Analysis
max time kernel: 126s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-03-2024 15:20
Static task: static1
Behavioral task: behavioral1
Sample: New.exe
Resource: win7-20240221-en
General
-
Target
New.exe
-
Size
4.1MB
-
MD5
723ae6ee64497f45e3eb194dc928489c
-
SHA1
9e6e4e5816ee069e0d18bcb132d176df9949d165
-
SHA256
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
-
SHA512
488accf660b9541f37bf6fc38ad479347a985be42bb765ea3fce0005f28f5ee42b3fa356a077df2836b07a2344d567a9f3b79289129b3a2ba80cc1241ebb180c
-
SSDEEP
49152:36glmRKCncrCQV+8bjrajELExlb0zuFHQLNJYZI06m94H:nOOLSx9+UY
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Extracted
lumma
https://wisemassiveharmonious.shop/api
https://colorfulequalugliess.shop/api
https://relevantvoicelesskw.shop/api
https://associationokeo.shop/api
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Glupteba payload 8 IoCs
resource | yara_rule
- behavioral2/memory/3528-113-0x0000000003E30000-0x000000000471B000-memory.dmp | family_glupteba
- behavioral2/memory/3528-114-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
- behavioral2/memory/3528-224-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
- behavioral2/memory/3528-263-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
- behavioral2/memory/2980-286-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
- behavioral2/memory/3528-339-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
- behavioral2/memory/2980-380-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
- behavioral2/memory/2980-438-0x0000000000400000-0x0000000001E16000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
- 3936 | netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | B6B9.exe
Drops startup file 6 IoCs
description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQEHk30ZCMF08XA6daA7M7mV.bat | jsc.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2Qbi460fuk6Day3HEHsDNBYs.bat | jsc.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UALiPn0bEEMgv8iaZ5bhcts4.bat | jsc.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLnXuyKCBXc85u8ujglpVXLa.bat | jsc.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qHjZKfbREOgWY8Ov407cinWj.bat | jsc.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DcqKfeiXWi0YyYCA0mKO1MmI.bat | jsc.exe
Executes dropped EXE 27 IoCs
pid | Process
- 3720 | B073aAZciSwTQAxr1ovu1jw3.exe
- 3528 | kBjYDo1GDKG36UlP3F94uh9M.exe
- 4744 | B073aAZciSwTQAxr1ovu1jw3.tmp
- 1188 | riroEZURknx6pNzdF5Mq9Zec.exe
- 1580 | emeditorfree.exe
- 1984 | emeditorfree.exe
- 4832 | 8knxBMfGnop5OTwevXH2AlNE.exe
- 2460 | syncUpd.exe
- 2284 | BroomSetup.exe
- 2980 | kBjYDo1GDKG36UlP3F94uh9M.exe
- 1224 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 4876 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 1244 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 4712 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 3220 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 2496 | csrss.exe
- 4264 | Assistant_108.0.5067.20_Setup.exe_sfx.exe
- 1216 | assistant_installer.exe
- 2408 | assistant_installer.exe
- 4688 | injector.exe
- 4324 | windefender.exe
- 1520 | windefender.exe
- 2204 | B6B9.exe
- 2436 | B6B9.exe
- 2244 | B6B9.exe
- 624 | B6B9.exe
- 4080 | D639.exe
Loads dropped DLL 14 IoCs
pid | Process
- 4744 | B073aAZciSwTQAxr1ovu1jw3.tmp
- 4832 | 8knxBMfGnop5OTwevXH2AlNE.exe
- 4832 | 8knxBMfGnop5OTwevXH2AlNE.exe
- 2460 | syncUpd.exe
- 2460 | syncUpd.exe
- 1224 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 4876 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 1244 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 4712 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 3220 | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- 1216 | assistant_installer.exe
- 1216 | assistant_installer.exe
- 2408 | assistant_installer.exe
- 2408 | assistant_installer.exe
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
- 4392 | icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
- behavioral2/files/0x0008000000023244-158.dat | upx
- behavioral2/memory/2284-163-0x0000000000400000-0x0000000000930000-memory.dmp | upx
- behavioral2/memory/2284-266-0x0000000000400000-0x0000000000930000-memory.dmp | upx
- behavioral2/files/0x0007000000023264-328.dat | upx
- behavioral2/files/0x0007000000023264-334.dat | upx
- behavioral2/files/0x0007000000023264-343.dat | upx
- behavioral2/files/0x0007000000023264-352.dat | upx
- behavioral2/files/0x0007000000023272-355.dat | upx
- behavioral2/memory/1244-362-0x0000000000750000-0x0000000000C88000-memory.dmp | upx
- behavioral2/files/0x0007000000023264-364.dat | upx
- behavioral2/files/0x0007000000023264-370.dat | upx
- behavioral2/memory/3220-436-0x0000000000370000-0x00000000008A8000-memory.dmp | upx
- behavioral2/files/0x00070000000232d9-698.dat | upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | kBjYDo1GDKG36UlP3F94uh9M.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6\\B6B9.exe\" --AutoStart" | B6B9.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\D: | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- File opened (read-only) | \??\F: | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- File opened (read-only) | \??\D: | GQJk1dwoGxDl5nhQbEOSw2DU.exe
- File opened (read-only) | \??\F: | GQJk1dwoGxDl5nhQbEOSw2DU.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
- 17 | pastebin.com
- 19 | pastebin.com
- 185 | bitbucket.org
- 186 | bitbucket.org
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 162 | api.2ip.ua
- 164 | api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
- File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
- PID 3672 set thread context of 2336 | 3672 | New.exe | 90
- PID 2204 set thread context of 2436 | 2204 | B6B9.exe | 168
- PID 2244 set thread context of 624 | 2244 | B6B9.exe | 173
- PID 4080 set thread context of 4592 | 4080 | D639.exe | 178
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
- File opened (read-only) | \??\VBoxMiniRdrDN | kBjYDo1GDKG36UlP3F94uh9M.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\windefender.exe | csrss.exe
- File opened for modification | C:\Windows\rss | kBjYDo1GDKG36UlP3F94uh9M.exe
- File created | C:\Windows\rss\csrss.exe | kBjYDo1GDKG36UlP3F94uh9M.exe
- File created | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
- 4040 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
- 4308 | 2460 | WerFault.exe | 103
- 3132 | 624 | WerFault.exe | 173
NSIS installer 1 IoCs
resource | yara_rule
- behavioral2/files/0x000700000002323a-121.dat | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | riroEZURknx6pNzdF5Mq9Zec.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | riroEZURknx6pNzdF5Mq9Zec.exe
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | riroEZURknx6pNzdF5Mq9Zec.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | syncUpd.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | syncUpd.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 3128 | schtasks.exe
- 960 | schtasks.exe
- 2276 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
- 1188 | riroEZURknx6pNzdF5Mq9Zec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
- 4744 | B073aAZciSwTQAxr1ovu1jw3.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
- 2284 | BroomSetup.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
- 3428 | Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child depth recorded by the sandbox)

C:\Users\Admin\AppData\Local\Temp\New.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3672

  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3192

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2336

    C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe
      Command line: "C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3720

      C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp" /SL5="$801E2,1518993,56832,C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 4744

        C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
          Command line: "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i
          - Executes dropped EXE
          PID: 1580

        C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
          Command line: "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s
          - Executes dropped EXE
          PID: 1984

    C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
      Command line: "C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3528

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 380

      C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
        Command line: "C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID: 2980

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 3972

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID: 1380

          C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall
            PID: 3936

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 960

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 2776

        C:\Windows\rss\csrss.exe
          Command line: C:\Windows\rss\csrss.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Manipulates WinMonFS driver.
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          PID: 2496

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            PID: 1860

          C:\Windows\SYSTEM32\schtasks.exe
            Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - Creates scheduled task(s)
            PID: 960

            C:\Windows\System32\Conhost.exe
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              PID: 1380

          C:\Windows\SYSTEM32\schtasks.exe
            Command line: schtasks /delete /tn ScheduledUpdate /f
            PID: 4084

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            PID: 952

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            PID: 1672

          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            - Executes dropped EXE
            PID: 4688

          C:\Windows\SYSTEM32\schtasks.exe
            Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - Creates scheduled task(s)
            PID: 2276

          C:\Windows\windefender.exe
            Command line: "C:\Windows\windefender.exe"
            - Executes dropped EXE
            PID: 4324

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              PID: 2056

              C:\Windows\SysWOW64\sc.exe
                Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                - Launches sc.exe
                - Suspicious use of AdjustPrivilegeToken
                PID: 4040

    C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe
      Command line: "C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 1188

    C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe
      Command line: "C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 4832

      C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        PID: 2460

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1984
          - Program crash
          PID: 4308

      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2284

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 3948

          C:\Windows\SysWOW64\chcp.com
            Command line: chcp 1251
            PID: 224

          C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            - Creates scheduled task(s)
            PID: 3128

    C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
      Command line: "C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --silent --allusers=0
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      PID: 1224

      C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
        Command line: C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6e6221c8,0x6e6221d4,0x6e6221e0
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 4876

      C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --version
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 1244

      C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
        Command line: "C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1224 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311152112" --session-guid=208ae88d-0526-43b9-85ae-846938541081 --server-tracking-blob=… --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5405000000000000
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        PID: 4712

        C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
          Command line: C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2c4,0x300,0x6db121c8,0x6db121d4,0x6db121e0
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 3220

      C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        - Executes dropped EXE
        PID: 4264

      C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --version
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 1216

        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x600040,0x60004c,0x600058
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 2408

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2460 -ip 2460
  PID: 2528

C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID: 1244

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E94.bat" "
  PID: 3876

  C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID: 2888

C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1520

C:\Users\Admin\AppData\Local\Temp\B6B9.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B6B9.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2204

  C:\Users\Admin\AppData\Local\Temp\B6B9.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\B6B9.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID: 2436

    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID: 4392

    C:\Users\Admin\AppData\Local\Temp\B6B9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      PID: 2244

      C:\Users\Admin\AppData\Local\Temp\B6B9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        PID: 624

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 568
          - Program crash
          PID: 3132

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 624 -ip 624
  PID: 896

C:\Users\Admin\AppData\Local\Temp\D639.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D639.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4080

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 4592
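The `sc sdset WinDefender ...` command in the tree above rewrites the security descriptor of the service the sample installed. The Python below is an added example, not part of the sandbox report, that decodes that exact SDDL string with the standard SERVICE_* meaning of the two-letter rights and shows why a member of BUILTIN\Administrators cannot stop the service while SYSTEM can. The trustee abbreviation table and the simplified access check (`can_stop`) are the example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Two-letter SDDL rights as they apply to service objects (the generic/standard
# abbreviations map onto SERVICE_* rights for services, per Microsoft's
# service-DACL documentation). Reproduced here for the example.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that occur in the sample's command line (assumed
# resolution for the example; any other SID string is returned as written).
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# The exact descriptor the sample passed to `sc sdset WinDefender`, copied from
# the process tree in this report.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


class Ace(NamedTuple):
    ace_type: str      # allow / deny / audit
    rights: List[str]  # decoded right names
    trustee: str       # resolved account name or raw SID string


SECTION_RE = re.compile(r"(D|S):((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(code: str) -> List[str]:
    """Expand a rights string such as 'CCLCSWRP' two letters at a time."""
    if len(code) % 2:
        raise ValueError(f"odd-length rights string: {code!r}")
    return [SERVICE_RIGHTS.get(code[i:i + 2], code[i:i + 2])
            for i in range(0, len(code), 2)]


def parse_sddl(sddl: str) -> Dict[str, List[Ace]]:
    """Return the DACL and SACL ACEs of a service security descriptor."""
    out: Dict[str, List[Ace]] = {"dacl": [], "sacl": []}
    for section, aces in SECTION_RE.findall(sddl):
        for body in ACE_RE.findall(aces):
            # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
            fields = body.split(";")
            ace = Ace(ACE_TYPES.get(fields[0], fields[0]),
                      split_rights(fields[2]),
                      TRUSTEES.get(fields[5], fields[5]))
            out["dacl" if section == "D" else "sacl"].append(ace)
    return out


def summarize(sddl: str) -> Dict[str, Dict[str, List[str]]]:
    """Collect allow and deny rights per trustee from the DACL."""
    summary: Dict[str, Dict[str, List[str]]] = {}
    for ace in parse_sddl(sddl)["dacl"]:
        if ace.ace_type not in ("allow", "deny"):
            continue
        summary.setdefault(ace.trustee, {"allow": [], "deny": []})
        summary[ace.trustee][ace.ace_type].extend(ace.rights)
    return summary


def can_stop(sddl: str, sid: str) -> bool:
    """Simplified check: SERVICE_STOP is granted to this trustee by an allow ACE
    and not removed by a deny ACE. A real access check also expands the caller's
    group SIDs and walks ACEs in order; this is enough to read what sc sdset did."""
    rights = summarize(sddl).get(TRUSTEES.get(sid, sid), {"allow": [], "deny": []})
    return "SERVICE_STOP" in rights["allow"] and "SERVICE_STOP" not in rights["deny"]


if __name__ == "__main__":
    for trustee, rights in summarize(SAMPLE_SDDL).items():
        print(f"{trustee}: allow={rights['allow']} deny={rights['deny']}")
    print("Administrators can stop the service:", can_stop(SAMPLE_SDDL, "BA"))  # False
```

Reading the decoded output: SYSTEM keeps SERVICE_STOP and SERVICE_PAUSE_CONTINUE, Administrators are granted everything except those two and then explicitly denied them, and interactive and service accounts can only query. The allow ACE for Administrators still carries WRITE_DAC (WD), SERVICE_CHANGE_CONFIG (DC) and DELETE (SD), so an administrator can put a sane descriptor back with another `sc sdset` and then stop and remove the service; that is the practical remediation path when this descriptor is found on a host.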
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (2)
- Subvert Trust Controls (1): Install Root Certificate (1)
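The ATT&CK mapping above is what the sandbox derived from its signatures. As an added example (not part of the report), the Python below runs a small rule set over the command lines recorded in the process tree and returns, for each hit, the technique it supports and the evidence, plus a check for core Windows process names (csrss.exe and friends) running from outside System32. The sample command lines are copied from this report; the rules, the technique IDs and the protected-name list are the example's own.

```python
import re
from typing import List, NamedTuple

# Constructed input: command lines copied from this report's process tree,
# stripped of the tree markup.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'icacls "C:\Users\Admin\AppData\Local\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'C:\Windows\rss\csrss.exe',
    r'"C:\Windows\windefender.exe"',
]


class Finding(NamedTuple):
    technique: str
    evidence: str


# (ATT&CK technique, regex over the command line). Technique names follow the
# report's MITRE section; the IDs are ATT&CK's. The rule set is the example's own.
RULES = [
    ("Impair Defenses: Disable or Modify Tools (T1562.001) - Defender exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+\S+", re.I)),
    ("Impair Defenses: Disable or Modify System Firewall (T1562.004)",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*", re.I)),
    ("Scheduled Task/Job: Scheduled Task (T1053.005)",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b.*", re.I)),
    ("Impair Defenses: Disable or Modify Tools (T1562.001) - service DACL rewritten with sc sdset",
     re.compile(r"\bsc(?:\.exe)?\s+sdset\s+\S+\s+\S+", re.I)),
    ("File and Directory Permissions Modification: Windows (T1222.001)",
     re.compile(r"icacls(?:\.exe)?\s+.*?/deny\s+\S+", re.I)),
    ("Modify Registry (T1112)",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?[^"\s]+', re.I)),
]

# Core Windows process names that are only legitimate under these directories
# (assumed allow-list for the example).
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PATH_RE = re.compile(r"""[a-z]:\\[^\s"']+\.exe""", re.I)
SCHTASK_OPT_RE = re.compile(r'/(tn|tr|sc|rl)\s+("[^"]*"|\S+)', re.I)


def schtask_fields(cmd: str) -> str:
    """Pull task name, action, schedule and run level out of a schtasks /create line."""
    opts = {k.lower(): v.strip('"') for k, v in SCHTASK_OPT_RE.findall(cmd)}
    return ", ".join(f"{k}={opts[k]}" for k in ("tn", "tr", "sc", "rl") if k in opts)


def masquerade_paths(cmd: str) -> List[str]:
    """Paths whose file name is a core Windows process but whose directory is not System32/SysWOW64."""
    hits = []
    for path in PATH_RE.findall(cmd):
        directory, _, name = path.rpartition("\\")
        if name.lower() in PROTECTED_NAMES and directory.lower() not in LEGIT_DIRS:
            hits.append(path)
    return hits


def triage(cmdlines: List[str]) -> List[Finding]:
    """Run every rule and the masquerading check over each command line."""
    findings: List[Finding] = []
    for cmd in cmdlines:
        for technique, rx in RULES:
            m = rx.search(cmd)
            if m:
                evidence = schtask_fields(cmd) if technique.startswith("Scheduled Task") else m.group(0)
                findings.append(Finding(technique, evidence))
        for path in masquerade_paths(cmd):
            findings.append(Finding("Masquerading: Match Legitimate Name or Location (T1036.005)", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.technique}\n    {f.evidence}")
```

On this report's command lines the rules produce ten findings: the Defender exclusion for the whole user profile, the inbound firewall allow for C:\Windows\rss\csrss.exe, two task creations (the csrss task runs at logon with the highest run level; the MalayamaraUpdate task runs every 30 minutes), the service DACL rewrite, the icacls deny on the dropped folder, the HKCU\Software\clicker\key write, and three sightings of csrss.exe outside System32. The same rules apply unchanged to Sysmon Event ID 1 or Security 4688 command-line fields.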
Downloads
-
Filesize 11KB
MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 1.1MB
MD5 c472ca448e146d814ab657cc95fb0a12
SHA1 28c1c8dc0f593622a25d2fb3bfcb7c685b0145f8
SHA256 7769f42e9600973ec055bde949de805a7d30793ba12cf7d0a5bd80abf1a3409c
SHA512 bfa704c1ba79f3e9f1e5f39e2a59bacce28fdbff65028278c7b573179b203d92598ee0b08513341965cfce041074952a3bb9b83afe7e376beb257eb5bd8b279e
-
Filesize 256KB
MD5 1f30bb1d3121cbf566cb63e8c06776ee
SHA1 988c9f2d7e8e1453d03d79562e0917fa541377e7
SHA256 e9e9019a47cf606755f12e46f46913a4957c7f77c1585f71c2d9164ecad15a87
SHA512 7278b759e73e88e4cb99811fb9d67e9f9107085c0c42a1baa83072ed59b0da3e39f89e561888edc8fd14dc1244f00f2852d4b3605927c5728ff582d6db39fc6e
-
Filesize 576KB
MD5 ad60bd5c56e08f463cb1f9d5fde642cd
SHA1 e71df8a16862f186bc6793d5d5e448bee018f041
SHA256 9b1db8d4b15d7a25ff7296cab3f618de825e7e4f5b054adc7534abab93132693
SHA512 54954a4ad9477ec61964e362a0b9293dc5915241bfc9f723cd6574360c04285c517798fbf121de7211e30b5a0fe3856cb5e12fcc5107bff815c3476a0ab3d7a9
-
Filesize 130KB
MD5 98909fe4cc1b0f5c09662ccfef21c5d2
SHA1 f618453031e85465249eac849f55b3e64bae1a68
SHA256 e160053908776988cdc5860348b1782cc326856fb6976f352c0d83c62b1d3eb9
SHA512 a6a55687f1b0a887671fe6d6b405131012735eda1b8706fc92f6bf4dabde285f8565a0498347718089abd1996b73726157a012416e48433e955362a338e98d2d
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
Filesize 2.5MB
MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
Filesize 1.9MB
MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbgcore.DLL
Filesize 166KB
MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbghelp.dll
Filesize 1.7MB
MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\opera_package
Filesize 14.6MB
MD5 360efb56858be64f43fa1586e44c9f17
SHA1 721007f5b2d71047fae49c502c76d8b91e0f5876
SHA256 f967395aa0c889a0d8202d9347a1de1050216a0c45995eb756644d4d70d3ff44
SHA512 47a759f9fec7d0cd3868d479ee57d4057736e8c13f6c762f1615cd7356cdc7e7754b72c0df5992b488ba466fdb3041e1eb28b0ed4cb3a879f9c836aee9c97944
-
Filesize 77B
MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize 782KB
MD5 51597fedbf769613eac193b679de833d
SHA1 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945
SHA256 b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c
SHA512 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23
-
Filesize 512KB
MD5 be1ac00f167db10466dd478c5fc84236
SHA1 88fdd87741500809227220714ebcdf6640ee12a5
SHA256 b2327156069cffc46a71de7796fa849247cb1be9e984baf38d3198aba6f0df84
SHA512 cf59ba95daaf312b504d5b86e222c9ff93f1b8b09dd0648bb3c712e61b83921bf3c00371c4aae0a9cbc81543a84d225dbc5e4803bd3486bbea2a0d537869a6bf
-
Filesize 1024KB
MD5 dda78bf5a869f7b193163fd1a9c054da
SHA1 e5a0945ee6abc5be19cf42d3afc08bb2be419128
SHA256 6b3516adc6be5724707a7bb708f391765bc90cab33e5e144ece0b57ee8622524
SHA512 9e3e7b6e3cdb655b621b7c69d3569536005b0acfd7e10c4e7c8f82ff1a147b85eb54991d7c84bfc7ace739bdbc973f6b799b5b676eaeb3c41befd2c918f86f17
-
Filesize 1.1MB
MD5 5a18f4fdd9a452d8f3a2692f79946acb
SHA1 abbc0892df6dc490fc1974ef835877c1fe585513
SHA256 e2cda95bdc19110fcbf8f56001c7c3741a60acb2e88fb9ee0d5f253d190e822e
SHA512 ead1438be6aeb7a1730dbc1a954b7b1129739fbf3b3adeaaf6862f4237a711a34dd14b4ef355af270348f5bf42220997f84fa871a6f3f37bfb67bb1999fc5a55
-
Filesize 576KB
MD5 6585c04ac560776fa8dd6c2b85350b1f
SHA1 27b918c549a7e0cd3129b2a51f8451ab244f3429
SHA256 13624a80c9de106952e6315f00102bf44bfe2ce6192550e3a872d9c223212ef4
SHA512 9a40c9a11371b2dcb35a197c78cc991f269f897e281be1c4becbb2d90682b584644dbe367a701d114cfcc742fc4ba34910ff2691e712695986c0983526572bdd
-
Filesize 42KB
MD5 f755fe732556cd439a27be40f780b758
SHA1 ead634b25d40d27ee54a531e4e36361f08d8246a
SHA256 ed98d8bb826ef82fa25113a4d3992ae7951199b2fa7d851c6d14144a027ef6bc
SHA512 b1d3ae9fb4b1b3019234dff1add232da3c1c2cf36f39adbce82adc7ed0d0125feb53603088aefc5578ce6bdf17357096e63673055331b1566a322a253f0dbd4a
-
Filesize 512KB
MD5 edcabf3acb09e79b542436c67624d50b
SHA1 c36b51cd4ff8d95586e4665e64fc611c3c043425
SHA256 e2eebe087ade661f6d17f8765a231b8e4a107bbe7b38200c5dd50de142b85347
SHA512 e2103a1f4bdf2bbf7b383785d1aba6294e698961f3cf87629962f35abc115573f842016802adddce7fa65c9e803a63b2717cc1a83bf9fd1b71e05132cc674953
-
Filesize 3.8MB
MD5 a7e2a8f0dfb1639dc1591c0961b1f861
SHA1 cee658bc7c0eb2f0f55b966c9c5201959bdc8d34
SHA256 3c1c782496dfbd0fa4534ea89a0d914d40e7c4b0a94d4991c7eebf751501bd46
SHA512 3063912ea960f5c63645ac70f47294285ad83dfae0fb36442894372f9083879a67cd6a6539bcc7a13eda2618d2a5aa5302fb89f0cf82920f136ef7c9b203ea0a
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 281KB
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize 690KB
MD5 150a46b9c3e09bc0ed8d581669fe605b
SHA1 760baa334e4e024e80f27f8e23b900600281a853
SHA256 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f
SHA512 d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805
-
Filesize 2KB
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize 21KB
MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
Filesize 283KB
MD5 099d81985b4d1951c9a0448bdead2e31
SHA1 3707f6971ecdd856999ca980a1b99b551bea5ff9
SHA256 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095
SHA512 f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2
-
Filesize 40B
MD5 9cdf189636e47aa6042eb5856e0d9057
SHA1 afab72399ffb36dec1ad0793151eaa7ec91b9afd
SHA256 2da5f500f4eb304dc0b3377c19209c924267e3090c572abb66ce4beb301b1e02
SHA512 df1941c3feab837f1c6b870d59cde69d61532e30d4531fe222a0257cc83ad54ee8e66c8476089c5d2c2a0d2fba6239915e08a30f7df831e7bff975cc518d4a80
-
Filesize 128B
MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize 7KB
MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize 2.1MB
MD5 74fbc954435fb0b73ad76afa3fb1969e
SHA1 a9eeba2cace9e8a236cb4bcdf379d71832d7f163
SHA256 7fae036851b4231149ee8d331cea9f3cd2d641c14be522909d9c3152d59241ab
SHA512 a08710f95d7136cc411172a9ab7135f6f21abd7cf3393f8e71c62cba84cd2fb3d490aae2bc177bc40b6139152fe86a362d7bff28f3ea06920eb37b24a29204a6
-
Filesize 1.8MB
MD5 3ca2f625386f7a3ca29376148974fa64
SHA1 646443709518ef699bae4755b262370ff6e7fbcc
SHA256 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4
SHA512 dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79
-
Filesize 2.5MB
MD5 6e2cba75e503c329503116801611b52f
SHA1 87fa56666fda240a3e2f0be5bb817d888d35b926
SHA256 88fcd287fbf95422454ccd263b0a0915cddaa92e4c86a426d3680b40fa0b29b6
SHA512 1dc8ccfc04d3a49d045233831b762f7122d2db000c5f663a50e9425991f3d51ce4d1fc2bf31aeefa5560553a12c25c9cbccc6a912c50fabea8c21776cc5b384b
-
Filesize 1.6MB
MD5 177c38eb9eb7af5087cb80b4a68b1281
SHA1 a7d0620725792d41222d03bb8c4e2c31ead7847f
SHA256 801ae1fee7f3a78340ccedf787d1391930045ba39b1efe077fba0e746b6b1d0b
SHA512 a97bd903f361f65929e640075882e2e3d3565b60e968142bb86ae50e848c71ff2363d55ada1c101b98804c96f63b5f81eb254ad68b9dda9a6c07e20c52d87641
-
Filesize 1.8MB
MD5 5614e2ea9f10d56d3199572664ab4abc
SHA1 d2e26e5ac239c00e561d7d92357e27bfbc5e16b3
SHA256 94d2ef9e71ef2ce604877a354562e1b367d11dc337b8db3a75fae1bc4354075b
SHA512 51fef200adbe6f1b167f68e9810beaf5a429b6a68ec4a756b6aca594889919f6773a57fc177e999a1a75979f1c580a624b11851fe6880de2c436408040abf0ed
-
Filesize 320KB
MD5 f8939b114aab258fa56e835d858747c2
SHA1 98350036dfec6cd033b48a574bb4cba481f6f77c
SHA256 7694f25356503f5f00a8d64587f905e7120607d3043114e02b127364c0643074
SHA512 51b0affac001a67ee573d77fbe5c616c5cd208cafa6ae13e74283eeb69f12ff5f2160dfe67729617f613f3f4555c5aa505486f42174fb40f7b76a9460f3c9233
-
Filesize 448KB
MD5 adb477df157b744465dfd76d5cb50cb7
SHA1 78c33535400f1bebbbc38f00f2ace5d78b57af5e
SHA256 c6cbf9678ca0efe2600cb5025a5f43e2a0b63a76a8b4173320b69170a5ef703d
SHA512 d05dfbf9225869f622509d54f207853db943a0d8b73e0eeb8e841880e3f580462dedc1df32656aadc440266333ff34d918c3311f625ec9fe0c8e54443a93dd93
-
Filesize 42KB
MD5 348dc4d114e42f5bf85ce09760660246
SHA1 5f4da836d7e87e5386a7f361ce522d28f4327d0f
SHA256 8a70c4aa00e0b939787b572d651f5306687ed06248a2fc8bcedf0b1a1a7c23aa
SHA512 c0f8bdf9b6e50e0871905ea5b62c84ab0952c4181b24e32f6c238ecf40e54508b080c404ce97e411409e1240082a81f4178318c7a5454472e5de171d08b350ee
-
Filesize 4.2MB
MD5 d184e9f455a3fb4b66cda4f480e2ebf8
SHA1 1369492c1ce7ce4bd8cee7a9bde706b781fb9f46
SHA256 bbecbf128a00477ac026297bac7bd37e623bace32afdda18cd561a8ea5fa06ab
SHA512 c4d335b6325e1638cc24476d4248cb5fa45e75564561fdff10c889b6d269fab9bf798f115c3858e50b0a39328845189571a7d67d4318d004a9a5cc0af8afd97e
-
Filesize 3.9MB
MD5 1b5db3a14abeadec87533581be1ce2cf
SHA1 2522160144ecab17a9fe716595f43cb007a909a2
SHA256 c407fdfdf85ad02428199f989672c2f23d5e916c65341a461fb6071521305080
SHA512 4309323b6fa7414402919c3d2624ccd73167e6afb10a278120fa13803c97bd1c5b6808206419ad6949e727f25a5c9da8a650529ac5f3e43f86c7afe80160c98f
-
Filesize 284KB
MD5 e474dda04f6f90ba50ebff47395b19c9
SHA1 db1dc005639d232a25e074267239fd9e5fcbe6c7
SHA256 d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef
SHA512 aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 efd8ad67c3341bab76bcb7f85c8a0acd
SHA1 1c638d8b2330c7c19ac58b66e311e8472874c6d4
SHA256 051003d560bad10b963a231b15b642b216c6ba7a1fb7668ff3c0e5f56053fbf4
SHA512 50f22169679e5a691585962717c8aa320037cf62207b66c109036fdda56627bd81bd0bf11b161c04d2ee59ae1c6e8884e06a0d7d3da6cd14ee505f1576ae3ebf
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 b9c56fef089c22f77c34ed291b6adf0c
SHA1 776ade0c003e86a7dc11e8f7e9a4ce6aadb22b54
SHA256 d34bf1ff2e2c75e16aab260415d1371dd9234d1fc201c6bad90c41461f7e74af
SHA512 adbc3ee356df5e448eac045a5f06cc68f23ccd9568e42967c3483ebe95f6e1f533e60b74574791e773583c9675ef439f70a6a16749422e27e43e5b22291399dc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 25d3fbd37ff5d6639622a5e0ecdb0e10
SHA1 7d276361cf23eefb054a10a0467794a7346010e0
SHA256 ffe88bba8be83e4f1379f13550002dc4bc131f3b907e6fdc2a189c859b9232ee
SHA512 ae561698b7c69f340c8ad1bd2913c3c0ee675571d0f1c3c6e000864c16aeb8145fa9f08c68588efae9757b5145961a4d6d83df7974fce14294a14a0116cace19
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 fa403614546e98428b577aa8e009c870
SHA1 791d84ffe77113cdd0c2636d2df2cbebd9ec2ed4
SHA256 30400ee1e76f5b1cb056571b470528af0351ae4bee6c98a744f0ba7aeaf4a79d
SHA512 138d5a87f3e9e7983a2b56b2522cb6898b171e594f1bcbb5f0d461e36e0a8e3b1b1c0e9585ed85ba37e75a75c0fed0561795047ebd97e0d4bb89996eceb6b365
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 0152c0fbfba55b85e7f847867afbf00d
SHA1 0e09c666517e49526a7abefa94512cc30a556238
SHA256 4c307d5f7e9006df16213fb3be5ed0e0836032d9aacb83c42d0a150525a9305a
SHA512 c71c209ce051cb896784c382d013ed58d95d57c52b469aca4ba3c166ff88bd254ca037019f63afe88b47b8dc13c5483181b4ef0647c89bdf6c69296ebbd43ce5
-
Filesize 2.6MB
MD5 55c85f58da6671f67922f372d356325c
SHA1 7ba3811e1dcf31c3829e5c381eb563779798746a
SHA256 06badece824c881c0a004fa9874333d5f00f3cc3032efb224762548a274ef208
SHA512 8a90cf5d4931cc93546e945587009696387b3c09f36326adf475dd8638ba12e41585ef4c792f740c89cc3e0b2cbb6096036e19d057ec09cadd8262a979729097
-
Filesize 2.0MB
MD5 7df38c9b9403dc949a2b823b8682e9e5
SHA1 66ae8c2b251180d2acf6112452f812d44ecd81a1
SHA256 d5b48887ce12ec6f40229e9a5091bcc6d0bd35e289257f25c78378316976b1c8
SHA512 4a6e4fc56de13e9570fd4267a5c6e6e765a77d03426ae75e375506c946e4acfe8633b8120bb8b8801b0c0e646d69a75ac71b3421183ecd6a1205ddfc4fe88eef
-
Filesize 2.0MB
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec