Analysis
-
max time kernel
300s -
max time network
296s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
16-10-2023 04:51
Static task
static1
Behavioral task
behavioral1
Sample
6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe
Resource
win10-20230915-en
General
-
Target
6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe
-
Size
226KB
-
MD5
cb20469403acf9ca0ffd0918d3d577eb
-
SHA1
e448dc3c7d723c19fc3dd717fc3ed9993c94ea74
-
SHA256
6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63
-
SHA512
d8cb95b43fb8c07e8f7a89c27721f0d43f3080019e33a2c49d2f1c11f91d206a89bdb8b98ae3284ac7cd289f7315705037a18ec498c582790d6024e29d374259
-
SSDEEP
3072:0YbIXCbkLmvtqcR+BEYvtF4x4/E9e8azW5UXnxH:1bIXk8agntT/E9rY
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.pthh
-
offline_id
43WPLl8Cnh3dZoiWhf8tP8Q9CrMBVUL2dwHB2Rt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dHFDYXqlkk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0808ASUDr
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
146.59.161.13:39199
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
smokeloader
pub1
Extracted
vidar
6
d37c48c18c73cc0e155c7e1dfde06db9
https://steamcommunity.com/profiles/76561199560322242
https://t.me/cahalgo
-
profile_id_v2
d37c48c18c73cc0e155c7e1dfde06db9
-
user_agent
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 uacq
Signatures
-
Detected Djvu ransomware 18 IoCs
resource yara_rule behavioral2/memory/484-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3904-21-0x00000000049A0000-0x0000000004ABB000-memory.dmp family_djvu behavioral2/memory/484-25-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/484-28-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/484-30-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2124-93-0x0000000004D40000-0x0000000005142000-memory.dmp family_djvu behavioral2/memory/484-92-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/484-116-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-135-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-136-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-137-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-143-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-144-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-166-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-170-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-169-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-247-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4568-260-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 5 IoCs
resource yara_rule behavioral2/memory/2124-94-0x0000000005150000-0x0000000005A3B000-memory.dmp family_glupteba behavioral2/memory/2124-109-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/2124-204-0x0000000005150000-0x0000000005A3B000-memory.dmp family_glupteba behavioral2/memory/2124-238-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/2124-506-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/3208-38-0x0000000000400000-0x000000000043E000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\281A.exe = "0" 281A.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 4332 netsh.exe -
Deletes itself 1 IoCs
pid Process 3220 Process not Found -
Executes dropped EXE 28 IoCs
pid Process 3904 D97.exe 484 D97.exe 4468 F2F.exe 4444 175E.exe 4884 yiueea.exe 4364 1CED.exe 2124 281A.exe 3008 D97.exe 4568 D97.exe 5092 build2.exe 4212 build3.exe 2056 build2.exe 4436 yiueea.exe 1964 281A.exe 4172 build3.exe 4368 csrss.exe 1012 injector.exe 1584 yiueea.exe 5000 mstsca.exe 3860 windefender.exe 4956 windefender.exe 4560 f801950a962ddba14caaa44bf084b55c.exe 5104 mstsca.exe 4844 yiueea.exe 3080 yiueea.exe 4748 mstsca.exe 4424 eccrfww 4996 etcrfww -
Loads dropped DLL 3 IoCs
