Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
300s -
max time network
306s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system -
submitted
23/10/2023, 04:55
Static task
static1
Behavioral task
behavioral1
Sample
a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe
Resource
win10-20231020-en
General
-
Target
a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe
-
Size
263KB
-
MD5
88836cb61b947944f5913e3553fd2dbb
-
SHA1
a357ac41703c0f494bc5afbaaf5d91991f3f59d7
-
SHA256
a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5
-
SHA512
206a037f2086fb4d37e81e922d0d8f2df7ad84880d57a8c77d0bda9ba0b418d125d5f5de9d77afb2d61af9232dec650417ee85190496fbd326a8ef62a3e42904
-
SSDEEP
6144:mLYysjFGlJQljIz8BzMp5yXzQ5rRRgznyg3:E3lJmIzi9zO4ys
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.ithh
-
offline_id
9FgVtzPuDnE9NZWeLG9q9D2SjzVyIqJJ4jFNKXt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-cGZhpvUKxk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0811JOsie
Extracted
smokeloader
pub1
Extracted
vidar
6.1
13088c19c5a97b42d0d1d9573cc9f1b8
https://steamcommunity.com/profiles/76561199563297648
https://t.me/twowheelfun
-
profile_id_v2
13088c19c5a97b42d0d1d9573cc9f1b8
-
user_agent
Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/605.1.15
Extracted
smokeloader
up3
Signatures
-
Detected Djvu ransomware 18 IoCs
resource yara_rule behavioral2/memory/3020-25-0x0000000002650000-0x000000000276B000-memory.dmp family_djvu behavioral2/memory/5116-26-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/5116-28-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/5116-29-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4752-31-0x00000000776C0000-0x0000000077790000-memory.dmp family_djvu behavioral2/memory/5116-30-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/5116-53-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4752-74-0x00000000776C0000-0x0000000077790000-memory.dmp family_djvu behavioral2/memory/3068-79-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-80-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-83-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-92-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-93-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-99-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-101-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-102-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-106-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3068-174-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Detects DLL dropped by Raspberry Robin. 5 IoCs
Raspberry Robin.
resource yara_rule behavioral2/memory/4752-32-0x00000000761F0000-0x00000000763B2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/4752-40-0x00000000761F0000-0x00000000763B2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/4752-41-0x00000000761F0000-0x00000000763B2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/4752-76-0x00000000761F0000-0x00000000763B2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 behavioral2/memory/4752-231-0x00000000761F0000-0x00000000763B2000-memory.dmp Raspberry_Robin_DLL_MAY_2022 -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4256-187-0x0000000000400000-0x000000000045A000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 4708 created 3240 4708 latestX.exe 26 PID 4708 created 3240 4708 latestX.exe 26 PID 4708 created 3240 4708 latestX.exe 26 PID 4708 created 3240 4708 latestX.exe 26 PID 4708 created 3240 4708 latestX.exe 26 PID 3124 created 3240 3124 updater.exe 26 PID 3124 created 3240 3124 updater.exe 26 PID 3124 created 3240 3124 updater.exe 26 PID 3124 created 3240 3124 updater.exe 26 PID 3124 created 3240 3124 updater.exe 26 PID 3124 created 3240 3124 updater.exe 26 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\690C.exe = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 690C.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1BA2.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 2584 netsh.exe 2428 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1BA2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1BA2.exe -
Deletes itself 1 IoCs
pid Process 3240 Explorer.EXE -
Executes dropped EXE 41 IoCs
pid Process 3020 15F4.exe 4752 1BA2.exe 5116 15F4.exe 5004 15F4.exe 2980 2C9B.exe 3068 15F4.exe 4188 55FF.exe 2104 build2.exe 2272 5A84.exe 2764 toolspub2.exe 2632 d21cbe21e38b385a41a68c5e6dd32f4c.exe 3576 kos2.exe 4540 build3.exe 4708 latestX.exe 2712 set16.exe 2524 690C.exe 3056 build2.exe 4568 K.exe 1536 is-QC97H.tmp 756 toolspub2.exe 1508 MyBurn.exe 4224 MyBurn.exe 2100 build3.exe 1616 d21cbe21e38b385a41a68c5e6dd32f4c.exe 3552 690C.exe 3124 updater.exe 3816 mstsca.exe 3292 csrss.exe 588 injector.exe 2716 mstsca.exe 1016 windefender.exe 1620 windefender.exe 2404 mstsca.exe 2896 mstsca.exe 1092 f801950a962ddba14caaa44bf084b55c.exe 4796 mstsca.exe 3436 autfvji 4528 fitfvji 3892 mstsca.exe 5028 mstsca.exe 3424 mstsca.exe -
Loads dropped DLL 6 IoCs
pid Process 4728 regsvr32.exe 1536 is-QC97H.tmp 1536 is-QC97H.tmp 1536 is-QC97H.tmp 3056 build2.exe 3056 build2.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3236 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000800000001ac12-20.dat themida behavioral2/files/0x000800000001ac12-23.dat themida behavioral2/memory/4752-52-0x0000000001080000-0x0000000001836000-memory.dmp themida behavioral2/memory/4752-223-0x0000000001080000-0x0000000001836000-memory.dmp themida -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 51.159.66.125 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\690C.exe = "0" 690C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2bfb4ecd-aca4-457b-a4d9-a3c3c0bbe7bf\\15F4.exe\" --AutoStart" 15F4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 690C.exe Set value (str) \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (str) \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1BA2.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 api.2ip.ua 18 api.2ip.ua 28 api.2ip.ua -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powercfg.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4752 1BA2.exe -
Suspicious use of SetThreadContext 13 IoCs
description pid Process procid_target PID 3020 set thread context of 5116 3020 15F4.exe 73 PID 5004 set thread context of 3068 5004 15F4.exe 80 PID 4752 set thread context of 4256 4752 1BA2.exe 86 PID 2104 set thread context of 3056 2104 build2.exe 88 PID 2764 set thread context of 756 2764 toolspub2.exe 95 PID 4540 set thread context of 2100 4540 build3.exe 116 PID 3816 set thread context of 2716 3816 mstsca.exe 179 PID 3124 set thread context of 4044 3124 updater.exe 197 PID 3124 set thread context of 5100 3124 updater.exe 198 PID 2404 set thread context of 2896 2404 mstsca.exe 208 PID 2980 set thread context of 824 2980 2C9B.exe 92 PID 4796 set thread context of 3892 4796 mstsca.exe 221 PID 5028 set thread context of 3424 5028 mstsca.exe 223 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 690C.exe File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\MyBurn\is-4RTU9.tmp is-QC97H.tmp File created C:\Program Files (x86)\MyBurn\is-SGHB5.tmp is-QC97H.tmp File created C:\Program Files\Google\Chrome\updater.exe latestX.exe File created C:\Program Files (x86)\MyBurn\is-54OBV.tmp is-QC97H.tmp File created C:\Program Files (x86)\MyBurn\is-836MF.tmp is-QC97H.tmp File created C:\Program Files (x86)\MyBurn\unins000.dat is-QC97H.tmp File created C:\Program Files (x86)\MyBurn\is-KHLDH.tmp is-QC97H.tmp File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe is-QC97H.tmp File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files (x86)\MyBurn\is-HL85H.tmp is-QC97H.tmp File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat is-QC97H.tmp File created C:\Program Files (x86)\MyBurn\is-DO4RR.tmp is-QC97H.tmp File created C:\Program Files (x86)\MyBurn\Sounds\is-M10OK.tmp is-QC97H.tmp File created C:\Program Files (x86)\MyBurn\Sounds\is-M5KC9.tmp is-QC97H.tmp -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe d21cbe21e38b385a41a68c5e6dd32f4c.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 690C.exe File created C:\Windows\rss\csrss.exe 690C.exe File opened for modification C:\Windows\rss d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3008 sc.exe 4728 sc.exe 4464 sc.exe 2736 sc.exe 4476 sc.exe 4212 sc.exe 4044 sc.exe 4876 sc.exe 4744 sc.exe 3432 sc.exe 4296 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1344 4528 WerFault.exe 218 -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5A84.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI autfvji Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI autfvji Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI autfvji Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5A84.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5A84.