Analysis
max time kernel: 261s
max time network: 301s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28/03/2024, 22:30
Static task: static1
Behavioral task: behavioral1
Sample: 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe
Resource: win7-20240221-en
General
Target: 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe
Size: 424KB
MD5: 7660d1df7575e664c8f11be23a924bba
SHA1: 22a6592b490e2ef908f7ecacb7cad34256bdd216
SHA256: 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
SHA512: 77c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e
SSDEEP: 12288:ryWjrJS5FchtDO/V4Cqi0RlYZTRjzg2AYU:ryoJ8KhtDgVfJLTRjs2AYU
Malware Config
Extracted: stealc
http://185.172.128.209
url_path: /3cd2b41cbde8fc9c.php
Extracted: lumma
https://herdbescuitinjurywu.shop/api
Signatures
Detects DLL dropped by Raspberry Robin. 2 IoCs
Raspberry Robin.
resource | yara_rule
behavioral2/memory/4112-122-0x0000000076FA0000-0x0000000077162000-memory.dmp | Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/4720-164-0x0000000076FA0000-0x0000000077162000-memory.dmp | Raspberry_Robin_DLL_MAY_2022
Glupteba payload 14 IoCs
resource | yara_rule
behavioral2/memory/1844-82-0x0000000002F70000-0x000000000385B000-memory.dmp | family_glupteba
behavioral2/memory/1844-88-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/220-93-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/1844-202-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/220-235-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/1844-490-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/220-502-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/2428-512-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/1844-1337-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/220-1340-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/2428-1348-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/4616-1434-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/4500-1439-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
behavioral2/memory/5088-1448-0x0000000000400000-0x0000000000ECD000-memory.dmp | family_glupteba
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4112 created 2148 | 4112 | RegAsm.exe | 51
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YWs5UTxZr5AenkLAi1KwKNOi.exe = "0" | YWs5UTxZr5AenkLAi1KwKNOi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jj90xFDYYdmnsryuuFbp6pnu.exe = "0" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CqOtShqdfSVnXipfjt58rIU4.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
pid | Process
5572 | netsh.exe
5640 | netsh.exe
5740 | netsh.exe
Drops startup file 11 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UNbP6USxHNfT6vKup2NsyeA8.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\au0TrLn35OhxNHxFZenTTi4K.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DyhyMTGmG6OTTcv1yn9wYY3z.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frH58nCLHKpLUXA4bLboSFzW.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ndjbqTGA41DU4KUqTm9wnYzf.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R188zyb51enl0ft6YOflYJ1j.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7dMpc4I4VTLHUrepCrsqwJaM.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cKLFK3rYwiCWt21gIBbWSMds.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QpFXC2yFdNjznsIFWhCFLGbf.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTaL3ZxRxBqdVVb76Xo8KRt0.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0TJJlFYjzcAtYM0XvkBsb5b.bat | jsc.exe
Executes dropped EXE 24 IoCs
pid | Process
4636 | vZhkWfk1KYIKmH5xpBHIuX0s.exe
4724 | qNtH4wYOnE3DxYcBJ1DP3uVO.exe
2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe
1844 | jj90xFDYYdmnsryuuFbp6pnu.exe
220 | CqOtShqdfSVnXipfjt58rIU4.exe
4412 | u3ks.0.exe
2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe
3432 | u3ks.1.exe
4720 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
2784 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
4116 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
560 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
1260 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
2176 | EBGDAAKJJD.exe
4616 | jj90xFDYYdmnsryuuFbp6pnu.exe
4500 | CqOtShqdfSVnXipfjt58rIU4.exe
5088 | YWs5UTxZr5AenkLAi1KwKNOi.exe
5296 | Assistant_108.0.5067.20_Setup.exe_sfx.exe
5848 | assistant_installer.exe
5740 | assistant_installer.exe
2384 | csrss.exe
4328 | injector.exe
1604 | windefender.exe
5324 | windefender.exe
Loads dropped DLL 10 IoCs
pid | Process
4412 | u3ks.0.exe
4412 | u3ks.0.exe
4720 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
2784 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
560 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
1260 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
5848 | assistant_installer.exe
5848 | assistant_installer.exe
5740 | assistant_installer.exe
5740 | assistant_installer.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CqOtShqdfSVnXipfjt58rIU4.exe = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jj90xFDYYdmnsryuuFbp6pnu.exe = "0" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YWs5UTxZr5AenkLAi1KwKNOi.exe = "0" | YWs5UTxZr5AenkLAi1KwKNOi.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | YWs5UTxZr5AenkLAi1KwKNOi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | QIPYx01QHg4rpj0Z7G8BhZqI.exe
File opened (read-only) | \??\F: | QIPYx01QHg4rpj0Z7G8BhZqI.exe
File opened (read-only) | \??\D: | QIPYx01QHg4rpj0Z7G8BhZqI.exe
File opened (read-only) | \??\F: | QIPYx01QHg4rpj0Z7G8BhZqI.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
2 | pastebin.com
3 | pastebin.com
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3276 set thread context of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 2072 set thread context of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | CqOtShqdfSVnXipfjt58rIU4.exe
File opened (read-only) | \??\VBoxMiniRdrDN | YWs5UTxZr5AenkLAi1KwKNOi.exe
File opened (read-only) | \??\VBoxMiniRdrDN | jj90xFDYYdmnsryuuFbp6pnu.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\rss\csrss.exe | CqOtShqdfSVnXipfjt58rIU4.exe
File opened for modification | C:\Windows\rss | YWs5UTxZr5AenkLAi1KwKNOi.exe
File created | C:\Windows\rss\csrss.exe | YWs5UTxZr5AenkLAi1KwKNOi.exe
File opened for modification | C:\Windows\rss | jj90xFDYYdmnsryuuFbp6pnu.exe
File created | C:\Windows\rss\csrss.exe | jj90xFDYYdmnsryuuFbp6pnu.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | CqOtShqdfSVnXipfjt58rIU4.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
5664 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid | pid_target | Process | procid_target
3400 | 2072 | WerFault.exe | 80
2536 | 4112 | WerFault.exe | 84
2208 | 4112 | WerFault.exe | 84
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u3ks.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u3ks.1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u3ks.1.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | u3ks.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | u3ks.0.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5932 | schtasks.exe
5776 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-492 = "India Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | YWs5UTxZr5AenkLAi1KwKNOi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | jj90xFDYYdmnsryuuFbp6pnu.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | jj90xFDYYdmnsryuuFbp6pnu.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | YWs5UTxZr5AenkLAi1KwKNOi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | YWs5UTxZr5AenkLAi1KwKNOi.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | CqOtShqdfSVnXipfjt58rIU4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | YWs5UTxZr5AenkLAi1KwKNOi.exe
Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | windefender.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | QIPYx01QHg4rpj0Z7G8BhZqI.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob elided] | QIPYx01QHg4rpj0Z7G8BhZqI.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob elided] | QIPYx01QHg4rpj0Z7G8BhZqI.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4200 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4724 | qNtH4wYOnE3DxYcBJ1DP3uVO.exe
4724 | qNtH4wYOnE3DxYcBJ1DP3uVO.exe
4724 | qNtH4wYOnE3DxYcBJ1DP3uVO.exe
4724 | qNtH4wYOnE3DxYcBJ1DP3uVO.exe
4112 | RegAsm.exe
4112 | RegAsm.exe
4720 | dialer.exe
4720 | dialer.exe
4720 | dialer.exe
4720 | dialer.exe
4412 | u3ks.0.exe
4412 | u3ks.0.exe
4440 | powershell.exe
4440 | powershell.exe
3676 | powershell.exe
3676 | powershell.exe
4440 | powershell.exe
4124 | powershell.exe
4124 | powershell.exe
3676 | powershell.exe
4124 | powershell.exe
4124 | powershell.exe
4440 | powershell.exe
3676 | powershell.exe
4412 | u3ks.0.exe
4412 | u3ks.0.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1844 | jj90xFDYYdmnsryuuFbp6pnu.exe
1844 | jj90xFDYYdmnsryuuFbp6pnu.exe
220 | CqOtShqdfSVnXipfjt58rIU4.exe
220 | CqOtShqdfSVnXipfjt58rIU4.exe
2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe
2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2396 | powershell.exe
2396 | powershell.exe
4596 | powershell.exe
4596 | powershell.exe
5112 | powershell.exe
5112 | powershell.exe
5112 | powershell.exe
4596 | powershell.exe
2396 | powershell.exe
4596 | powershell.exe
5112 | powershell.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
Token: SeDebugPrivilege | 324 | jsc.exe
Token: SeDebugPrivilege | 4440 | powershell.exe
Token: SeDebugPrivilege | 3676 | powershell.exe
Token: SeDebugPrivilege | 4124 | powershell.exe
Token: SeDebugPrivilege | 4740 | SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege | 1844 | jj90xFDYYdmnsryuuFbp6pnu.exe
Token: SeImpersonatePrivilege | 1844 | jj90xFDYYdmnsryuuFbp6pnu.exe
Token: SeDebugPrivilege | 220 | CqOtShqdfSVnXipfjt58rIU4.exe
Token: SeImpersonatePrivilege | 220 | CqOtShqdfSVnXipfjt58rIU4.exe
Token: SeDebugPrivilege | 2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe
Token: SeImpersonatePrivilege | 2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe
Token: SeDebugPrivilege | 4596 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 5112 | powershell.exe
Token: SeDebugPrivilege | 5744 | powershell.exe
Token: SeDebugPrivilege | 5664 | powershell.exe
Token: SeDebugPrivilege | 236 | powershell.exe
Token: SeDebugPrivilege | 2004 | powershell.exe
Token: SeDebugPrivilege | 5264 | powershell.exe
Token: SeDebugPrivilege | 5616 | powershell.exe
Token: SeDebugPrivilege | 5236 | powershell.exe
Token: SeDebugPrivilege | 3280 | powershell.exe
Token: SeDebugPrivilege | 5936 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2384 | csrss.exe
Token: SeSecurityPrivilege | 5664 | sc.exe
Token: SeSecurityPrivilege | 5664 | sc.exe
Suspicious use of FindShellTrayWindow 7 IoCs
pid | Process
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
Suspicious use of SendNotifyMessage 7 IoCs
pid | Process
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
3432 | u3ks.1.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 324 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 74
PID 3276 wrote to memory of 4512 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 75
PID 3276 wrote to memory of 4512 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 75
PID 3276 wrote to memory of 4512 | 3276 | 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | 75
PID 324 wrote to memory of 4636 | 324 | jsc.exe | 78
PID 324 wrote to memory of 4636 | 324 | jsc.exe | 78
PID 324 wrote to memory of 4636 | 324 | jsc.exe | 78
PID 324 wrote to memory of 4724 | 324 | jsc.exe | 79
PID 324 wrote to memory of 4724 | 324 | jsc.exe | 79
PID 324 wrote to memory of 4724 | 324 | jsc.exe | 79
PID 324 wrote to memory of 2072 | 324 | jsc.exe | 80
PID 324 wrote to memory of 2072 | 324 | jsc.exe | 80
PID 324 wrote to memory of 2072 | 324 | jsc.exe | 80
PID 324 wrote to memory of 1844 | 324 | jsc.exe | 81
PID 324 wrote to memory of 1844 | 324 | jsc.exe | 81
PID 324 wrote to memory of 1844 | 324 | jsc.exe | 81
PID 324 wrote to memory of 220 | 324 | jsc.exe | 83
PID 324 wrote to memory of 220 | 324 | jsc.exe | 83
PID 324 wrote to memory of 220 | 324 | jsc.exe | 83
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 2072 wrote to memory of 4112 | 2072 | 7pPqcQ1NvLfzcuazweVkDUiS.exe | 84
PID 4636 wrote to memory of 4412 | 4636 | vZhkWfk1KYIKmH5xpBHIuX0s.exe | 115
PID 4636 wrote to memory of 4412 | 4636 | vZhkWfk1KYIKmH5xpBHIuX0s.exe | 115
PID 4636 wrote to memory of 4412 | 4636 | vZhkWfk1KYIKmH5xpBHIuX0s.exe | 115
PID 4112 wrote to memory of 4720 | 4112 | RegAsm.exe | 102
PID 4112 wrote to memory of 4720 | 4112 | RegAsm.exe | 102
PID 4112 wrote to memory of 4720 | 4112 | RegAsm.exe | 102
PID 4112 wrote to memory of 4720 | 4112 | RegAsm.exe | 102
PID 4112 wrote to memory of 4720 | 4112 | RegAsm.exe | 102
PID 324 wrote to memory of 2428 | 324 | jsc.exe | 92
PID 324 wrote to memory of 2428 | 324 | jsc.exe | 92
PID 324 wrote to memory of 2428 | 324 | jsc.exe | 92
PID 4636 wrote to memory of 3432 | 4636 | vZhkWfk1KYIKmH5xpBHIuX0s.exe | 93
PID 4636 wrote to memory of 3432 | 4636 | vZhkWfk1KYIKmH5xpBHIuX0s.exe | 93
PID 4636 wrote to memory of 3432 | 4636 | vZhkWfk1KYIKmH5xpBHIuX0s.exe | 93
PID 220 wrote to memory of 4440 | 220 | CqOtShqdfSVnXipfjt58rIU4.exe | 94
PID 220 wrote to memory of 4440 | 220 | CqOtShqdfSVnXipfjt58rIU4.exe | 94
PID 220 wrote to memory of 4440 | 220 | CqOtShqdfSVnXipfjt58rIU4.exe | 94
PID 2428 wrote to memory of 3676 | 2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe | 95
PID 2428 wrote to memory of 3676 | 2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe | 95
PID 2428 wrote to memory of 3676 | 2428 | YWs5UTxZr5AenkLAi1KwKNOi.exe | 95
PID 1844 wrote to memory of 4124 | 1844 | jj90xFDYYdmnsryuuFbp6pnu.exe | 98
PID 1844 wrote to memory of 4124 | 1844 | jj90xFDYYdmnsryuuFbp6pnu.exe | 98
PID 1844 wrote to memory of 4124 | 1844 | jj90xFDYYdmnsryuuFbp6pnu.exe | 98
PID 324 wrote to memory of 4720 | 324 | jsc.exe | 102
PID 324 wrote to memory of 4720 | 324 | jsc.exe | 102
PID 324 wrote to memory of 4720 | 324 | jsc.exe | 102
PID 4720 wrote to memory of 2784 | 4720 | QIPYx01QHg4rpj0Z7G8BhZqI.exe | 103
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

+ c:\windows\system32\sihost.exe  (PID 2148)
    cmd: sihost.exe
    + C:\Windows\SysWOW64\dialer.exe  (PID 4720)
        cmd: "C:\Windows\system32\dialer.exe"
        - Suspicious behavior: EnumeratesProcesses

+ C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe  (PID 3276)
    cmd: "C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    + C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  (PID 324)
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        + C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe  (PID 4636)
            cmd: "C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            + C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe  (PID 4412)
                cmd: "C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                + C:\Windows\SysWOW64\cmd.exe  (PID 2892)
                    cmd: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe"
                    + C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe  (PID 2176)
                        cmd: "C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe"
                        - Executes dropped EXE
                        + C:\Windows\SysWOW64\cmd.exe  (PID 4140)
                            cmd: "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe
                            + C:\Windows\SysWOW64\PING.EXE  (PID 4200)
                                cmd: ping 2.2.2.2 -n 1 -w 3000
                                - Runs ping.exe
            + C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe  (PID 3432)
                cmd: "C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe"
                - Executes dropped EXE
                - Checks SCSI registry key(s)
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                + C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe  (PID 4740)
                    cmd: "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
        + C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe  (PID 4724)
            cmd: "C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        + C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe  (PID 2072)
            cmd: "C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            + C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 4112)
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                - Suspicious use of NtCreateUserProcessOtherParentProcess
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                + C:\Windows\SysWOW64\WerFault.exe  (PID 2536)
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 632
                    - Program crash
                + C:\Windows\SysWOW64\WerFault.exe  (PID 2208)
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 184
                    - Program crash
            + C:\Windows\SysWOW64\WerFault.exe  (PID 3400)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 836
                - Program crash
        + C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe  (PID 1844)
            cmd: "C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4124)
                cmd: powershell -nologo -noprofile
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            + C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe  (PID 4616)
                cmd: "C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe"
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Adds Run key to start application
                - Checks for VirtualBox DLLs, possible anti-VM trick
                - Drops file in Windows directory
                - Modifies data under HKEY_USERS
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5112)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                + C:\Windows\System32\cmd.exe  (PID 5672)
                    cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                    + C:\Windows\system32\netsh.exe  (PID 5740)
                        cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                        - Modifies Windows Firewall
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 236)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious use of AdjustPrivilegeToken
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5616)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious use of AdjustPrivilegeToken
        + C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe  (PID 220)
            cmd: "C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4440)
                cmd: powershell -nologo -noprofile
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            + C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe  (PID 4500)
                cmd: "C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe"
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Adds Run key to start application
                - Checks for VirtualBox DLLs, possible anti-VM trick
                - Drops file in Windows directory
                - Modifies data under HKEY_USERS
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2396)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                + C:\Windows\System32\cmd.exe  (PID 5496)
                    cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                    + C:\Windows\system32\netsh.exe  (PID 5572)
                        cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                        - Modifies Windows Firewall
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5744)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious use of AdjustPrivilegeToken
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2004)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious use of AdjustPrivilegeToken
                + C:\Windows\rss\csrss.exe  (PID 2384)
                    cmd: C:\Windows\rss\csrss.exe
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Manipulates WinMonFS driver.
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken
                    + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5236)
                        cmd: powershell -nologo -noprofile
                        - Drops file in System32 directory
                        - Modifies data under HKEY_USERS
                        - Suspicious use of AdjustPrivilegeToken
                    + C:\Windows\SYSTEM32\schtasks.exe  (PID 5932)
                        cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                        - Creates scheduled task(s)
                    + C:\Windows\SYSTEM32\schtasks.exe  (PID 5844)
                        cmd: schtasks /delete /tn ScheduledUpdate /f
                    + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3280)
                        cmd: powershell -nologo -noprofile
                        - Drops file in System32 directory
                        - Modifies data under HKEY_USERS
                        - Suspicious use of AdjustPrivilegeToken
                    + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5936)
                        cmd: powershell -nologo -noprofile
                        - Drops file in System32 directory
                        - Modifies data under HKEY_USERS
                        - Suspicious use of AdjustPrivilegeToken
                    + C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  (PID 4328)
                        cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                        - Executes dropped EXE
                    + C:\Windows\SYSTEM32\schtasks.exe  (PID 5776)
                        cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                        - Creates scheduled task(s)
                    + C:\Windows\windefender.exe  (PID 1604)
                        cmd: "C:\Windows\windefender.exe"
                        - Executes dropped EXE
                        + C:\Windows\SysWOW64\cmd.exe  (PID 1548)
                            cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                            + C:\Windows\SysWOW64\sc.exe  (PID 5664)
                                cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                - Launches sc.exe
                                - Suspicious use of AdjustPrivilegeToken
        + C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe  (PID 2428)
            cmd: "C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3676)
                cmd: powershell -nologo -noprofile
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            + C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe  (PID 5088)
                cmd: "C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe"
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Adds Run key to start application
                - Checks for VirtualBox DLLs, possible anti-VM trick
                - Drops file in Windows directory
                - Modifies data under HKEY_USERS
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4596)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                + C:\Windows\System32\cmd.exe  (PID 5556)
                    cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                    + C:\Windows\system32\netsh.exe  (PID 5640)
                        cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                        - Modifies Windows Firewall
                        - Modifies data under HKEY_USERS
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5664)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious use of AdjustPrivilegeToken
                + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5264)
                    cmd: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    - Suspicious use of AdjustPrivilegeToken
        + C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe  (PID 4720)
            cmd: "C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe" --silent --allusers=0
            - Executes dropped EXE
            - Loads dropped DLL
            - Enumerates connected drives
            - Modifies system certificate store
            - Suspicious use of WriteProcessMemory
            + C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe  (PID 2784)
                cmd: C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6d00e1d0,0x6d00e1dc,0x6d00e1e8
                - Executes dropped EXE
                - Loads dropped DLL
            + C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QIPYx01QHg4rpj0Z7G8BhZqI.exe  (PID 4116)
                cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QIPYx01QHg4rpj0Z7G8BhZqI.exe" --version
                - Executes dropped EXE
            + C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe  (PID 560)
                cmd: "C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4720 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328223140" --session-guid=24b3a1b9-2282-4901-9ecd-b7d76ca750a7 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B004000000000000
                - Executes dropped EXE
                - Loads dropped DLL
                - Enumerates connected drives
                + C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe  (PID 1260)
                    cmd: C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x280,0x2bc,0x6c68e1d0,0x6c68e1dc,0x6c68e1e8
                    - Executes dropped EXE
                    - Loads dropped DLL
            + C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe  (PID 5296)
                cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
                - Executes dropped EXE
            + C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe  (PID 5848)
                cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe" --version
                - Executes dropped EXE
                - Loads dropped DLL
                + C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe  (PID 5740)
                    cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xe70040,0xe7004c,0xe70058
                    - Executes dropped EXE
                    - Loads dropped DLL
    + C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  (PID 4512)
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

+ \??\c:\windows\system32\svchost.exe  (PID 4412)
    cmd: c:\windows\system32\svchost.exe -k netsvcs -s seclogon

+ C:\Windows\windefender.exe  (PID 5324)
    cmd: C:\Windows\windefender.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
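The `sc sdset WinDefender ...` line in the tree (PID 5664, under the dropped C:\Windows\windefender.exe) is the part of the chain worth reading byte by byte: it replaces the service's security descriptor, and what it takes away is only visible once the SDDL is decoded. The script below is an added example by the editor, not part of the tria.ge report or of the sample's own code. The SDDL string is copied from the process tree; the abbreviation tables are the documented SDDL shorthands for ACE types, well-known SIDs and service-specific rights; DEFAULT_SERVICE_SDDL is an assumed baseline, the descriptor that `sc sdshow` prints for a typical stock service, used only to show the diff.

```python
"""Decode the service security descriptor passed to `sc sdset WinDefender`
and report what it denies Administrators. Added example, not report code."""
import re

# Copied from the report: the descriptor passed to `sc sdset WinDefender`.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumed baseline: what `sc sdshow` prints for a typical stock service.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Documented SDDL abbreviations.
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
# Service-specific access rights as SDDL spells them (two letters each).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# (type;flags;rights;object_guid;inherit_guid;sid) with empty GUID fields.
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);;;(\w+)\)")


def parse_dacl(sddl):
    """Return the DACL as a list of (type, rights, trustee) tuples.
    The SACL after 'S:' only audits, so it is dropped."""
    dacl = sddl.split("S:", 1)[0]
    aces = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        names = frozenset(RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                          for i in range(0, len(rights), 2))
        aces.append((ACE_TYPES.get(ace_type, ace_type), names,
                     TRUSTEES.get(sid, sid)))
    return aces


def effective_rights(sddl, trustee):
    """(granted, denied) for one trustee. An explicit deny beats an allow,
    as in a Windows access check, so denied rights leave the grant set."""
    granted, denied = set(), set()
    for ace_type, names, who in parse_dacl(sddl):
        if who != trustee:
            continue
        (denied if ace_type == "deny" else granted).update(names)
    return granted - denied, denied


def admin_lockout(sddl):
    """Service rights the descriptor explicitly denies to Administrators."""
    return sorted(effective_rights(sddl, "Administrators")[1])


def rights_removed(baseline, modified, trustee):
    """Rights the trustee held under the baseline but not under the new descriptor."""
    before, _ = effective_rights(baseline, trustee)
    after, _ = effective_rights(modified, trustee)
    return sorted(before - after)


if __name__ == "__main__":
    print("denied to Administrators:", admin_lockout(WINDEFENDER_SDDL))
    print("lost vs. baseline:",
          rights_removed(DEFAULT_SERVICE_SDDL, WINDEFENDER_SDDL, "Administrators"))
    kept, _ = effective_rights(WINDEFENDER_SDDL, "Administrators")
    print("still held, enough to undo this:",
          sorted(kept & {"WRITE_DAC", "SERVICE_CHANGE_CONFIG", "DELETE"}))
```

The decode shows two changes relative to the baseline: SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) are removed from the Administrators allow ACE, and the extra `(D;;WPDT;;;BA)` denies them outright, so `sc stop WinDefender` or `net stop WinDefender` fails with access denied even in an elevated shell. The SACL part only audits and grants nothing. Administrators still hold WRITE_DAC, SERVICE_CHANGE_CONFIG and DELETE, so an incident responder can restore the stock descriptor with `sc sdset` (or delete the service) and then stop it; that is the cleanup order this descriptor forces.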
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
  Modify Registry (4)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
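The matrix above is populated from the command lines in the process tree: the schtasks ONLOGON task, the netsh allow rule for C:\Windows\rss\csrss.exe, the sc sdset descriptor rewrite, and the ping-then-del self-deletion. The script below turns those observations into command-line triage rules of the kind run over Sysmon event 1 or Security 4688 process-creation records. It is an added example by the editor, not part of the tria.ge report; the sample events are command lines copied from the tree with the PIDs listed there, while the rules, the technique mapping, the masquerading check and the SYSTEM_NAMES list are the editor's own. The masquerading rule generalizes the page's one case (a file named csrss.exe outside System32) to a short list of core Windows binary names.

```python
"""Command-line triage rules for the persistence and defense-evasion steps
recorded in the process tree. Added example, not report code."""
import re
from pathlib import PureWindowsPath

# Directories where a core Windows binary legitimately lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names worth checking for a borrowed location (editor's list; the report's
# C:\Windows\rss\csrss.exe is the case that motivates it).
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "services.exe", "smss.exe", "wininit.exe"}

# (ATT&CK technique, description, pattern). A 'prog' group, where present,
# captures the program path the command refers to.
RULES = [
    ("T1053.005", "scheduled task runs at logon with highest privileges",
     re.compile(r'schtasks\s+/create\b(?=.*/sc\s+onlogon\b)(?=.*/rl\s+highest\b)'
                r'.*?/tr\s+"?(?P<prog>[^"\s]+)', re.I)),
    ("T1562.004", "inbound firewall allow rule added for a program",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\baction=allow\b)'
                r'.*?\bprogram="?(?P<prog>[^"\s]+)', re.I)),
    ("T1562.001", "service DACL rewritten with an explicit deny ACE",
     re.compile(r"\bsc(?:\.exe)?\s+sdset\s+\S+\s+\S*\(D;", re.I)),
    ("T1070.004", "delayed self-deletion: ping used as a sleep, then del",
     re.compile(r"\bping\s+\S+\s+-n\s+\d+.*?&\s*del\s+\S+", re.I)),
    ("T1055", "hook DLL handed to an injector targeting taskmgr.exe",
     re.compile(r"injector\.exe\s+taskmgr\.exe\s+\S+hook\.dll", re.I)),
]


def masquerading_path(path):
    """True when a file uses a core Windows binary name outside System32/SysWOW64."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS


def triage(events):
    """events: iterable of (pid, command line). Returns one (pid, technique,
    detail) per rule hit; a captured program path is additionally checked
    for masquerading (T1036.005)."""
    hits = []
    for pid, cmd in events:
        for technique, description, pattern in RULES:
            m = pattern.search(cmd)
            if not m:
                continue
            prog = m.groupdict().get("prog")
            hits.append((pid, technique, description + (f": {prog}" if prog else "")))
            if prog and masquerading_path(prog):
                hits.append((pid, "T1036.005",
                             f"system binary name outside System32: {prog}"))
    return hits


# Constructed from the process tree above: (PID, command line).
SAMPLE_EVENTS = [
    (5932, r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (5740, r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (5664, r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (4140, r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe'),
    (4328, r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    # Controls that must stay quiet: the task deletion and the bare ping child.
    (5844, r"schtasks /delete /tn ScheduledUpdate /f"),
    (4200, r"ping 2.2.2.2 -n 1 -w 3000"),
]

if __name__ == "__main__":
    for pid, technique, detail in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {technique:<10} {detail}")
```

Two design points: the schtasks and netsh rules use lookaheads so the switches may appear in any order, and the masquerading check is applied to whatever path a rule captured rather than being a rule of its own, which is how both the task target and the firewall rule target end up flagged for the same C:\Windows\rss\csrss.exe. The bare `ping 2.2.2.2 -n 1 -w 3000` child (PID 4200) is deliberately not matched; only the parent cmd.exe line, which carries the `& Del`, is.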
Downloads

- Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

- Filesize: 2KB
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

- Filesize: 44KB
  MD5: 7247129cd0644457905b7d6bf17fd078
  SHA1: dbf9139b5a1b72141f170d2eae911bbbe7e128c8
  SHA256: dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
  SHA512: 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

- Filesize: 19KB
  MD5: 8c1a32e3fb85d39d0bfafef4d4137142
  SHA1: 034a11b0558270c332483256cb431054349c64d9
  SHA256: de9cc05267cc48a3f00936e482683e8004827e9d0d75a50d198188f6d23b6750
  SHA512: b29bc20dbf53ca706ac622d7c522a8c075ec4f3f3d99c93340b75f2a1ab7e6359f56fd65195ac61eb92ad32a85a68d142a62a605b5cff07a5763748ea83fa47a

- Filesize: 19KB
  MD5: 4bf2ed40e33939583d1c964f2ccb4e62
  SHA1: d2b778445eda9d95468d9686f127c9e872514dc0
  SHA256: f475309f1ea317b27ec4c0b1df2e194c56da0fa7dc71d1424e9bac032fefbc38
  SHA512: 5499c2f74bb61bbb4435bcc5ffe08730272634082833245a9e2c6e00ea523a083383beb1294d1716373a5b7d625552da520ff6b6d3beaca4516bc7d39423ddc1

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
  Filesize: 2.5MB
  MD5: 20d293b9bf23403179ca48086ba88867
  SHA1: dedf311108f607a387d486d812514a2defbd1b9e
  SHA256: fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
  SHA512: 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe
  Filesize: 1.9MB
  MD5: b3f05009b53af6435e86cfd939717e82
  SHA1: 770877e7c5f03e8d684984fe430bdfcc2cf41b26
  SHA256: 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
  SHA512: d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\dbgcore.DLL
  Filesize: 166KB
  MD5: 8b6f64e5d3a608b434079e50a1277913
  SHA1: 03f431fabf1c99a48b449099455c1575893d9f32
  SHA256: 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
  SHA512: c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\opera_package
  Filesize: 103.9MB
  MD5: 401c352990789be2f40fe8f9c5c7a5ac
  SHA1: d7c1e902487511d3f4e1a57abdee8a94d5483ed4
  SHA256: f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
  SHA512: efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

- Filesize: 106KB
  MD5: fe380780b5c35bd6d54541791151c2be
  SHA1: 7fe3a583cf91474c733f85cebf3c857682e269e1
  SHA256: b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
  SHA512: ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

- Filesize: 3KB
  MD5: 55d0e82a4af1868f0fff53eb6c48f59b
  SHA1: 581a182aad6a0a9f5cc47c91334333f74da5c753
  SHA256: 637bc2d2fca925b014d7a5467dde95ec0afadbd2eae6ff4e966e663c218fa9a6
  SHA512: 171039e175e165fffd9906d59ad69de332bed89c4073f4f2c29a4ba1ccf4a1e9b0d216286684daebe2a49a2961f659d8e7d74afec335c41127f145ecc29c7b3e

- Filesize: 2KB
  MD5: f152b09880d68cbf0ff5722e96c5a6bb
  SHA1: 557b770f8f1cd10be2bba2077a8fa6666c15f04c
  SHA256: 741435123ea37187659d43159faf33be079430ca635361ca2f705bcd6d831b28
  SHA512: ac9ea99fbb8b1efab7e2bdfc18774565aad63da9153f1f0fa4ab934566583f3188a23682296c90eed4baaa584c599a55a015a431ca12569e2a8e1e70a59108b3

- Filesize: 259KB
  MD5: 4524e1a1e2725e159d68b3bca2c1b296
  SHA1: 0e3b226d0ebd227b911c5fc25d6a28478ed0a957
  SHA256: 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
  SHA512: 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

- Filesize: 4.6MB
  MD5: 397926927bca55be4a77839b1c44de6e
  SHA1: e10f3434ef3021c399dbba047832f02b3c898dbd
  SHA256: 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
  SHA512: cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

- Filesize: 40B
  MD5: a3787bef9c43b9a6b0dd90945cf0274f
  SHA1: 7d9b1e193fa67119cfd73d0b5c242d4734bb0516
  SHA256: 4fa1686a3855923d89d119cf6155b00031c6f2ae51e68be3c39f8ef7b9c9329a
  SHA512: f458d3e4775cc5add0271e587f244f4e13f13e514340137a9c37b4dfe16eff1fd9803ebc383f751c82afb6f515ae7216afccd032476604f1f7afa9d4b1d39247

- Filesize: 3KB
  MD5: 1bc3401e74975ac17968481f4ea109a2
  SHA1: a46c2dd8032f771924f2a6ea048f596d98894753
  SHA256: 552e2265686724b77887c809714b97ad70f0d9e6c0be4bf8519d6071c819deb9
  SHA512: 26d047f527aea9ff219a954a5a96a55de89d331885f9113fb532e8e184c49d2dcae94c2cdb005cdf305e73877959c592b635e506b9b1eb60831546b1d0805e95

- Filesize: 3KB
  MD5: fb1374b164c73b45fb5eae9f38d586f4
  SHA1: bb3c3d651fe8f6955dd234a990e9bbf03c8688ed
  SHA256: 50b8fbe5a4f74829808694aa4d3a4665bc22755999d8cae649ff19edfee86eec
  SHA512: 8dd1fda4b1857194eac4233c7bdb4619d8ebc57054c58e000781d7cbb36deccf1fd5961f917b109174af04e22d4bae64815ce5e9a42d9b973ef3ed46358f14ad

- Filesize: 437KB
  MD5: 7960d8afbbac06f216cceeb1531093bb
  SHA1: 008221bf66a0749447cffcb86f2d1ec80e23fc76
  SHA256: f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
  SHA512: 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147
- Filesize: 7KB
  MD5: 5b423612b36cde7f2745455c5dd82577
  SHA1: 0187c7c80743b44e9e0c193e993294e3b969cc3d
  SHA256: e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
  SHA512: c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

- Filesize: 5.1MB
  MD5: d8eeaee3599694b6a4c03fa121da1ad9
  SHA1: 1b827152fea138646a52ec006712bf5d82894ac4
  SHA256: 761aeb88c547e1ba71fee7958b2f7102572b1a36e2d74ac9c9b0217d49e3ad0b
  SHA512: 56b8676bb9c21ab66046e61eaa1954d47d86c88f873fa4b5d185f998758daffc9bb1e4ba82ba5515e4d19ee1894ee67889334cc58a5472e1443561a107498092

- Filesize: 4.1MB
  MD5: 5f066ebf9264cad80bdb1384ce2a6b34
  SHA1: a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
  SHA256: 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
  SHA512: 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5

- Filesize: 1KB
  MD5: 08109775e229793caa016b61cd0d0356
  SHA1: 01e26212fbf20720d1461f656cdb9a79d966f246
  SHA256: 3e67a3f678d77c49f9a435e11061b7a5b3aa1d477eb4419462b8b2246dfa1f4d
  SHA512: f0f0b1d0baa877b454e7e36fce4a19c7546ac893fc241a516d5a61943ecef926c724babe3056f998a6a42c8e8fb7007118540b4caf8472812b7e5dcc8f502aa4

- Filesize: 4.1MB
  MD5: 6126c6923b352edf2507639b7fe78e8a
  SHA1: 1fd3edb62b8d44673772fb58a05c43d5360e8e5b
  SHA256: 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
  SHA512: 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736

- Filesize: 372KB
  MD5: e2a6c1f58b137874e490b8d94382fcdb
  SHA1: 71529c5d708091b1e1a580227dc52e62a140edd1
  SHA256: 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
  SHA512: 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

- Filesize: 403KB
  MD5: 7fcc0bae1fa98de1d16819e6f85de171
  SHA1: d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
  SHA256: 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
  SHA512: 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 33KB
  MD5: 7aac7c53b58a8b0a0b23552816658244
  SHA1: 296b3e96334a230b623c91284b3efb223fca218e
  SHA256: d9619d2067c02e6cdbe31e2971cd22d05e4f4051ad4257f1011030c656188bc2
  SHA512: 4230577e5cd538dd5c333de1f0cb2c6086c0fbe100c1bbd8bf6a8e6700acef62487e9ecd97f9e7a6da7a9f95c9bffdc023aa68daa062df275cc9909208c85045

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: d966ccbe0e06b54ebd3976444f374e27
  SHA1: 7463a7c697cab1160e6f76b9014eb126ae11d826
  SHA256: 2254cbcdd723d65695d352af298eb97e9da7171c6a595ab285175234281de18f
  SHA512: fbe3b176c06f54a5741994a5a3ea82f31301c4669ba76dee65eeb19e1c17c73a9516b49f4c7c46a1ca08cfe19ad94474bb61b0f270264c90d7030e14fbd95b60

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 745b12fe0851ebabf552ea86190c445c
  SHA1: b7613633810977ae8ef45f4ba9a70b937472a956
  SHA256: c9e40cc797e4a2cd16255d6da53928e225c8e82b295a40e0e34529bc78ba30c4
  SHA512: 44e663ea37562b5e73a20a99c88cc0dcb8713647c4abd2dc020f28adf427c2475df6e94c0f1394c783e5152a78d8aeb2ea70f562ad2883995f018271e07f30a9

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 57fa6e8abffcc82023026e498c824916
  SHA1: e9a45cb6eb1d1e87c85bd8d05032778dce6d624d
  SHA256: b7e41f5fdbf2192876425b262e65cf281116d092717921048ddde8bd510973fd
  SHA512: 6078ebd61ca864ab35693bd9b4b592ab566099b0662bf8e8a2d97bdc5cbc20b8ea65becaf89f374f30da622c9b5e810490675e41a39ee0a166eee15e96d0b80b

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: efe95f9363b53f4948b4f5f07e14bd1f
  SHA1: 9b199d5807653dbdc3e6195098a342f184389a8b
  SHA256: 52fe94e9000a4a7e98194b5270dc787c2b50dd0019fa4f9db31d2276e5d42f78
  SHA512: d3b207e21b4e7ea6cbfed4ecf72851902b2eec01323d8d972fa7b85a3d75beef39ef7d6650ae40bdc956a58b36bbe64efb0c9eb3009e72ce4a55b5ebdb3dcbf3

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 939bcea3f97e1b888cdffa5f75fed0e9
  SHA1: e1300cafd267e2a9085fcc59c0014d96524666b9
  SHA256: 7692c67e33c6a78ac677d03a786067af2844d088f044e1eef0c4e7456bcf2039
  SHA512: 243beab987d5320e1d0698d3df367999df857c205a74e34118f0442a702c48e360ed1adb8946bd4adebce25af33c01fca51e88b220abceee3fb24b64ad69ecf5

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 84af1f29f3911fb1f585736258238401
  SHA1: 2a7cb486962ab502c61a3158368954f5bb8cd533
  SHA256: b0313cadd8081f87a69693613aeb1c4eb0f84b7737bdbf8f5e1f1a12444c8a16
  SHA512: 479abec95b9f3ffe07c949580687d584e91075ce1f6d1e96a849e9aba6c398667441676c624c613a7e9e322c1e488672cefd9baf48c46f9644937abae52741e0

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 1504625c2f27fba285544e5ce3430a2a
  SHA1: ca84c82a7a7155b0f540af5dd9b54395601aa3ea
  SHA256: b39bcbe00679ba456ee01686fc06872da73ad7b5fd180463a1646e59bb4b0ac1
  SHA512: 2dd23f889082f7da57f75a9f2818dcb6e948d34b7991672075f225367971dd9f92bbadb42c61f61101faca0b529392374fb320d845b2059a90a683e7f3d1dc49

- Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

- \Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\dbghelp.dll
  Filesize: 1.7MB
  MD5: 925ea07f594d3fce3f73ede370d92ef7
  SHA1: f67ea921368c288a9d3728158c3f80213d89d7c2
  SHA256: 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
  SHA512: a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

- Filesize: 4.6MB
  MD5: 117176ddeaf70e57d1747704942549e4
  SHA1: 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
  SHA256: 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
  SHA512: ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9