pid Process 1876 regsvr32.exe 2056 build2.exe 2056 build2.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4500 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000700000001b00e-2459.dat upx behavioral2/files/0x000700000001b00e-2462.dat upx behavioral2/files/0x000700000001b00e-2463.dat upx behavioral2/files/0x000600000001b00f-2484.dat upx behavioral2/files/0x000600000001b00f-2485.dat upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\281A.exe = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 281A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 281A.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a394d5c9-2df9-464f-afa9-17d6e9f9166f\\D97.exe\" --AutoStart" D97.exe Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 281A.exe Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 api.2ip.ua 22 api.2ip.ua 47 api.2ip.ua -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 3904 set thread context of 484 3904 D97.exe 71 PID 4468 set thread context of 3208 4468 F2F.exe 76 PID 3008 set thread context of 4568 3008 D97.exe 100 PID 5092 set thread context of 2056 5092 build2.exe 105 PID 4212 set thread context of 4172 4212 build3.exe 120 PID 5000 set thread context of 5104 5000 mstsca.exe 154 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 281A.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 281A.exe File created C:\Windows\rss\csrss.exe 281A.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2448 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 4548 4468 WerFault.exe 72 4544 2056 WerFault.exe 105 4204 4424 WerFault.exe 160 -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI etcrfww Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI etcrfww Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI etcrfww Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1CED.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1CED.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1CED.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe -
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4996 schtasks.exe 2664 schtasks.exe 2892 schtasks.exe 5060 schtasks.exe 1444 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" 281A.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 281A.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" windefender.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-572 = "China Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 281A.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" windefender.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" 281A.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 281A.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" 281A.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" windefender.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" 281A.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" 281A.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4636 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe 4636 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3220 Process not Found -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 4636 6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe 3220 Process not Found 3220 Process not Found 3220 Process not Found 3220 Process not Found 4364 1CED.exe 4996 etcrfww -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 3568 powershell.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 3208 AppLaunch.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 2124 281A.exe Token: SeImpersonatePrivilege 2124 281A.exe Token: SeDebugPrivilege 4588 powershell.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 4160 powershell.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 4112 powershell.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 2508 powershell.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 2520 powershell.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeDebugPrivilege 4612 powershell.exe Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeShutdownPrivilege 3220 Process not Found Token: SeCreatePagefilePrivilege 3220 Process not Found Token: SeSystemEnvironmentPrivilege 4368 csrss.exe Token: SeSecurityPrivilege 2448 sc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3220 wrote to memory of 3904 3220 Process not Found 70 PID 3220 wrote to memory of 3904 3220 Process not Found 70 PID 3220 wrote to memory of 3904 3220 Process not Found 70 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3904 wrote to memory of 484 3904 D97.exe 71 PID 3220 wrote to memory of 4468 3220 Process not Found 72 PID 3220 wrote to memory of 4468 3220 Process not Found 72 PID 3220 wrote to memory of 4468 3220 Process not Found 72 PID 3220 wrote to memory of 2932 3220 Process not Found 74 PID 3220 wrote to memory of 2932 3220 Process not Found 74 PID 2932 wrote to