Analysis
-
max time kernel
300s -
max time network
306s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
15-10-2023 22:22
Static task
static1
Behavioral task
behavioral1
Sample
914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe
Resource
win10-20230915-en
General
-
Target
914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe
-
Size
240KB
-
MD5
b4b15aef4d2769d9e337702ce7aa7567
-
SHA1
e86f505fb4ccbd77cabdc6287b3a4fe0de1b526c
-
SHA256
914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40
-
SHA512
30bd7de40cad2620b5883bcbc8c7b7b06787271b941c759ad3581b4b4b83c267bff074a93a76d39d2c45e0598bd7496d52af63d2e81d2449593a105c4a7ee80d
-
SSDEEP
3072:e8MOh+yFRASFi4K+U8Rh68InevzpZ0zvX5DQh1Dk:etkSSvTnRhWnAzpoVQh
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.pthh
-
offline_id
43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
146.59.161.13:39199
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
smokeloader
pub1
Extracted
vidar
6
d37c48c18c73cc0e155c7e1dfde06db9
https://steamcommunity.com/profiles/76561199560322242
https://t.me/cahalgo
-
profile_id_v2
d37c48c18c73cc0e155c7e1dfde06db9
-
user_agent
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 uacq
Signatures
-
Detected Djvu ransomware 17 IoCs
resource yara_rule behavioral2/memory/4248-20-0x0000000004950000-0x0000000004A6B000-memory.dmp family_djvu behavioral2/memory/4444-21-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4444-23-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4444-25-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4444-27-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2860-29-0x00000000011D0000-0x0000000001950000-memory.dmp family_djvu behavioral2/memory/4444-88-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-105-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-114-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-115-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-120-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-122-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-135-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-137-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-139-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-178-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/516-181-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Detects DLL dropped by Raspberry Robin. 6 IoCs
Raspberry Robin.
resource yara_rule behavioral2/memory/2860-45-0x0000000076990000-0x0000000076B52000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/2860-44-0x0000000076990000-0x0000000076B52000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/2860-48-0x0000000076990000-0x0000000076B52000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/2860-49-0x0000000076990000-0x0000000076B52000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/2860-103-0x0000000076990000-0x0000000076B52000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/2860-246-0x0000000076990000-0x0000000076B52000-memory.dmp Raspberry_Robin_DLL_MAY_2022 -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 5 IoCs
resource yara_rule behavioral2/memory/3220-138-0x0000000005070000-0x000000000595B000-memory.dmp family_glupteba behavioral2/memory/3220-162-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3220-231-0x0000000005070000-0x000000000595B000-memory.dmp family_glupteba behavioral2/memory/3220-243-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3220-262-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/2712-54-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/memory/3048-230-0x0000000000400000-0x000000000045A000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2FBC.exe = "0" 2FBC.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DC7.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3840 netsh.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DC7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DC7.exe -
Deletes itself 1 IoCs
pid Process 3264 Process not Found -
Executes dropped EXE 32 IoCs
pid Process 4248 A9A.exe 4444 A9A.exe 2860 DC7.exe 5008 F4F.exe 2088 1BB5.exe 4008 yiueea.exe 4972 A9A.exe 1836 build3.exe 516 A9A.exe 3220 2FBC.exe 5112 build2.exe 5088 build3.exe 956 build2.exe 1836 build3.exe 2160 yiueea.exe 2460 mstsca.exe 2728 2FBC.exe 3508 mstsca.exe 308 csrss.exe 4136 injector.exe 2104 yiueea.exe 1320 mstsca.exe 4560 windefender.exe 2804 windefender.exe 4632 mstsca.exe 3748 f801950a962ddba14caaa44bf084b55c.exe 1352 mstsca.exe 4924 yiueea.exe 4240 mstsca.exe 4820 mstsca.exe 4864 yiueea.exe 4472 mstsca.exe -
Loads dropped DLL 3 IoCs
pid Process 2200 regsvr32.exe 956 build2.exe 956 build2.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 5116 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000800000001af79-28.dat themida behavioral2/files/0x000800000001af79-30.dat themida behavioral2/memory/2860-64-0x00000000011D0000-0x0000000001950000-memory.dmp themida behavioral2/memory/2860-242-0x00000000011D0000-0x0000000001950000-memory.dmp themida -