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3248 schtasks.exe 3620 schtasks.exe 2720 schtasks.exe 4432 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3136 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" 690C.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powercfg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" 690C.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" 690C.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 690C.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" 690C.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" 690C.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" 690C.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powercfg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powercfg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" 690C.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" 690C.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powercfg.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" 690C.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powercfg.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" 690C.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" 690C.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3440 a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe 3440 a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE 3240 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3240 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 616 Process not Found -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 3440 a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe 3240 Explorer.EXE 3240 Explorer.EXE 2272 5A84.exe 3240 Explorer.EXE 3240 Explorer.EXE 3436 autfvji -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeDebugPrivilege 4752 1BA2.exe Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeDebugPrivilege 4568 K.exe Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeDebugPrivilege 3892 powershell.exe Token: SeDebugPrivilege 4744 powershell.exe Token: SeDebugPrivilege 4256 AppLaunch.exe Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE Token: SeCreatePagefilePrivilege 3240 Explorer.EXE Token: SeShutdownPrivilege 3240 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3240 wrote to memory of 3020 3240 Explorer.EXE 71 PID 3240 wrote to memory of 3020 3240 Explorer.EXE 71 PID 3240 wrote to memory of 3020 3240 Explorer.EXE 71 PID 3240 wrote to memory of 4752 3240 Explorer.EXE 72 PID 3240 wrote to memory of 4752 3240 Explorer.EXE 72 PID 3240 wrote to memory of 4752 3240 Explorer.EXE 72 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 3020 wrote to memory of 5116 3020 15F4.exe 73 PID 5116 wrote to memory of 3236 5116 15F4.exe 74 PID 5116 wrote to memory of 3236 5116 15F4.exe 74 PID 5116 wrote to memory of 3236 5116 15F4.exe 74 PID 5116 wrote to memory of 5004 5116 15F4.exe 75 PID 5116 wrote to memory of 5004 5116 15F4.exe 75 PID 5116 wrote to memory of 5004 5116 15F4.exe 75 PID 3240 wrote to memory of 2980 3240 Explorer.EXE 77 PID 3240 wrote to memory of 2980 3240 Explorer.EXE 77 PID 3240 wrote to memory of 1356 3240 Explorer.EXE 78 PID 3240 wrote to memory of 1356 3240 Explorer.EXE 78 PID 1356 wrote to memory of 4728 1356 regsvr32.exe 79 PID 1356 wrote to memory of 4728 1356 regsvr32.exe 79 PID 1356 wrote to memory of 4728 1356 regsvr32.exe 79 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 5004 wrote to memory of 3068 5004 15F4.exe 80 PID 3240 wrote to memory of 4188 3240 Explorer.EXE 81 PID 3240 wrote to memory of 4188 3240 Explorer.EXE 81 PID 3240 wrote to memory of 4188 3240 Explorer.EXE 81 PID 3068 wrote to memory of 2104 3068 15F4.exe 82 PID 3068 wrote to memory of 2104 3068 15F4.exe 82 PID 3068 wrote to memory of 2104 3068 15F4.exe 82 PID 3240 wrote to memory of 2272 3240 Explorer.EXE 83 PID 3240 wrote to memory of 2272 3240 Explorer.EXE 83 PID 3240 wrote to memory of 2272 3240 Explorer.EXE 83 PID 4188 wrote to memory of 2764 4188 55FF.exe 84 PID 4188 wrote to memory of 2764 4188 55FF.exe 84 PID 4188 wrote to memory of 2764 4188 55FF.exe 84 PID 4188 wrote to memory of 2632 4188 55FF.exe 101 PID 4188 wrote to memory of 2632 4188 55FF.exe 101 PID 4188 wrote to memory of 2632 4188 55FF.exe 101 PID 4188 wrote to memory of 3576 4188 55FF.exe 93 PID 4188 wrote to memory of 3576 4188 55FF.exe 93 PID 4188 wrote to memory of 3576 4188 55FF.exe 93 PID 3068 wrote to memory of 4540 3068 15F4.exe 91 PID 3068 wrote to memory of 4540 3068 15F4.exe 91 PID 3068 wrote to memory of 4540 3068 15F4.exe 91 PID 2980 wrote to memory of 824 2980 2C9B.exe 92 PID 2980 wrote to memory of 824 2980 2C9B.exe 92 PID 2980 wrote to memory of 824 2980 2C9B.exe 92 PID 4188 wrote to memory of 4708 4188 55FF.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe"C:\Users\Admin\AppData\Local\Temp\a1ff1206764bfee944723aed2f0a7f863a2b9b3d7afe904417133015b9b2e0f5.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3440