memory of 1876 2932 regsvr32.exe 75 PID 2932 wrote to memory of 1876 2932 regsvr32.exe 75 PID 2932 wrote to memory of 1876 2932 regsvr32.exe 75 PID 4468 wrote to memory of 1068 4468 F2F.exe 77 PID 4468 wrote to memory of 1068 4468 F2F.exe 77 PID 4468 wrote to memory of 1068 4468 F2F.exe 77 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 4468 wrote to memory of 3208 4468 F2F.exe 76 PID 3220 wrote to memory of 4444 3220 Process not Found 80 PID 3220 wrote to memory of 4444 3220 Process not Found 80 PID 3220 wrote to memory of 4444 3220 Process not Found 80 PID 484 wrote to memory of 4500 484 D97.exe 81 PID 484 wrote to memory of 4500 484 D97.exe 81 PID 484 wrote to memory of 4500 484 D97.exe 81 PID 4444 wrote to memory of 4884 4444 175E.exe 82 PID 4444 wrote to memory of 4884 4444 175E.exe 82 PID 4444 wrote to memory of 4884 4444 175E.exe 82 PID 4884 wrote to memory of 4996 4884 yiueea.exe 83 PID 4884 wrote to memory of 4996 4884 yiueea.exe 83 PID 4884 wrote to memory of 4996 4884 yiueea.exe 83 PID 4884 wrote to memory of 5056 4884 yiueea.exe 85 PID 4884 wrote to memory of 5056 4884 yiueea.exe 85 PID 4884 wrote to memory of 5056 4884 yiueea.exe 85 PID 3220 wrote to memory of 4364 3220 Process not Found 87 PID 3220 wrote to memory of 4364 3220 Process not Found 87 PID 3220 wrote to memory of 4364 3220 Process not Found 87 PID 5056 wrote to memory of 1440 5056 cmd.exe 88 PID 5056 wrote to memory of 1440 5056 cmd.exe 88 PID 5056 wrote to memory of 1440 5056 cmd.exe 88 PID 5056 wrote to memory of 2120 5056 cmd.exe 89 PID 5056 wrote to memory of 2120 5056 cmd.exe 89 PID 5056 wrote to memory of 2120 5056 cmd.exe 89 PID 3220 wrote to memory of 2124 3220 Process not Found 90 PID 3220 wrote to memory of 2124 3220 Process not Found 90 PID 3220 wrote to memory of 2124 3220 Process not Found 90 PID 3220 wrote to memory of 4416 3220 Process not Found 91 PID 3220 wrote to memory of 4416 3220 Process not Found 91 PID 3220 wrote to memory of 4416 3220 Process not Found 91 PID 3220 wrote to memory of 4416 3220 Process not Found 91 PID 3220 wrote to memory of 4588 3220 Process not Found 111 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe"C:\Users\Admin\AppData\Local\Temp\6f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4636
-
C:\Users\Admin\AppData\Local\Temp\D97.exeC:\Users\Admin\AppData\Local\Temp\D97.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Users\Admin\AppData\Local\Temp\D97.exeC:\Users\Admin\AppData\Local\Temp\D97.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\a394d5c9-2df9-464f-afa9-17d6e9f9166f" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:4500
-
-
C:\Users\Admin\AppData\Local\Temp\D97.exe"C:\Users\Admin\AppData\Local\Temp\D97.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\D97.exe"C:\Users\Admin\AppData\Local\Temp\D97.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:4568 -
C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build2.exe"C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5092 -
C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build2.exe"C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2056 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 16367⤵
- Program crash
PID:4544
-
-
-
-
C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build3.exe"C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4212 -
C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build3.exe"C:\Users\Admin\AppData\Local\c912a212-1a04-4ba8-ba15-591a68d330ea\build3.exe"6⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
PID:2664
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\F2F.exeC:\Users\Admin\AppData\Local\Temp\F2F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:1068
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1402⤵
- Program crash
PID:4548
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\12CA.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\12CA.dll2⤵
- Loads dropped DLL
PID:1876
-
-
C:\Users\Admin\AppData\Local\Temp\175E.exeC:\Users\Admin\AppData\Local\Temp\175E.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F3⤵
- Creates scheduled task(s)
PID:4996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1440
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"4⤵PID:2120
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E4⤵PID:4520
