Analysis
-
max time kernel
169s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2023 10:35
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe
-
Size
239KB
-
MD5
178ae4687ee8a5761d2003dfd45efdce
-
SHA1
23fbe6bb9b67eb068b746b1518da3c3b91c5e219
-
SHA256
9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50f
-
SHA512
57e20eeb88f4e190036082ae567b3cba3bfa82f63c7010c7721546268950367666ff399e2f9790ad056e598df840bbb8d130bd62a817f88b7a939ffe8150ddf2
-
SSDEEP
3072:azmo3RLrcfbfhlxEPxfnbo7lwThYkoALvY2z5Lf1cZ0pg0Tr:j+Nrcjhkb2lMh/dfeAT
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.mlrd
-
offline_id
FjtJkuhRHnUARRt9GnbbgUTa6ErhJq4ZM668xSt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xN3VuzQl0a Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0805JOsie
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.255.152.132:36011
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
smokeloader
pub1
Signatures
-
Detected Djvu ransomware 9 IoCs
resource yara_rule behavioral2/memory/2776-20-0x0000000004A70000-0x0000000004B8B000-memory.dmp family_djvu behavioral2/memory/4312-21-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4312-23-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4312-27-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4312-30-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4312-39-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/864-46-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/864-47-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/864-49-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 12 IoCs
resource yara_rule behavioral2/memory/1948-111-0x0000000005060000-0x000000000594B000-memory.dmp family_glupteba behavioral2/memory/1948-131-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/1948-175-0x0000000005060000-0x000000000594B000-memory.dmp family_glupteba behavioral2/memory/1948-177-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/1948-212-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/1948-251-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/2404-252-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/2404-310-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/2404-344-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/4420-411-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/4420-416-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/4420-425-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/748-50-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/memory/1080-141-0x0000000000DC0000-0x0000000000E1A000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1844 netsh.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation 266F.exe Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation A6BF.exe Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation yiueea.exe -
Executes dropped EXE 17 IoCs
pid Process 2776 266F.exe 4312 266F.exe 3552 2AC5.exe 5028 266F.exe 864 266F.exe 3096 87AB.exe 5048 A6BF.exe 3368 yiueea.exe 1848 AAF6.exe 1948 B046.exe 2404 B046.exe 4692 yiueea.exe 4420 csrss.exe 4484 injector.exe 1848 windefender.exe 4636 yiueea.exe 4260 windefender.exe -
Loads dropped DLL 1 IoCs
pid Process 4308 regsvr32.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2112 icacls.exe -
resource yara_rule behavioral2/files/0x000400000002287c-417.dat upx behavioral2/files/0x000400000002287c-419.dat upx behavioral2/files/0x000400000002287c-423.dat upx behavioral2/memory/1848-424-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0e8a8bad-7505-47f5-887e-e1e69bfb8286\\266F.exe\" --AutoStart" 266F.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" B046.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 81 api.2ip.ua 82 api.2ip.ua -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2776 set thread context of 4312 2776 266F.exe 97 PID 5028 set thread context of 864 5028 266F.exe 104 PID 3552 set thread context of 748 3552 2AC5.exe 107 PID 3096 set thread context of 1080 3096 87AB.exe 127 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN B046.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\rss B046.exe File created C:\Windows\rss\csrss.exe B046.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5112 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3376 864 WerFault.exe 104 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AAF6.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AAF6.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AAF6.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2472 schtasks.exe 2112 schtasks.exe 1224 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" B046.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" B046.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4980 NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe 4980 NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2520 Process not Found -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 4980 NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe 2520 Process not Found 2520 Process not Found 2520 Process not Found 2520 Process not Found 1848 AAF6.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeDebugPrivilege 4760 powershell.exe Token: SeDebugPrivilege 1080 jsc.exe Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeDebugPrivilege 1948 B046.exe Token: SeImpersonatePrivilege 1948 B046.exe Token: SeDebugPrivilege 1720 powershell.exe Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeDebugPrivilege 4088 powershell.exe Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeDebugPrivilege 4380 powershell.exe Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeDebugPrivilege 2976 powershell.exe Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeDebugPrivilege 4064 powershell.exe Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeDebugPrivilege 2064 powershell.exe Token: SeShutdownPrivilege 2520 Process not Found Token: SeCreatePagefilePrivilege 2520 Process not Found Token: SeSystemEnvironmentPrivilege 4420 csrss.exe Token: SeSecurityPrivilege 5112 sc.exe Token: SeSecurityPrivilege 5112 sc.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2520 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2776 2520 Process not Found 96 PID 2520 wrote to memory of 2776 2520 Process not Found 96 PID 2520 wrote to memory of 2776 2520 Process not Found 96 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2776 wrote to memory of 4312 2776 266F.exe 97 PID 2520 wrote to memory of 3552 2520 Process not Found 98 PID 2520 wrote to memory of 3552 2520 Process not Found 98 PID 2520 wrote to memory of 3552 2520 Process not Found 98 PID 4312 wrote to memory of 2112 4312 266F.exe 100 PID 4312 wrote to memory of 2112 4312 266F.exe 100 PID 4312 wrote to memory of 2112 4312 266F.exe 100 PID 4312 wrote to memory of 5028 4312 266F.exe 101 PID 4312 wrote to memory of 5028 4312 266F.exe 101 PID 4312 wrote to memory of 5028 4312 266F.exe 101 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 5028 wrote to memory of 864 5028 266F.exe 104 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 3552 wrote to memory of 748 3552 2AC5.exe 107 PID 2520 wrote to memory of 3096 2520 Process not Found 108 PID 2520 wrote to memory of 3096 2520 Process not Found 108 PID 2520 wrote to memory of 1964 2520 Process not Found 109 PID 2520 wrote to memory of 1964 2520 Process not Found 109 PID 1964 wrote to memory of 4308 1964 regsvr32.exe 110 PID 1964 wrote to memory of 4308 1964 regsvr32.exe 110 PID 1964 wrote to memory of 4308 1964 regsvr32.exe 110 PID 2520 wrote to memory of 5048 2520 Process not Found 111 PID 2520 wrote to memory of 5048 2520 Process not Found 111 PID 2520 wrote to memory of 5048 2520 Process not Found 111 PID 5048 wrote to memory of 3368 5048 A6BF.exe 112 PID 5048 wrote to memory of 3368 5048 A6BF.exe 112 PID 5048 wrote to memory of 3368 5048 A6BF.exe 112 PID 3368 wrote to memory of 2472 3368 yiueea.exe 113 PID 3368 wrote to memory of 2472 3368 yiueea.exe 113 PID 3368 wrote to memory of 2472 3368 yiueea.exe 113 PID 3368 wrote to memory of 5100 3368 yiueea.exe 114 PID 3368 wrote to memory of 5100 3368 yiueea.exe 114 PID 3368 wrote to memory of 5100 3368 yiueea.exe 114 PID 5100 wrote to memory of 3672 5100 cmd.exe 117 PID 5100 wrote to memory of 3672 5100 cmd.exe 117 PID 5100 wrote to memory of 3672 5100 cmd.exe 117 PID 5100 wrote to memory of 3952 5100 cmd.exe 118 PID 5100 wrote to memory of 3952 5100 cmd.exe 118 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9f6b062d11dfeb51158b9d133c7ad76051dfef5678f6af292e87dd464c6aa50fexe_JC.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4980
-
C:\Users\Admin\AppData\Local\Temp\266F.exeC:\Users\Admin\AppData\Local\Temp\266F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\266F.exeC:\Users\Admin\AppData\Local\Temp\266F.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\0e8a8bad-7505-47f5-887e-e1e69bfb8286" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2112
-
-
C:\Users\Admin\AppData\Local\Temp\266F.exe"C:\Users\Admin\AppData\Local\Temp\266F.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\266F.exe"C:\Users\Admin\AppData\Local\Temp\266F.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 5685⤵
- Program crash
PID:3376
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2AC5.exeC:\Users\Admin\AppData\Local\Temp\2AC5.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:748
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 864 -ip 8641⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\87AB.exeC:\Users\Admin\AppData\Local\Temp\87AB.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3096 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\A036.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\A036.dll2⤵
- Loads dropped DLL
PID:4308
-
-
C:\Users\Admin\AppData\Local\Temp\A6BF.exeC:\Users\Admin\AppData\Local\Temp\A6BF.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F3⤵
- Creates scheduled task(s)
PID:2472
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:3672
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"4⤵PID:3952
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E4⤵PID:4144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:4180
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"4⤵PID:2272
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E4⤵PID:1408
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\AAF6.exeC:\Users\Admin\AppData\Local\Temp\AAF6.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1848