-
-
C:\Users\Admin\AppData\Local\Temp\15F4.exeC:\Users\Admin\AppData\Local\Temp\15F4.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\15F4.exeC:\Users\Admin\AppData\Local\Temp\15F4.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\2bfb4ecd-aca4-457b-a4d9-a3c3c0bbe7bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
PID:3236
-
-
C:\Users\Admin\AppData\Local\Temp\15F4.exe"C:\Users\Admin\AppData\Local\Temp\15F4.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\15F4.exe"C:\Users\Admin\AppData\Local\Temp\15F4.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build2.exe"C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2104 -
C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build2.exe"C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build2.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3056 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build2.exe" & exit8⤵PID:2784
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
PID:3136
-
-
-
-
-
C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build3.exe"C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4540 -
C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build3.exe"C:\Users\Admin\AppData\Local\9a7de6f9-989a-4ea9-96ac-ee544a56d099\build3.exe"7⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
PID:3248
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1BA2.exeC:\Users\Admin\AppData\Local\Temp\1BA2.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4752 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
-
C:\Users\Admin\AppData\Local\Temp\2C9B.exeC:\Users\Admin\AppData\Local\Temp\2C9B.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"3⤵PID:824
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\3343.dll2⤵
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\3343.dll3⤵
- Loads dropped DLL
PID:4728
-
-
-
C:\Users\Admin\AppData\Local\Temp\55FF.exeC:\Users\Admin\AppData\Local\Temp\55FF.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
PID:756
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:4708
-
-
C:\Users\Admin\AppData\Local\Temp\kos2.exe"C:\Users\Admin\AppData\Local\Temp\kos2.exe"3⤵
- Executes dropped EXE
PID:3576
-
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"3⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:1616 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:3220
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:4748
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:2428
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4780
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2260
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5A84.exeC:\Users\Admin\AppData\Local\Temp\5A84.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2272
-
-
C:\Users\Admin\AppData\Local\Temp\690C.exeC:\Users\Admin\AppData\Local\Temp\690C.exe2⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
-
C:\Users\Admin\AppData\Local\Temp\690C.exe"C:\Users\Admin\AppData\Local\Temp\690C.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3552 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3424 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5068
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:2200
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:2584
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4276
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1516
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:3292 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:352
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
PID:3620
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:3320
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4988
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5052
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:588
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