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"4⤵PID:2968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:3408
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E4⤵PID:1848
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1CED.exeC:\Users\Admin\AppData\Local\Temp\1CED.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4364
-
C:\Users\Admin\AppData\Local\Temp\281A.exeC:\Users\Admin\AppData\Local\Temp\281A.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Users\Admin\AppData\Local\Temp\281A.exe"C:\Users\Admin\AppData\Local\Temp\281A.exe"2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1964 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:4500
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4332
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4112
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4368 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:2892
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:1288
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
PID:1012
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:5060
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵PID:32
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe4⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f5⤵PID:4484
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f5⤵PID:5096
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4416
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4436
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:1584
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5000 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
PID:1444
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4956
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:4844
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵
- Executes dropped EXE
PID:3080
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
PID:4748
-
C:\Users\Admin\AppData\Roaming\eccrfwwC:\Users\Admin\AppData\Roaming\eccrfww1⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 4802⤵
- Program crash
PID:4204
-
-
C:\Users\Admin\AppData\Roaming\etcrfwwC:\Users\Admin\AppData\Roaming\etcrfww1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4996
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5aab2c0ac341d244950bd1fc232f6cd54
SHA1024cc43041e8f4e0a113e1c5eafa28dc7afe778d
SHA256a9fc1e5ea4a6d391f361aafe110970589f2d25665e456f43c9f16fa0c716bddd
SHA5128bd7c9d0a827e0444cff4201ccac65a024c8147300c5cdad85a32f409d25b4b37e6ba85598fbb3c1b87a731c260091d7ad2dedc3e062cc159cdb16e7022537d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD59ebfe50e169466d92d7d73079ff056ed
SHA1bf0a56decd27a14cca43a3c163130c748c06e7cb
SHA2567d6cd5d17cc66912f0c6b4d01a2d48e8d53b8e026c2a3dc7585ea2d946350790
SHA5128a7b81f854f41326c3e255aa24e8b6bc26ff02dbddf06e046091c252d264d3323f8f28bec4882078bf4dd628d4fd714b888c5eaa9bf89df0dfa3446ec2925c0f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD59f4f5637a6cdadf71b42189ac2db11c2
SHA1fd925aea6b8d05a23bdd15a00e10645c84e3a863
SHA256c4cd6a6ac538c12c37d7727ce19592dccb0845128687b2211cb90c00322881c9
SHA512247aa55a88d3cc49dab7ae7080b7ca31c56591ec8fc7a95064eeeddf1e22260f0246746ca8c2d261cf33f52e64541ea0eedb3e3614638794eb8d1fc89e1e7e62
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
261KB
MD5df7a50c002e636cf21e25eaa5d53e00d
SHA18cc44f318e30860c1c03cdf03560d5e2df171904
SHA2561b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA51225a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681
-
Filesize
261KB
MD5df7a50c002e636cf21e25eaa5d53e00d
SHA18cc44f318e30860c1c03cdf03560d5e2df171904
SHA2561b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA51225a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
715KB
MD5b2c45459a0713d87615afcd993544e4f
SHA13d6065263779f06698a7c031da4d13e1ce46cfe0
SHA2565688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed
-
Filesize
715KB
MD5b2c45459a0713d87615afcd993544e4f
SHA13d6065263779f06698a7c031da4d13e1ce46cfe0
SHA2565688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed
-
Filesize
715KB
MD5b2c45459a0713d87615afcd993544e4f
SHA13d6065263779f06698a7c031da4d13e1ce46cfe0
SHA2565688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed
-
Filesize
715KB
MD5b2c45459a0713d87615afcd993544e4f
SHA13d6065263779f06698a7c031da4d13e1ce46cfe0
