePrivilege (4 times) | 3372 | Process not Found
Token: SeDebugPrivilege | 4024 | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Token: SeImpersonatePrivilege | 4024 | VDOzkYNnEOAD6NUHUIHRJhTN.exe
Token: SeShutdownPrivilege + SeCreatePagefilePrivilege (1 time) | 3372 | Process not Found
Token: SeDebugPrivilege | 5584 | powershell.exe
Token: SeShutdownPrivilege + SeCreatePagefilePrivilege (2 times) | 3372 | Process not Found
Token: SeDebugPrivilege | 1300 | powershell.exe
Token: SeShutdownPrivilege + SeCreatePagefilePrivilege (1 time) | 3372 | Process not Found
Token: SeDebugPrivilege | 5328 | powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1988 | pdlfWc1qvU3mR8y8YECekgzX.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
692 | BroomSetup.exe
Suspicious use of WriteProcessMemory 64 IoCs
The 64 entries (the list is capped at 64, so later parent/child pairs such as the csrss.exe children are not listed) collapse to the following parent-to-child writes; "count" is how many times the same pair was logged and procid_target is the sandbox's process index for the child. PIDs are reused during the run (968 is both cmd.exe and, later, windefender.exe; 5672 is both powershell.exe and sc.exe), so identify processes by index, not PID.
pid | Process | wrote to | procid_target | count
3080 | file.exe | 1428 | 95 | 2
3080 | file.exe | 2392 | 97 | 8
2392 | regsvcs.exe | 3612 | 103 | 3
2392 | regsvcs.exe | 4024 | 104 | 3
3612 | pdlfWc1qvU3mR8y8YECekgzX.exe | 1988 | 107 | 3
2392 | regsvcs.exe | 4088 | 110 | 3
4088 | j1QBZ2MSXVaisVyrSyNaaKIZ.exe | 4468 | 111 | 3
2392 | regsvcs.exe | 3148 | 113 | 3
1988 | pdlfWc1qvU3mR8y8YECekgzX.tmp | 736 | 114 | 3
1988 | pdlfWc1qvU3mR8y8YECekgzX.tmp | 5016 | 115 | 3
4088 | j1QBZ2MSXVaisVyrSyNaaKIZ.exe | 692 | 118 | 3
4024 | VDOzkYNnEOAD6NUHUIHRJhTN.exe | 4732 | 116 | 3
692 | BroomSetup.exe | 5592 | 123 | 3
5592 | cmd.exe | 5684 | 125 | 3
5592 | cmd.exe | 5708 | 126 | 3
3372 | Process not Found | 968 | 131 | 2
968 | cmd.exe | 5448 | 133 | 2
5324 | VDOzkYNnEOAD6NUHUIHRJhTN.exe | 5584 | 134 | 3
5324 | VDOzkYNnEOAD6NUHUIHRJhTN.exe | 5812 | 136 | 2
5812 | cmd.exe | 3960 | 138 | 2
5324 | VDOzkYNnEOAD6NUHUIHRJhTN.exe | 1300 | 139 | 3
5324 | VDOzkYNnEOAD6NUHUIHRJhTN.exe | 5328 | 141 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
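The command lines in the process tree of this report (the Defender exclusion added with Add-MpPreference, the inbound firewall allow rule for C:\Windows\rss\csrss.exe, the ONLOGON/HIGHEST and 30-minute scheduled tasks, and the sc sdset descriptor that denies Administrators the right to stop the WinDefender service) are what a detection engineer would key on. What follows is an added example, not part of this report or of any sandbox's output: a small rule set in Python run over constructed process-creation events in the shape of Sysmon Event ID 1, whose command lines are copied from the tree, plus two constructed benign look-alikes that the rules must not fire on. The event field names, rule names, trusted-directory list and ATT&CK technique mapping are this example's own choices.

```python
"""Process-creation detection rules for the defence-evasion and persistence
commands recorded in this report, run over constructed Sysmon-style events."""
import re

# Constructed events in the shape of Sysmon Event ID 1 (ProcessCreate). The
# command lines for PIDs 1428-5672 are copied from the process tree in this
# report; 9001/9002 are benign look-alikes added to show the rules stay quiet.
EVENTS = [
    {"pid": 1428, "image": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmd": r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile'},
    {"pid": 3960, "image": r"C:\Windows\system32\netsh.exe", "parent": r"C:\Windows\system32\cmd.exe",
     "cmd": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 5696, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "parent": r"C:\Windows\rss\csrss.exe",
     "cmd": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 5708, "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F'''},
    {"pid": 5672, "image": r"C:\Windows\SysWOW64\sc.exe", "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"pid": 9001, "image": r"C:\Windows\system32\netsh.exe", "parent": r"C:\Windows\system32\cmd.exe",
     "cmd": r'netsh advfirewall firewall add rule name="Example App" dir=in action=allow program="C:\Program Files\Example\app.exe" enable=yes'},
    {"pid": 9002, "image": r"C:\Windows\system32\schtasks.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'schtasks /create /tn "ExampleUpdate" /tr "C:\Program Files\Example\update.exe" /sc daily /st 09:00'},
]

# Directories from which a firewall-allowed program or a task target is not
# by itself suspicious (heuristic: this example's choice, tune per estate).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                "winlogon.exe", "services.exe"}
FIREWALL_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?action=allow.*?program=(?:"([^"]+)"|(\S+))', re.I)
TASK_CREATE_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
TASK_TR_RE = re.compile(r"""/tr\s+"?'?([^"']+)""", re.I)   # handles "'path'" nesting
SDSET_DENY_BA_RE = re.compile(r"sc(\.exe)?\s+sdset\s+\S+\s+\S*\(D;[^)]*;BA\)", re.I)
EXE_PATH_RE = re.compile(r"""[a-z]:\\[^"'\s]+\.exe""", re.I)


def untrusted_path(path):
    """True for a program path outside the OS and Program Files directories."""
    return not path.strip("'\" ").lower().startswith(TRUSTED_DIRS)


def defender_exclusion(e):
    c = e["cmd"].lower()
    return "add-mppreference" in c and "-exclusionpath" in c


def firewall_allow_untrusted(e):
    m = FIREWALL_RE.search(e["cmd"])
    return bool(m) and untrusted_path(m.group(1) or m.group(2))


def schtasks_untrusted_target(e):
    if not TASK_CREATE_RE.search(e["cmd"]):
        return False
    m = TASK_TR_RE.search(e["cmd"])
    return bool(m) and untrusted_path(m.group(1))


def schtasks_onlogon_highest(e):
    c = e["cmd"]
    return bool(TASK_CREATE_RE.search(c) and re.search(r"/sc\s+onlogon", c, re.I)
                and re.search(r"/rl\s+highest", c, re.I))


def service_dacl_denies_admins(e):
    """sc sdset with an access-denied ACE for BUILTIN\\Administrators."""
    return bool(SDSET_DENY_BA_RE.search(e["cmd"]))


def system_name_outside_system32(e):
    """A csrss.exe/lsass.exe/... anywhere but System32/SysWOW64 is a masquerade."""
    for path in (e["image"], e["parent"], *EXE_PATH_RE.findall(e["cmd"])):
        p = path.lower()
        if p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith(TRUSTED_DIRS[:2]):
            return True
    return False


RULES = [
    ("defender_exclusion_added", "T1562.001", defender_exclusion),
    ("firewall_allow_untrusted_program", "T1562.004", firewall_allow_untrusted),
    ("schtasks_untrusted_target", "T1053.005", schtasks_untrusted_target),
    ("schtasks_onlogon_highest", "T1053.005", schtasks_onlogon_highest),
    ("service_dacl_denies_admins", "T1543.003", service_dacl_denies_admins),
    ("system_binary_name_outside_system32", "T1036.005", system_name_outside_system32),
]


def scan(events):
    """Return {pid: {rule_name: technique}} for every event matching a rule."""
    hits = {}
    for e in events:
        for name, technique, rule in RULES:
            if rule(e):
                hits.setdefault(e["pid"], {})[name] = technique
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(scan(EVENTS).items()):
        print(pid, ", ".join(f"{r} ({t})" for r, t in rules.items()))
```

Run as a script, it prints one line per flagged PID; the two benign events produce nothing. The firewall and schtasks rules deliberately key on the target path rather than on the tool, because netsh and schtasks are used legitimately all day; the masquerade rule catches the same chain a second way, since a csrss.exe under C:\Windows\rss is wrong wherever it is referenced.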
Processes
Each entry gives the image path with its PID, the command line, and the signatures that process triggered; indentation is parent/child depth.

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 3080)
  cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1428)
    cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    - DcRat
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe  (PID 2392)
    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    - DcRat
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe  (PID 3612)
      cmd: "C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp  (PID 1988)
        cmd: "C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp" /SL5="$80090,1518993,56832,C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe  (PID 736)
          cmd: "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe  (PID 5016)
          cmd: "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s
          - Executes dropped EXE

    C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe  (PID 4024)
      cmd: "C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4732)
        cmd: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe  (PID 5324)
        cmd: "C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"
        - Executes dropped EXE
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5584)
          cmd: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe  (PID 5812)
          cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\netsh.exe  (PID 3960)
            cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1300)
          cmd: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5328)
          cmd: powershell -nologo -noprofile
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\rss\csrss.exe  (PID 1692)
          cmd: C:\Windows\rss\csrss.exe

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5672)
            cmd: powershell -nologo -noprofile

          C:\Windows\SYSTEM32\schtasks.exe  (PID 5696)
            cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)

          C:\Windows\SYSTEM32\schtasks.exe  (PID 5668)
            cmd: schtasks /delete /tn ScheduledUpdate /f

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5376)
            cmd: powershell -nologo -noprofile

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1192)
            cmd: powershell -nologo -noprofile

          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  (PID 6116)
            cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

          C:\Windows\SYSTEM32\schtasks.exe  (PID 5576)
            cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)

          C:\Windows\windefender.exe  (PID 968)
            cmd: "C:\Windows\windefender.exe"

            C:\Windows\SysWOW64\cmd.exe  (PID 5884)
              cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

              C:\Windows\SysWOW64\sc.exe  (PID 5672)
                cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                - Launches sc.exe

    C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe  (PID 4088)
      cmd: "C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\syncUpd.exe  (PID 4468)
        cmd: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses

        C:\Windows\SysWOW64\WerFault.exe  (PID 5972)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 2372
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe  (PID 692)
        cmd: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 5592)
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\chcp.com  (PID 5684)
            cmd: chcp 1251

          C:\Windows\SysWOW64\schtasks.exe  (PID 5708)
            cmd: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            - DcRat
            - Creates scheduled task(s)

    C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe  (PID 3148)
      cmd: "C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
PID:3148
-
-
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe"C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --silent --allusers=03⤵PID:5888
-
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exeC:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x6e4121c8,0x6e4121d4,0x6e4121e04⤵PID:5268
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe" --version4⤵PID:1476
-
-
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe"C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5888 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311142110" --session-guid=e13e9559-45cb-4e14-84b3-b5fd697c8c06 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C050000000000004⤵PID:1672
-
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exeC:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2fc,0x300,0x304,0x2cc,0x308,0x6d9021c8,0x6d9021d4,0x6d9021e05⤵PID:5376
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"4⤵PID:6132
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --version4⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xc50040,0xc5004c,0xc500585⤵PID:6120
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:31⤵PID:5416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵PID:5892
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA7F.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:5448
-
-
C:\Users\Admin\AppData\Local\Temp\1593.exeC:\Users\Admin\AppData\Local\Temp\1593.exe1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\1593.exeC:\Users\Admin\AppData\Local\Temp\1593.exe2⤵PID:552
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b252c0fd-10e5-4d1b-8086-868448a9ca5f" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\1593.exe"C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask3⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\1593.exe"C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask4⤵PID:776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 5685⤵
- Program crash
PID:5248
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4468 -ip 44681⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\38AC.exeC:\Users\Admin\AppData\Local\Temp\38AC.exe1⤵PID:5256
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:5300
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 776 -ip 7761⤵PID:4080
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:4156
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Impair Defenses (1): Disable or Modify System Firewall (1)
Downloads