PID:4432
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:2740
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:2736
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe5⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f6⤵PID:4208
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f6⤵PID:2108
-
-
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:3508
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:960
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:4200
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:4476
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:4212
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3008
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4044
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4876
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:4060
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:3356
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:992
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:4600
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:2720
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:4904
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:4908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2052 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2200
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:4528
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:4744
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3432
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4728
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4296
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4464
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2256
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3220
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:2516
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:3864
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:376
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4476
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:4044
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:5100
-
-
C:\Users\Admin\AppData\Local\Temp\K.exe"C:\Users\Admin\AppData\Local\Temp\K.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"1⤵
- Executes dropped EXE
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\is-73D6Q.tmp\is-QC97H.tmp"C:\Users\Admin\AppData\Local\Temp\is-73D6Q.tmp\is-QC97H.tmp" /SL4 $A00FE "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1536 -
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i3⤵
- Executes dropped EXE
PID:1508
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 203⤵PID:5068
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 204⤵PID:4972
-
-
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s3⤵
- Executes dropped EXE
PID:4224
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵PID:4640
-
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:3124
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3816 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
PID:2720
-
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1620
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2404 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:2896
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4796 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:3892
-
-
C:\Users\Admin\AppData\Roaming\autfvjiC:\Users\Admin\AppData\Roaming\autfvji1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3436
-
C:\Users\Admin\AppData\Roaming\fitfvjiC:\Users\Admin\AppData\Roaming\fitfvji1⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 4962⤵
- Program crash
PID:1344
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5028 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:3424
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5f0fd986799e64ba888a8031782181dc7
SHA1df5a8420ebdcb1d036867fbc9c3f9ca143cf587c
SHA256a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f
SHA51209d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233
-
Filesize
2.1MB
MD5f0fd986799e64ba888a8031782181dc7
SHA1df5a8420ebdcb1d036867fbc9c3f9ca143cf587c
SHA256a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f
SHA51209d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233
-
Filesize
2.1MB
MD5f0fd986799e64ba888a8031782181dc7
SHA1df5a8420ebdcb1d036867fbc9c3f9ca143cf587c