resource yara_rule behavioral2/files/0x000700000001afa7-2827.dat upx behavioral2/files/0x000700000001afa7-2829.dat upx behavioral2/files/0x000700000001afa7-2830.dat upx behavioral2/files/0x000900000001af6f-2869.dat upx behavioral2/files/0x000900000001af6f-2870.dat upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 2FBC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2FBC.exe = "0" 2FBC.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3d959dca-dd88-4285-a6cb-0fa50b106809\\A9A.exe\" --AutoStart" A9A.exe Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 2FBC.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DC7.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 api.2ip.ua 21 api.2ip.ua 39 api.2ip.ua -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive csrss.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2860 DC7.exe -
Suspicious use of SetThreadContext 10 IoCs
description pid Process procid_target PID 4248 set thread context of 4444 4248 A9A.exe 71 PID 5008 set thread context of 2712 5008 F4F.exe 79 PID 4972 set thread context of 516 4972 A9A.exe 92 PID 5112 set thread context of 956 5112 build2.exe 105 PID 2860 set thread context of 3048 2860 powershell.exe 107 PID 5088 set thread context of 1836 5088 build3.exe 109 PID 2460 set thread context of 3508 2460 mstsca.exe 121 PID 1320 set thread context of 4632 1320 mstsca.exe 155 PID 1352 set thread context of 4240 1352 mstsca.exe 165 PID 4820 set thread context of 4472 4820 mstsca.exe 168 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 2FBC.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 2FBC.exe File created C:\Windows\rss\csrss.exe 2FBC.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2388 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3428 5008 WerFault.exe 74 3744 956 WerFault.exe 105 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI build3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI build3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI build3.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe -
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2720 schtasks.exe 2104 schtasks.exe 168 schtasks.exe 1844 schtasks.exe 2168 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" windefender.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" 2FBC.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" windefender.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" windefender.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-572 = "China Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" 2FBC.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" 2FBC.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" 2FBC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" windefender.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 2FBC.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" 2FBC.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3460 914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe 3460 914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3264 Process not Found -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 3460 914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe 3264 Process not Found 3264 Process not Found 3264 Process not Found 3264 Process not Found 1836 build3.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeDebugPrivilege 2860 powershell.exe Token: SeDebugPrivilege 2712 AppLaunch.exe Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeDebugPrivilege 3048 AppLaunch.exe Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeDebugPrivilege 2860 powershell.exe Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeDebugPrivilege 3220 2FBC.exe Token: SeImpersonatePrivilege 3220 2FBC.exe Token: SeDebugPrivilege 2212 powershell.exe Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeDebugPrivilege 308 powershell.exe Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeDebugPrivilege 2324 powershell.exe Token: SeShutdownPrivilege 3264 Process not Found Token: SeCreatePagefilePrivilege 3264 Process not Found Token: SeDebugPrivilege 4676 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3264 wrote to memory of 4248 3264 Process not Found 70 PID 3264 wrote to memory of 4248 3264 Process not Found 70 PID 3264 wrote to memory of 4248 3264 Process not Found 70 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 4248 wrote to memory of 4444 4248 A9A.exe 71 PID 3264 wrote to memory of 2860 3264 Process not Found 72 PID 3264 wrote to memory of 2860 3264 Process not Found 72 PID 3264 wrote to memory of 2860 3264 Process not Found 72 PID 3264 wrote to memory of 5008 3264 Process not Found 74 PID 3264 wrote to memory of 5008 3264 Process not Found 74 PID 3264 wrote to memory of 5008 3264 Process not Found 74 PID 3264 wrote to memory of 3988 3264 Process not Found 75 PID 3264 wrote to memory of 3988 3264 Process not Found 75 PID 3988 wrote to memory of 2200 3988 regsvr32.exe 76 PID 3988 wrote to memory of 2200 3988 regsvr32.exe 76 PID 3988 wrote to memory of 2200 3988 regsvr32.exe 76 PID 5008 wrote to memory of 3828 5008 F4F.exe 80 PID 5008 wrote to memory of 3828 5008 F4F.exe 80 PID 5008 wrote to memory of 3828 5008 F4F.exe 80 PID 5008 wrote to memory of 3324 5008 F4F.exe 77 PID 5008 wrote to memory of 3324 5008 F4F.exe 77 PID 5008 wrote to memory of 3324 5008 F4F.exe 77 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 