SHA2565688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed
-
Filesize
715KB
MD5b2c45459a0713d87615afcd993544e4f
SHA13d6065263779f06698a7c031da4d13e1ce46cfe0
SHA2565688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
337KB
MD523aca9b594e0ec61e744a486c34ed0ef
SHA144d7b53c310732634fbf48c2f313505cdb62c6a8
SHA25659f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
99KB
MD509031a062610d77d685c9934318b4170
SHA1880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA5129a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
715KB
MD5b2c45459a0713d87615afcd993544e4f
SHA13d6065263779f06698a7c031da4d13e1ce46cfe0
SHA2565688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120
SHA512ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
261KB
MD5df7a50c002e636cf21e25eaa5d53e00d
SHA18cc44f318e30860c1c03cdf03560d5e2df171904
SHA2561b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA51225a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681
-
Filesize
261KB
MD5df7a50c002e636cf21e25eaa5d53e00d
SHA18cc44f318e30860c1c03cdf03560d5e2df171904
SHA2561b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA51225a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681
-
Filesize
261KB
MD5df7a50c002e636cf21e25eaa5d53e00d
SHA18cc44f318e30860c1c03cdf03560d5e2df171904
SHA2561b31afd01ea5333c8790b21991b9f13498eda41fd6ed23ba24c1adcea7328f7c
SHA51225a747a551589ed78d6ceb9e1176e609c95eaa961a63a1eef06ce13d8890980f4587a757968ce4e2b28d86c36b90b367881fc16ed136c49e064e4f2dcfb34681
-
Filesize
226KB
MD5cb20469403acf9ca0ffd0918d3d577eb
SHA1e448dc3c7d723c19fc3dd717fc3ed9993c94ea74
SHA2566f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63
SHA512d8cb95b43fb8c07e8f7a89c27721f0d43f3080019e33a2c49d2f1c11f91d206a89bdb8b98ae3284ac7cd289f7315705037a18ec498c582790d6024e29d374259
-
Filesize
226KB
MD5cb20469403acf9ca0ffd0918d3d577eb
SHA1e448dc3c7d723c19fc3dd717fc3ed9993c94ea74
SHA2566f2bbd35accc8785877395e1967538459f5e96999c7ad17b96e5208b6e768c63
SHA512d8cb95b43fb8c07e8f7a89c27721f0d43f3080019e33a2c49d2f1c11f91d206a89bdb8b98ae3284ac7cd289f7315705037a18ec498c582790d6024e29d374259
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5a3bd44203f3f56b75520cc7a424e54e6
SHA180fd24d6ca658a8173715967747f506c4b6d82fb
SHA2561f5bda7c5272cee03ba1d14fc308dbfe50733bcc618e569ba0cc8440270b2947
SHA5123eb7702b700916a7aa4c6b1143a8d52091e7654ef86fabf42c7c77057ec3f5e1fa1c94b43afd2b0b8c35e613be3cdf22f6ab8261f9c7340a7ed392cf5f6edff2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5bfbfa3e6124f1b00dcd8c9c5e3ae715e
SHA12e5a83f69c35cbab63abf8b5954fb50682c26eae
SHA2565bbca2fbcd906fe36057bdd262b0661800b54bb34d28ecb9730f1d6dcb7b1d2f
SHA5125639ff36b004121c08dfa8260fc46060536ce5ab44a726ca70dcf53450fb132a567b6a55b53fca65ef61e6f017a3d9a86bfbc417e8379ff10162309abfc68f99
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD571f60cd3fe75f8a61958cd9ae15f3abf
SHA19317ea86a9b0f890868b0badaca9966700c55c4d
SHA256a019b82921fb2fc7f6bc189160172811072b66eb021f58243a6e115fee0c4636
SHA5127ae3faa1114207390c5071006f63b047d80ed61584d8b5d5d51419e5e1e857ef4ab0d7d7ba6027a741b89404dfd2f1b8a6f60bddd3f0eaa3f6d03e7704bd09a3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5d870b603bf4ee001bbd8279866350ef5
SHA1725a48a1852f8b854922feaeee24ab459f4bfe78
SHA256d7fff7c3ff713cf0bfcf82e51a659e72d153303d1b64b52eb1806b1dd9a613ff
SHA5126ff4dde303047b57517aa458e25536f3ff042553c3f35253119305356b850b9d817aa82db68c37fa175c28c86d980eee66fa6cefd773209d5ac12052323a6f95
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5689a4deacc8efe3483fd613809401f0b
SHA17fa711416b65065e9837030010e10537404f52aa
SHA256b7792b8d71884427b5471b97ba50aee729c3e12ead7e0b6f4a96fe2830672649
SHA5123d0aea178a84c281bccda58695c5e8ddec9015f81913b8b051c48a5e094a3fbcdb35c973d258f4bf39967bd22b79140e4a287e4cbddcbcc536c341e0236360c0
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
4.1MB
MD5f0118fdfcadf8262c58b3638c0edc6a9
SHA1a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA2568e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA51299ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5fe7facf5c1db2d17313299c58c6e1ca2
SHA14dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA2563a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA5121fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060