SHA256a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f
SHA51209d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
2.1MB
MD5f0fd986799e64ba888a8031782181dc7
SHA1df5a8420ebdcb1d036867fbc9c3f9ca143cf587c
SHA256a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f
SHA51209d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5208216f1f2eee6296c31bb469824a9c9
SHA1893c313f37a0a0f955116118323602b1d0d5866a
SHA2567fbb51ca9c4cacdfb181c871866b2a6665cc13b2b6e581a972263f35176a271f
SHA51276ab2fe140fb6e6ea58b0b3caf64102d7aaca1d1ee8d15203cfa13af63c5a9eba5dd68486d066ff31650f1310158081ca5e987f5a093cb47e7a60df3cacb64eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD570d80092770bbbdda52a421a41f4eafb
SHA17a61bb87563b373cdee7df3709b49d21fe84619a
SHA2565fa32a63d9a2f8d50761fc81358e87db528f83e941ec473efcf1d1b4edbe7ca3
SHA512f7c782272f206e28f16e4eb2d42bb377523bbc479d272dc61f4f463c25463489763503f68e27d246eafde67a94d2f281df4827f76cdb656e4772bd3350597fce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5b42c91cce95e1cd8914bcc0358c7af46
SHA181672658df82963149ef39b45323b526e6dbd797
SHA2566cd8028054c2f523314d7fcb8c428758349757d7b8f70bc51758a04c4f759a85
SHA512a2a8820ca81a0e08d07245e4f65d2c0c1de68ab73bf3d7967ceb54ae04a2fac42cf98e9d56856b4c8d54ea26b6a53a7044259d55c4ce943bc70f8655227f0796
-
Filesize
773KB
MD5952688e5752abd15bb1b900b2db461a3
SHA171a83957ea93085c7894545c5e33c5fcb8c763d3
SHA256256d2ef4432984e12e4dc361e89e1d35ce9b8d55c066f71489bae8827f98c91f
SHA5123445765d8efd53b995291b033c57e35726ba0b2d23e8ed351324fae512f81c49583903307983de211c18f31ef4d17adf5fcb1f12d0104ffa21a3a408793c0c5a
-
Filesize
373KB
MD58012f0388cdda7870e63a5723ff24e9b
SHA108ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA2565f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3
-
Filesize
373KB
MD58012f0388cdda7870e63a5723ff24e9b
SHA108ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA2565f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3
-
Filesize
373KB
MD58012f0388cdda7870e63a5723ff24e9b
SHA108ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA2565f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
19KB
MD5d66a3fa746131f3bb43f297813b91f22
SHA11d991564fc9f300f6716af119628f57712a7788d
SHA256f8d9ea077211800dea0a54e32aff23b1745e2bd7b9e9d94caa27d45a38abf0d2
SHA5126095856e2b272b3b8dd8d6e12f2eaf365a6b97be96826806035219b9d5a37cf360bc9ec7080f78eea62126f05366502c1532fb22c0760e8c440fde42edee0b57
-
Filesize
1KB
MD5522c91fe8ff2d6eabb0df1db63006c36
SHA1a37cd61d621902693feba433539c744da0ea75f5
SHA2566400c7b0042d9bdd53996af4c766468307837cbc1e9c8f899fe844d6c5409d20
SHA5125e8b330ae0acd0a430c08851c28d3b8c9456659a07bab462ec58d748e0113ea0aef0b06a4dd771c91f2fab6b005609685c40a9db8fe4b9d56a7e5e8dbea42781
-
Filesize
773KB
MD5952688e5752abd15bb1b900b2db461a3
SHA171a83957ea93085c7894545c5e33c5fcb8c763d3
SHA256256d2ef4432984e12e4dc361e89e1d35ce9b8d55c066f71489bae8827f98c91f
SHA5123445765d8efd53b995291b033c57e35726ba0b2d23e8ed351324fae512f81c49583903307983de211c18f31ef4d17adf5fcb1f12d0104ffa21a3a408793c0c5a
-
Filesize
773KB
MD5952688e5752abd15bb1b900b2db461a3
SHA171a83957ea93085c7894545c5e33c5fcb8c763d3
SHA256256d2ef4432984e12e4dc361e89e1d35ce9b8d55c066f71489bae8827f98c91f
SHA5123445765d8efd53b995291b033c57e35726ba0b2d23e8ed351324fae512f81c49583903307983de211c18f31ef4d17adf5fcb1f12d0104ffa21a3a408793c0c5a
-
Filesize
773KB
MD5952688e5752abd15bb1b900b2db461a3
SHA171a83957ea93085c7894545c5e33c5fcb8c763d3
SHA256256d2ef4432984e12e4dc361e89e1d35ce9b8d55c066f71489bae8827f98c91f
SHA5123445765d8efd53b995291b033c57e35726ba0b2d23e8ed351324fae512f81c49583903307983de211c18f31ef4d17adf5fcb1f12d0104ffa21a3a408793c0c5a
-
Filesize
773KB
MD5952688e5752abd15bb1b900b2db461a3
SHA171a83957ea93085c7894545c5e33c5fcb8c763d3
SHA256256d2ef4432984e12e4dc361e89e1d35ce9b8d55c066f71489bae8827f98c91f
SHA5123445765d8efd53b995291b033c57e35726ba0b2d23e8ed351324fae512f81c49583903307983de211c18f31ef4d17adf5fcb1f12d0104ffa21a3a408793c0c5a
-
Filesize
773KB
MD5952688e5752abd15bb1b900b2db461a3
SHA171a83957ea93085c7894545c5e33c5fcb8c763d3
SHA256256d2ef4432984e12e4dc361e89e1d35ce9b8d55c066f71489bae8827f98c91f
SHA5123445765d8efd53b995291b033c57e35726ba0b2d23e8ed351324fae512f81c49583903307983de211c18f31ef4d17adf5fcb1f12d0104ffa21a3a408793c0c5a
-
Filesize
2.6MB
MD53fa323c8a7ee8e017ed04764c35fc6d7
SHA1628798e103654cb81d6b13b5cf3964c841658b39
SHA25609803be467a424041ddccce80a356c38163cec45b2403ef55a99d82b97ad580d
SHA5126844d5a0866d1a2c201b02722410dcf297a15a375c7e041e891d42008b8f6dad0a0a989d9a272536d83a8ff3479303a6bd133670bc60eeed9a13c3f0d45db617
-
Filesize
2.6MB
MD53fa323c8a7ee8e017ed04764c35fc6d7
SHA1628798e103654cb81d6b13b5cf3964c841658b39
SHA25609803be467a424041ddccce80a356c38163cec45b2403ef55a99d82b97ad580d
SHA5126844d5a0866d1a2c201b02722410dcf297a15a375c7e041e891d42008b8f6dad0a0a989d9a272536d83a8ff3479303a6bd133670bc60eeed9a13c3f0d45db617
-
Filesize
6.9MB
MD59fdd904060a215d18a8625e0a43e0edd
SHA1d245b1a8e0e071567551ae46dc85be76f79a58e9
SHA256e77914415de29ddffcc5e6b9ac329db44c7e1fa42ca80e6201f0f0fb69e1c61d
SHA512bbd54382a117a1b462707ecffdbe22d2a17c054c6eeaed243aaeeeebf42e20e136160a1e3dbf6ffbbbec3cea5d77b769d1683c23bf05c24e822f35816d93704a
-
Filesize
1.8MB
MD55641f0d5ce653da3fab7a6f2c0889dd1
SHA1bf145e255c2120d0ad880920af291805b2fe77ed
SHA256374c81769de9a099a0bbb9d4aa3048f7e701f0bab697f028be9faafd413c5ae1
SHA5120c388d7d0f66decf5423ae34953fcb090a25e7e9ef035880786c06590df6ba83783841b91994db1d55e996ba0a0f0d57eda69e4b01145c2d692e31c9d5d48ba8
-
Filesize
11.5MB
MD56020dace849357f1667a1943c8db7291
SHA13cb1268ae732e93e9420e353200f0998d7b1920f
SHA256ebf0fbb2d06f3a42839c341b052cfe7b8b4e0b7e93a5f37a3c426f27a762e63a
SHA51281d8cea19b6bf63aaf7f9f5b94e5d388febc3cbac961d652fbab8c971748dd79760ad265fc6e456d32b4ef67e1257cc3b1f488f79e8a698df61092545bd8a283
-
Filesize
11.5MB
MD56020dace849357f1667a1943c8db7291
SHA13cb1268ae732e93e9420e353200f0998d7b1920f
SHA256ebf0fbb2d06f3a42839c341b052cfe7b8b4e0b7e93a5f37a3c426f27a762e63a
SHA51281d8cea19b6bf63aaf7f9f5b94e5d388febc3cbac961d652fbab8c971748dd79760ad265fc6e456d32b4ef67e1257cc3b1f488f79e8a698df61092545bd8a283
-
Filesize
253KB
MD5e4e3b070a4acfa4234e03434c712a861
SHA192bd6f47c54787f271ede676d912439e8b467f55
SHA256133d73a1e748b52d934e84416ede8b698567ef82648f2123caf108e1382619c0
SHA51233b19db2dd4c1c19ea22e84e3454256ef9a242cc8197085a288ec25e09224ef85ed6882998e85ae453c8d28b71f1b6c674d044068e3622431498665fc7812333
-
Filesize
253KB
MD5e4e3b070a4acfa4234e03434c712a861
SHA192bd6f47c54787f271ede676d912439e8b467f55
SHA256133d73a1e748b52d934e84416ede8b698567ef82648f2123caf108e1382619c0
SHA51233b19db2dd4c1c19ea22e84e3454256ef9a242cc8197085a288ec25e09224ef85ed6882998e85ae453c8d28b71f1b6c674d044068e3622431498665fc7812333
-
Filesize
4.2MB
MD5f14a2e5ca6c536cfc4a0c4bf700945fe
SHA1e0ba2f8b647ded07217ebfa5287d7555d00ee476
SHA2560319a45080e06688bea0619a37a019ce8497b5a56ace43a5735326598b6949cf
SHA512c6dbb61d10ac9f94adf2180d7d92cb1a82c9bbdadf794c171e448f1b7d8eff7385fea7216e74f952ea2a11d803808b6090119c5b916b797745d625dd906e66af
-
Filesize
4.2MB
MD5f14a2e5ca6c536cfc4a0c4bf700945fe
SHA1e0ba2f8b647ded07217ebfa5287d7555d00ee476
SHA2560319a45080e06688bea0619a37a019ce8497b5a56ace43a5735326598b6949cf
SHA512c6dbb61d10ac9f94adf2180d7d92cb1a82c9bbdadf794c171e448f1b7d8eff7385fea7216e74f952ea2a11d803808b6090119c5b916b797745d625dd906e66af
-
Filesize
4.2MB
MD5f14a2e5ca6c536cfc4a0c4bf700945fe
SHA1e0ba2f8b647ded07217ebfa5287d7555d00ee476
SHA2560319a45080e06688bea0619a37a019ce8497b5a56ace43a5735326598b6949cf
SHA512c6dbb61d10ac9f94adf2180d7d92cb1a82c9bbdadf794c171e448f1b7d8eff7385fea7216e74f952ea2a11d803808b6090119c5b916b797745d625dd906e66af
-
Filesize
8KB
MD5ac65407254780025e8a71da7b925c4f3
SHA15c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA25626cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA51227d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab
-
Filesize
8KB
MD5ac65407254780025e8a71da7b925c4f3
SHA15c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA25626cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA51227d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
4.2MB
MD5cfb47eefb1364872657b05199443bb25
SHA100227917c1dae8fc6f17fdff65741be4f5e57485
SHA2567f4f53a9d3da9de64473196fa04ee1dd681f9ca3cdcccab4e1539fc03ab55102
SHA51281ead4f60b3d0d5069e9443a5023004e1ee17c42a65cba3b4326ad1d17af5a11a81c4b598d8e1b14a086da60f45fd93e5199ca6b1ffb7a6cc7932ded5701c1a6
-
Filesize
4.2MB
MD5cfb47eefb1364872657b05199443bb25
SHA100227917c1dae8fc6f17fdff65741be4f5e57485
SHA2567f4f53a9d3da9de64473196fa04ee1dd681f9ca3cdcccab4e1539fc03ab55102
SHA51281ead4f60b3d0d5069e9443a5023004e1ee17c42a65cba3b4326ad1d17af5a11a81c4b598d8e1b14a086da60f45fd93e5199ca6b1ffb7a6cc7932ded5701c1a6
-
Filesize
4.2MB
MD5cfb47eefb1364872657b05199443bb25
SHA100227917c1dae8fc6f17fdff65741be4f5e57485
SHA2567f4f53a9d3da9de64473196fa04ee1dd681f9ca3cdcccab4e1539fc03ab55102
SHA51281ead4f60b3d0d5069e9443a5023004e1ee17c42a65cba3b4326ad1d17af5a11a81c4b598d8e1b14a086da60f45fd93e5199ca6b1ffb7a6cc7932ded5701c1a6
-
Filesize
642KB
MD5e57693101a63b1f934f462bc7a2ef093
SHA12748ea8c66b980f14c9ce36c1c3061e690cf3ce7
SHA25671267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f
SHA5123dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e
-
Filesize
642KB
MD5e57693101a63b1f934f462bc7a2ef093
SHA12748ea8c66b980f14c9ce36c1c3061e690cf3ce7
SHA25671267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f
SHA5123dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e
-
Filesize
1.5MB
MD5665db9794d6e6e7052e7c469f48de771
SHA1ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA51269585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74
-
Filesize
1.5MB
MD5665db9794d6e6e7052e7c469f48de771
SHA1ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA51269585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
1.5MB
MD5b224196c88f09b615527b2df0e860e49
SHA1f9ae161836a34264458d8c0b2a083c98093f1dec
SHA2562a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d
-
Filesize
1.5MB
MD5b224196c88f09b615527b2df0e860e49
SHA1f9ae161836a34264458d8c0b2a083c98093f1dec
SHA2562a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d
-
Filesize
260KB
MD5f39a0110a564f4a1c6b96c03982906ec
SHA108e66c93b575c9ac0a18f06741dabcabc88a358b
SHA256f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481
SHA512c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00
-
Filesize
260KB
MD5f39a0110a564f4a1c6b96c03982906ec
SHA108e66c93b575c9ac0a18f06741dabcabc88a358b
SHA256f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481
SHA512c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00
-
Filesize
260KB
MD5f39a0110a564f4a1c6b96c03982906ec
SHA108e66c93b575c9ac0a18f06741dabcabc88a358b
SHA256f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481
SHA512c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
253KB
MD5e4e3b070a4acfa4234e03434c712a861
SHA192bd6f47c54787f271ede676d912439e8b467f55
SHA256133d73a1e748b52d934e84416ede8b698567ef82648f2123caf108e1382619c0
SHA51233b19db2dd4c1c19ea22e84e3454256ef9a242cc8197085a288ec25e09224ef85ed6882998e85ae453c8d28b71f1b6c674d044068e3622431498665fc7812333
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5a174f65a0b9a4b5bf4ee8486773ec35e
SHA186fec4c3c9069addeee9c1831ed89328a2c80d06
SHA25653a522ac4ee1944523ca2acfde7b1b66ae585a79f5d9392a1454b7bc6b09e3b3
SHA51253abf0d0aa1e1de6fb63c5fa93319429432d56e432494934aa961879fe67215fdb389d5c4af0ffe8e6a007c7b3d29090db0e247bec9921ceb56e3b8f9e729b7b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5a174f65a0b9a4b5bf4ee8486773ec35e
SHA186fec4c3c9069addeee9c1831ed89328a2c80d06
SHA25653a522ac4ee1944523ca2acfde7b1b66ae585a79f5d9392a1454b7bc6b09e3b3
SHA51253abf0d0aa1e1de6fb63c5fa93319429432d56e432494934aa961879fe67215fdb389d5c4af0ffe8e6a007c7b3d29090db0e247bec9921ceb56e3b8f9e729b7b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5ac79083c4cb6599873836111b3657223
SHA10d9ffe36abfa2b073b48d6da4f8017fdfe19b7c3
SHA256b333b2b6dc33d82180adae899f74b8f2605d85c121c4e4852759b651749cbe7b
SHA512865b8cd8584c3194a388c0923a371b60d99f47d50083dcf939bf703154c11895ac32cef91a521e1b2156dbce9b02dd3ca47ad0bda79163f119f3df0d2bd7f944
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5ac79083c4cb6599873836111b3657223
SHA10d9ffe36abfa2b073b48d6da4f8017fdfe19b7c3
SHA256b333b2b6dc33d82180adae899f74b8f2605d85c121c4e4852759b651749cbe7b
SHA512865b8cd8584c3194a388c0923a371b60d99f47d50083dcf939bf703154c11895ac32cef91a521e1b2156dbce9b02dd3ca47ad0bda79163f119f3df0d2bd7f944
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.8MB
MD55641f0d5ce653da3fab7a6f2c0889dd1
SHA1bf145e255c2120d0ad880920af291805b2fe77ed
SHA256374c81769de9a099a0bbb9d4aa3048f7e701f0bab697f028be9faafd413c5ae1
SHA5120c388d7d0f66decf5423ae34953fcb090a25e7e9ef035880786c06590df6ba83783841b91994db1d55e996ba0a0f0d57eda69e4b01145c2d692e31c9d5d48ba8
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
12KB
MD57cee19d7e00e9a35fc5e7884fd9d1ad8
SHA12c5e8de13bdb6ddc290a9596113f77129ecd26bc
SHA25658ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace
SHA512a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8
-
Filesize
12KB
MD57cee19d7e00e9a35fc5e7884fd9d1ad8
SHA12c5e8de13bdb6ddc290a9596113f77129ecd26bc
SHA25658ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace
SHA512a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8