5008 wrote to memory of 2712 5008 F4F.exe 79 PID 4444 wrote to memory of 5116 4444 A9A.exe 82 PID 4444 wrote to memory of 5116 4444 A9A.exe 82 PID 4444 wrote to memory of 5116 4444 A9A.exe 82 PID 3264 wrote to memory of 2088 3264 Process not Found 83 PID 3264 wrote to memory of 2088 3264 Process not Found 83 PID 3264 wrote to memory of 2088 3264 Process not Found 83 PID 2088 wrote to memory of 4008 2088 1BB5.exe 86 PID 2088 wrote to memory of 4008 2088 1BB5.exe 86 PID 2088 wrote to memory of 4008 2088 1BB5.exe 86 PID 4444 wrote to memory of 4972 4444 A9A.exe 84 PID 4444 wrote to memory of 4972 4444 A9A.exe 84 PID 4444 wrote to memory of 4972 4444 A9A.exe 84 PID 4008 wrote to memory of 2168 4008 yiueea.exe 87 PID 4008 wrote to memory of 2168 4008 yiueea.exe 87 PID 4008 wrote to memory of 2168 4008 yiueea.exe 87 PID 4008 wrote to memory of 4016 4008 yiueea.exe 89 PID 4008 wrote to memory of 4016 4008 yiueea.exe 89 PID 4008 wrote to memory of 4016 4008 yiueea.exe 89 PID 3264 wrote to memory of 1836 3264 Process not Found 109 PID 3264 wrote to memory of 1836 3264 Process not Found 109 PID 3264 wrote to memory of 1836 3264 Process not Found 109 PID 4972 wrote to memory of 516 4972 A9A.exe 92 PID 4972 wrote to memory of 516 4972 A9A.exe 92 PID 4972 wrote to memory of 516 4972 A9A.exe 92 PID 4972 wrote to memory of 516 4972 A9A.exe 92 PID 4972 wrote to memory of 516 4972 A9A.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe"C:\Users\Admin\AppData\Local\Temp\914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3460
-
C:\Users\Admin\AppData\Local\Temp\A9A.exeC:\Users\Admin\AppData\Local\Temp\A9A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\A9A.exeC:\Users\Admin\AppData\Local\Temp\A9A.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\3d959dca-dd88-4285-a6cb-0fa50b106809" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:5116
-
-
C:\Users\Admin\AppData\Local\Temp\A9A.exe"C:\Users\Admin\AppData\Local\Temp\A9A.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\A9A.exe"C:\Users\Admin\AppData\Local\Temp\A9A.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:516 -
C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build2.exe"C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5112 -
C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build2.exe"C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 18447⤵
- Program crash
PID:3744
-
-
-
-
C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build3.exe"C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5088 -
C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build3.exe"C:\Users\Admin\AppData\Local\9b754f61-960e-4dc1-8228-4eb712c395d4\build3.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1836 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
PID:2720
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DC7.exeC:\Users\Admin\AppData\Local\Temp\DC7.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2860 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:4144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Users\Admin\AppData\Local\Temp\F4F.exeC:\Users\Admin\AppData\Local\Temp\F4F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:3324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:3828
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 2562⤵
- Program crash
PID:3428
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\123E.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\123E.dll2⤵
- Loads dropped DLL
PID:2200
-
-
C:\Users\Admin\AppData\Local\Temp\1BB5.exeC:\Users\Admin\AppData\Local\Temp\1BB5.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F3⤵
- Creates scheduled task(s)
PID:2168
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit3⤵PID:4016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:768
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"4⤵PID:796
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E4⤵PID:1352
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"4⤵PID:2444
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1012
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E4⤵PID:2680
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\23D4.exeC:\Users\Admin\AppData\Local\Temp\23D4.exe1⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\2FBC.exeC:\Users\Admin\AppData\Local\Temp\2FBC.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
C:\Users\Admin\AppData\Local\Temp\2FBC.exe"C:\Users\Admin\AppData\Local\Temp\2FBC.exe"2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2728 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:3328
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:3840
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:308
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:308 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:168
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:4580
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1668
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4472
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
PID:4136
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:1844
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵PID:1012
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
PID:2388
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe4⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f5⤵PID:1860
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f5⤵PID:4504
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4192
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3308
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2460 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
PID:2104
-
-
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:2160
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:2104
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1320 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:4632
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2804
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1352 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:4240
-
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4924
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4820 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:4472
-
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4864
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b3cc1eab5e14e2d7a01804b22ecf4043
SHA11883aeaac8649c5b6848f2131ec56464b964f8fc
SHA25625d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5b84c4cd7d6ed422dc6d3c25118d94540
SHA17b9bb756c5282d7b0c433737967d7e7053188962
SHA25606655470ff329d8c6ce6b8e5ad7bf5885c977b8aa0088e25b83f561ef298c323
SHA512882662c1976d6bdda142fc475a7a82bc336445d4c2aeb6607de8d9a19d5c9eecb3d549b2632dd7ea219fee46f05f5825015f0fffbbbf3c8557e83d3e2c0428e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD58906e7968aa8d88c2acff4ab201381cf
SHA18cb2a5c2fdcb3fb67c526cf1b8285c0e1a220b23
SHA2566b89c8e055947fe8bcdaab053a9262a1ffe9efaacc7da12cfe57b9b89feeb495
SHA512074f5ff86dd0fe0b694433e38ed76f328eb3c111c0c48ce04a0b372544ec557431ec079bf00f7c19f4f0245475a6c164335fce56c4a60621d19974d81768ec80
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
2KB
MD59af5a87a60049a82350be5c6bef795ca
SHA10e2b48d16c834af94b4510d480fea668bf91bf9f
SHA25647912c6ac2f97589ce845050b9b14d4448a74e9a45ae75391741fc9fe9d55fd9
SHA512fea833740d797be0bf3e80b74e8b3f9d85b4b479d264927bc1151354c77095719e36145f7cd69c848c871f97cfe6d5b3c45e4caea63b66364ccae601382d82ed
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
227KB
MD52904eb1a3acfc85cdae1ccde6adfeeab
SHA123b4dfea8ef38206792033cb784644967ac79f49
SHA256f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA51216b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
Filesize
227KB
MD52904eb1a3acfc85cdae1ccde6adfeeab
SHA123b4dfea8ef38206792033cb784644967ac79f49
SHA256f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA51216b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
2.6MB
MD5df26dcbc3c8289a50c8c1857a0640366
SHA1298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c
-
Filesize
2.6MB
MD5df26dcbc3c8289a50c8c1857a0640366
SHA1298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
99KB
MD509031a062610d77d685c9934318b4170
SHA1880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA5129a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
227KB
MD52904eb1a3acfc85cdae1ccde6adfeeab
SHA123b4dfea8ef38206792033cb784644967ac79f49
SHA256f8aae657597062b011d3cd9fbf8ea3c909cabe48fc576bd3bc2f2bd100a88a49
SHA51216b6dfab8cbf6f973ba89ce8dcbe98547050fb5fa19e1ecfe552b1565a58c6afca0c6353f1da41b6fc919a5d96750b1788bc175a7a63e04ce12da8b7d8d89d25
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5b2778e7ea82e81ac4bdbfda0befab3ac
SHA10e1f3395314a78e4dd80f1be49487052dda5d59a
SHA25648bba9d454c1ed867c72782fe28faccb0d317d51e0fa9684cf16610cfa03ee5e
SHA512e527f1a029fcd2e3fdb7d8bb4c08fc6e24dd4e0a26f61bea0633ba4c875a9ddc1aa367d5a3858e5d2749d6ceec85ac221f0c528430821ea72eca4f25ecab3394
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD56f0675af0d0ccbc1e88ee3f6fa0baeb7
SHA17805cb79a43690c3386628b78d64e96bd2993645
SHA256519ff6773da1eb08f9882422e3864b946b20c642314cfbbe7e87cac46cb07163
SHA5129d29edbd9580fdd5906ef584fde25150a20d5379087f029bf0631bcfc05c1aff2920009c9fc45ef2601acf718b0316300c203b5aa89d43722c09165d969dd5c0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD55dfd6cdc6a6915a49d51ad8e562daeb9
SHA18af39ea1236e39d961194e42a4f4e5b1e13fbcce
SHA25647d1481785b92f89803028befe8fda2a1acd399f1f3851bb487cd8fac9e4be4a
SHA51284952be47c9fb3a104c8c38a120928679137ede07a90331609cf1bee79fbcc7765a15ad31d99b42419892a26f253e7d41e2927404886530607d55d38527a42c4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5abae69688db802f07888424de77effbd
SHA110ab6c7333f35c7f11acfdf4947956da8c38c7a0
SHA25644859bd466525f3ecbc80b523e60d55e3f2f97f68a433e8b50cc1d30b0ce350a
SHA5122ba012eda99a15ee4ee0031daaf2da4d146c03df33cf84e496af3eceb1a5cfe908705a22b01fe4f2342a1d9b4958ef3dd90caed28c475394fab947ad5571e0d1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD54a33b31b80761bf2e7acc31c55381544
SHA194437c7ce587537650a8630adb3440ffefb2400b
SHA256d065e17ec89376e4b0ffa9bbc6dde89443dadf6d61674a867add452762cfdcf8
SHA51235769da541c7cebd8daca89ae61f4380f3fb3972b129782c61897e4017fb8b2edc8237234c12d3142a882ab27c6922fad8c53dd5794f02c06d150e9fe905e78f
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060