-
C:\Users\Admin\AppData\Local\Temp\B046.exeC:\Users\Admin\AppData\Local\Temp\B046.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
C:\Users\Admin\AppData\Local\Temp\B046.exe"C:\Users\Admin\AppData\Local\Temp\B046.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2404 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:1172
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:1844
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4380
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4420 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:2112
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:764
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4064
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
PID:4484
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:1224
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵PID:4752
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1272
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4692
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4636
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:4260
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
728KB
MD5b5a49d7c6a9c31248c0676d0fc921967
SHA1e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA51220f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c
-
Filesize
728KB
MD5b5a49d7c6a9c31248c0676d0fc921967
SHA1e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA51220f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c
-
Filesize
728KB
MD5b5a49d7c6a9c31248c0676d0fc921967
SHA1e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA51220f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c
-
Filesize
728KB
MD5b5a49d7c6a9c31248c0676d0fc921967
SHA1e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA51220f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c
-
Filesize
728KB
MD5b5a49d7c6a9c31248c0676d0fc921967
SHA1e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA51220f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c
-
Filesize
728KB
MD5b5a49d7c6a9c31248c0676d0fc921967
SHA1e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA51220f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c
-
Filesize
1.2MB
MD55b293206e810d2871736e1ecbd9cc196
SHA147c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32
-
Filesize
1.2MB
MD55b293206e810d2871736e1ecbd9cc196
SHA147c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
8.9MB
MD522b5ba8e29ad46aea74520369763650a
SHA15477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA51238cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead
-
Filesize
2.3MB
MD555f1c499b31e58a29f6dacea7580fb69
SHA1c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA5129c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1
-
Filesize
2.3MB
MD555f1c499b31e58a29f6dacea7580fb69
SHA1c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA5129c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
237KB
MD5a0dc2db849379678c981ff38e6864db0
SHA1df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA5126caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b
-
Filesize
237KB
MD5a0dc2db849379678c981ff38e6864db0
SHA1df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA5126caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
237KB
MD5a0dc2db849379678c981ff38e6864db0
SHA1df1684b25e0fe4af92b0cf0cf4e6dfcac795f458
SHA256eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d
SHA5126caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD555fd9920200829b586f055722a2aef22
SHA1a4aef2ec9276007752d99d5412a37fba85f1f84e
SHA256777c8a97ceffa7dc6716d4f2790f1bbefb476aa8be6d3e42ea81a7c4c8fcde86
SHA512d4c6be879ff5c9abad43bd8b1848102bcf33a1573e699373f6617ecf041944cd8288d6787bdb04927050d0bab69177a83dd5af550635856a6186ff9dba738a87
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5641ccd19ce4ad93eebb1e3d36ab67e49
SHA106f9c2a9b20adc199a57494c13c3d3dedae0d087
SHA256c22fc5d325314bec868bacbf6f37f6d4381b04fc2c70ad6b1f8f7aaca845c250
SHA512bc5b6f58f5b49868d98e1ad007fb9681673438b3e5126e7eba11f33a7eb542410b8d83a1dc542bd932a413f03c13c5cb6a81e2776cd1f8b101c811b43b562571
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD51324efa821bd8c908e73d3b35463bdfa
SHA1d772881ccf861760c638808761e9e676f4a5d698
SHA2567c26b83834a27c4b471e7996367fd45195aecf648008f217eda9aa81b82d6d59
SHA51258c431d7c6462762368e36e684976706ad3d11d25ab50ccf8b3bf2ff3533f6150596d1a2b0b308ef254af5235b04d0f3b187e7aa15d2666bb3b3f4653f3b8176
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5cf774ec496c71aa86acbb6dbdc026afb
SHA1b0ddb3f6155565502111c5d69ec662c8e4ee76b6
SHA256f85dd8618a8a293d8129c6506846c715b613bbbdc4fe16d825a50bdf7c9e4006
SHA512118605927da82e7332d2cfdf5e8248d0acbe75803f072e2b7ec89e64c19406a1540ca9eb0950cb9d4389b98a20e8356f4a53167f18f49c1f2f1aca866892794e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD56bc7d0cc0b1fc90a53742c4e79e4c27a
SHA1ac986e833416cfe0ae4b4cf7c0452d978c479d55
SHA25683eae1f0bf7f037d12edb7eee788bdf242fd2596575668b2139d81fea6a49051
SHA512538842177d0b619b1dc77958943e3a29ebfed043717f93e99313bab41f76b1e0f5679754c5e22b02c5c8eb307f83287049d51a0581c413160788e10ed6dca888
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec