Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-1703_x64 -
resource
win10-20231129-en -
resource tags
arch:x64 arch:x86 image:win10-20231129-en locale:en-us os:windows10-1703-x64 system -
submitted
09-12-2023 00:45
Static task
static1
Behavioral task
behavioral1
Sample
04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe
Resource
win10-20231129-en
General
-
Target
04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe
-
Size
230KB
-
MD5
1426a31dd0eee1e9640b0db8d7be5446
-
SHA1
d998699fb4a546a8f93cc02f847ddd82ba5d5872
-
SHA256
04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267
-
SHA512
b131537cd7d24e545d6af00fbfa39f62a54653d2be80c4e6d8686fb11158d162ca4e0f737bbc0f4ff0a5e18f412c53e51a9a9b92066895b44b82a615713f0e0f
-
SSDEEP
3072:v0PrzhJEcu1XwwPmFYKlElicEt5BdEBu7Xd4SnRqSoGiWHFK:krzhJE9gEgcEBCIlwSBH
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
http://humydrole.com/tmp/index.php
http://trunk-co.ru/tmp/index.php
http://weareelight.com/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
redline
LogsDiller Cloud (Bot: @logsdillabot)
57.128.155.22:20154
Extracted
smokeloader
pub1
Extracted
lumma
http://opposesicknessopw.pw/api
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1037.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\1037.exe family_zgrat_v1 behavioral1/memory/2388-19-0x0000000000E30000-0x0000000001344000-memory.dmp family_zgrat_v1 -
Glupteba payload 11 IoCs
Processes:
resource yara_rule behavioral1/memory/756-113-0x0000000002E10000-0x00000000036FB000-memory.dmp family_glupteba behavioral1/memory/756-116-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/756-258-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/756-318-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/756-458-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/756-915-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2484-1674-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/4596-1678-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/4596-1679-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/4596-1681-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/4596-2425-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
Raccoon Stealer V2 payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/4608-32-0x0000000000950000-0x0000000000966000-memory.dmp family_raccoon_v2 behavioral1/memory/4608-33-0x0000000000400000-0x000000000085E000-memory.dmp family_raccoon_v2 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4592-69-0x0000000000400000-0x000000000043C000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
3C4F.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3C4F.exe = "0" 3C4F.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
23B3.exemi.exeupdater.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 23B3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mi.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
mi.exeupdater.exedescription ioc process File created C:\Windows\system32\drivers\etc\hosts mi.exe File created C:\Windows\system32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
updater.exe23B3.exemi.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion updater.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion updater.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 23B3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 23B3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mi.exe -
Deletes itself 1 IoCs
Processes:
pid process 3468 -
Executes dropped EXE 15 IoCs
Processes:
1037.exe11BF.exe23B3.exe2682.exe33E1.exe3C4F.exe49BD.exe49BD.tmpmi.exe3C4F.execsrss.exeinjector.exeupdater.exewindefender.exewindefender.exepid process 2388 1037.exe 4608 11BF.exe 3836 23B3.exe 3924 2682.exe 4596 33E1.exe 756 3C4F.exe 4468 49BD.exe 2028 49BD.tmp 3832 mi.exe 2484 3C4F.exe 4596 csrss.exe 3504 injector.exe 3860 updater.exe 2564 windefender.exe 4440 windefender.exe -
Loads dropped DLL 5 IoCs
Processes:
regsvr32.exe1037.exe49BD.tmppid process 3660 regsvr32.exe 2388 1037.exe 2028 49BD.tmp 2028 49BD.tmp 2028 49BD.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\23B3.exe themida C:\Users\Admin\AppData\Local\Temp\23B3.exe themida behavioral1/memory/3836-55-0x0000000000020000-0x00000000008B2000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\mi.exe themida C:\Users\Admin\AppData\Local\Temp\mi.exe themida behavioral1/memory/3832-905-0x00007FF64A240000-0x00007FF64AFAE000-memory.dmp themida behavioral1/memory/3832-910-0x00007FF64A240000-0x00007FF64AFAE000-memory.dmp themida behavioral1/memory/3832-911-0x00007FF64A240000-0x00007FF64AFAE000-memory.dmp themida behavioral1/memory/3832-2174-0x00007FF64A240000-0x00007FF64AFAE000-memory.dmp themida C:\ProgramData\Google\Chrome\updater.exe themida C:\ProgramData\Google\Chrome\updater.exe themida -
Processes:
resource yara_rule C:\Windows\windefender.exe upx C:\Windows\windefender.exe upx C:\Windows\windefender.exe upx -
Processes:
3C4F.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3C4F.exe = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3C4F.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3C4F.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257917760-896317077-2851672318-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-257917760-896317077-2851672318-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-257917760-896317077-2851672318-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
csrss.exe3C4F.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-257917760-896317077-2851672318-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-257917760-896317077-2851672318-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 3C4F.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
mi.exeupdater.exe23B3.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA updater.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 23B3.exe -
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 11 IoCs
Processes:
powershell.exeupdater.exeschtasks.exepowershell.exeConhost.exeConhost.exemi.exepowershell.exepowershell.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe updater.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log schtasks.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive Conhost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive Conhost.exe File opened for modification C:\Windows\system32\MRT.exe mi.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive schtasks.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
23B3.exemi.exeupdater.exepid process 3836 23B3.exe 3832 mi.exe 3860 updater.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
2682.exe1037.exeupdater.exedescription pid process target process PID 3924 set thread context of 4592 3924 2682.exe AppLaunch.exe PID 2388 set thread context of 3588 2388 1037.exe RegSvcs.exe PID 3860 set thread context of 4692 3860 updater.exe conhost.exe PID 3860 set thread context of 1720 3860 updater.exe explorer.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
3C4F.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN 3C4F.exe -
Drops file in Program Files directory 5 IoCs
Processes:
49BD.tmpdescription ioc process File created C:\Program Files (x86)\MDeliveryLIB\uninstall\unins000.dat 49BD.tmp File created C:\Program Files (x86)\MDeliveryLIB\uninstall\is-E0DV7.tmp 49BD.tmp File created C:\Program Files (x86)\MDeliveryLIB\stuff\is-KM07J.tmp 49BD.tmp File created C:\Program Files (x86)\MDeliveryLIB\stuff\is-FCP7K.tmp 49BD.tmp File created C:\Program Files (x86)\MDeliveryLIB\stuff\is-BJIN2.tmp 49BD.tmp -
Drops file in Windows directory 4 IoCs
Processes:
3C4F.execsrss.exedescription ioc process File opened for modification C:\Windows\rss 3C4F.exe File created C:\Windows\rss\csrss.exe 3C4F.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 15 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 2760 sc.exe 4420 sc.exe 2588 sc.exe 4000 sc.exe 2772 sc.exe 3252 sc.exe 2608 sc.exe 1940 sc.exe 3944 sc.exe 5100 sc.exe 524 sc.exe 4472 sc.exe 4352 sc.exe 2616 sc.exe 1312 sc.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
33E1.exe04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 33E1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 33E1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 33E1.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2544 schtasks.exe 3312 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
3C4F.exewindefender.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exeschtasks.exeConhost.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs Conhost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. 
South America Standard Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates schtasks.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" 3C4F.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 schtasks.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs Conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs Conhost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates schtasks.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates Conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" 3C4F.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" 3C4F.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exepid process 4732 04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe 4732 04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 3468 -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe33E1.exepid process 4732 04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe 4596 33E1.exe 3468 3468 3468 3468 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
23B3.exeAppLaunch.exepowershell.execmd.exeschtasks.exepowershell.exeConhost.exeConhost.exepowershell.exepowershell.execsrss.exepowershell.exedescription pid process Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeDebugPrivilege 3836 23B3.exe Token: SeDebugPrivilege 4592 AppLaunch.exe Token: SeDebugPrivilege 3456 powershell.exe Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeDebugPrivilege 756 cmd.exe Token: SeImpersonatePrivilege 756 cmd.exe Token: SeDebugPrivilege 3312 schtasks.exe Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeDebugPrivilege 1596 powershell.exe Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeDebugPrivilege 4136 Conhost.exe Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeDebugPrivilege 704 Conhost.exe Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeDebugPrivilege 3872 powershell.exe Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeDebugPrivilege 4412 powershell.exe Token: SeShutdownPrivilege 3468 Token: SeCreatePagefilePrivilege 3468 Token: SeSystemEnvironmentPrivilege 4596 csrss.exe Token: SeDebugPrivilege 4272 powershell.exe Token: 
SeIncreaseQuotaPrivilege 4272 powershell.exe Token: SeSecurityPrivilege 4272 powershell.exe Token: SeTakeOwnershipPrivilege 4272 powershell.exe Token: SeLoadDriverPrivilege 4272 powershell.exe Token: SeSystemProfilePrivilege 4272 powershell.exe Token: SeSystemtimePrivilege 4272 powershell.exe Token: SeProfSingleProcessPrivilege 4272 powershell.exe Token: SeIncBasePriorityPrivilege 4272 powershell.exe Token: SeCreatePagefilePrivilege 4272 powershell.exe Token: SeBackupPrivilege 4272 powershell.exe Token: SeRestorePrivilege 4272 powershell.exe Token: SeShutdownPrivilege 4272 powershell.exe Token: SeDebugPrivilege 4272 powershell.exe Token: SeSystemEnvironmentPrivilege 4272 powershell.exe Token: SeRemoteShutdownPrivilege 4272 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process 3468 3468 -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process 3468 3468 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
regsvr32.exe2682.exe1037.exe49BD.exe3C4F.exeAppLaunch.exe3C4F.execmd.exedescription pid process target process PID 3468 wrote to memory of 2388 3468 1037.exe PID 3468 wrote to memory of 2388 3468 1037.exe PID 3468 wrote to memory of 2388 3468 1037.exe PID 3468 wrote to memory of 4608 3468 11BF.exe PID 3468 wrote to memory of 4608 3468 11BF.exe PID 3468 wrote to memory of 4608 3468 11BF.exe PID 3468 wrote to memory of 3356 3468 regsvr32.exe PID 3468 wrote to memory of 3356 3468 regsvr32.exe PID 3356 wrote to memory of 3660 3356 regsvr32.exe regsvr32.exe PID 3356 wrote to memory of 3660 3356 regsvr32.exe regsvr32.exe PID 3356 wrote to memory of 3660 3356 regsvr32.exe regsvr32.exe PID 3468 wrote to memory of 3836 3468 23B3.exe PID 3468 wrote to memory of 3836 3468 23B3.exe PID 3468 wrote to memory of 3836 3468 23B3.exe PID 3468 wrote to memory of 3924 3468 2682.exe PID 3468 wrote to memory of 3924 3468 2682.exe PID 3468 wrote to memory of 3924 3468 2682.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3924 wrote to memory of 4592 3924 2682.exe AppLaunch.exe PID 3468 wrote to memory of 4596 3468 33E1.exe PID 3468 wrote to memory of 4596 3468 33E1.exe PID 3468 wrote to memory of 4596 3468 33E1.exe PID 3468 wrote to memory of 756 3468 3C4F.exe PID 3468 wrote to memory of 756 3468 3C4F.exe PID 3468 wrote to memory of 756 3468 3C4F.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 
3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 2388 wrote to memory of 3588 2388 1037.exe RegSvcs.exe PID 3468 wrote to memory of 4468 3468 49BD.exe PID 3468 wrote to memory of 4468 3468 49BD.exe PID 3468 wrote to memory of 4468 3468 49BD.exe PID 4468 wrote to memory of 2028 4468 49BD.exe 49BD.tmp PID 4468 wrote to memory of 2028 4468 49BD.exe 49BD.tmp PID 4468 wrote to memory of 2028 4468 49BD.exe 49BD.tmp PID 3468 wrote to memory of 2900 3468 explorer.exe PID 3468 wrote to memory of 2900 3468 explorer.exe PID 3468 wrote to memory of 2900 3468 explorer.exe PID 3468 wrote to memory of 2900 3468 explorer.exe PID 3468 wrote to memory of 2748 3468 explorer.exe PID 3468 wrote to memory of 2748 3468 explorer.exe PID 3468 wrote to memory of 2748 3468 explorer.exe PID 756 wrote to memory of 3456 756 3C4F.exe powershell.exe PID 756 wrote to memory of 3456 756 3C4F.exe powershell.exe PID 756 wrote to memory of 3456 756 3C4F.exe powershell.exe PID 4592 wrote to memory of 3832 4592 AppLaunch.exe mi.exe PID 4592 wrote to memory of 3832 4592 AppLaunch.exe mi.exe PID 2484 wrote to memory of 3312 2484 3C4F.exe schtasks.exe PID 2484 wrote to memory of 3312 2484 3C4F.exe schtasks.exe PID 2484 wrote to memory of 3312 2484 3C4F.exe schtasks.exe PID 2484 wrote to memory of 756 2484 3C4F.exe cmd.exe PID 2484 wrote to memory of 756 2484 3C4F.exe cmd.exe PID 756 wrote to memory of 2732 756 cmd.exe netsh.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257917760-896317077-2851672318-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257917760-896317077-2851672318-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04b9f290f24c57fc52e7609f076ff6df5b24abb609d81b635cf4a8af824c2267.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4732
-
1⤵ C:\Users\Admin\AppData\Local\Temp\1037.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1037.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2388
-
2⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID:3588
-
1⤵ C:\Users\Admin\AppData\Local\Temp\11BF.exe
Command line: C:\Users\Admin\AppData\Local\Temp\11BF.exe
- Executes dropped EXE
PID:4608
-
1⤵ C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Users\Admin\AppData\Local\Temp\1C20.dll
- Loads dropped DLL
PID:3660
-
1⤵ C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1C20.dll
- Suspicious use of WriteProcessMemory
PID:3356
-
1⤵ C:\Users\Admin\AppData\Local\Temp\23B3.exe
Command line: C:\Users\Admin\AppData\Local\Temp\23B3.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
1⤵ C:\Users\Admin\AppData\Local\Temp\2682.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2682.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3924
-
2⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
-
3⤵ C:\Users\Admin\AppData\Local\Temp\mi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\mi.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3832
-
4⤵ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
- Launches sc.exe
PID:4000
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop bits
- Launches sc.exe
PID:4472
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
- Launches sc.exe
PID:4420
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop eventlog
- Launches sc.exe
PID:4352
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
- Launches sc.exe
PID:3252
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
- Launches sc.exe
PID:2608
-
4⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
PID:3100
-
4⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
PID:4728
-
4⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
PID:2100
-
4⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
PID:4776
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop dosvc
- Launches sc.exe
PID:2588
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop wuauserv
- Launches sc.exe
PID:1940
-
4⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop UsoSvc
- Launches sc.exe
PID:3944
-
4⤵ C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
PID:776
-
1⤵ C:\Users\Admin\AppData\Local\Temp\33E1.exe
Command line: C:\Users\Admin\AppData\Local\Temp\33E1.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4596
-
1⤵ C:\Users\Admin\AppData\Local\Temp\3C4F.exe
Command line: C:\Users\Admin\AppData\Local\Temp\3C4F.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756
-
2⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
2⤵ C:\Users\Admin\AppData\Local\Temp\3C4F.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3C4F.exe"
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2484
-
3⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
PID:3312
-
3⤵ C:\Windows\System32\cmd.exe
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
-
3⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
3⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
PID:4136
-
3⤵ C:\Windows\rss\csrss.exe
Command line: C:\Windows\rss\csrss.exe
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
4⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
PID:704
-
4⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
4⤵ C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /delete /tn ScheduledUpdate /f
PID:1796
-
4⤵ C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Creates scheduled task(s)
PID:2544
-
4⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
4⤵ C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
- Executes dropped EXE
PID:3504
-
4⤵ C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Drops file in System32 directory
- Creates scheduled task(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3312
-
4⤵ C:\Windows\windefender.exe
Command line: "C:\Windows\windefender.exe"
- Executes dropped EXE
PID:2564
-
5⤵ C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
PID:1488
-
6⤵ C:\Windows\SysWOW64\sc.exe
Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- Launches sc.exe
PID:2772
-
2⤵ C:\Windows\system32\netsh.exe
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
PID:2732
-
1⤵ C:\Users\Admin\AppData\Local\Temp\49BD.exe
Command line: C:\Users\Admin\AppData\Local\Temp\49BD.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468
-
2⤵ C:\Users\Admin\AppData\Local\Temp\is-V0DA0.tmp\49BD.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-V0DA0.tmp\49BD.tmp" /SL5="$50244,7932209,54272,C:\Users\Admin\AppData\Local\Temp\49BD.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2028
-
1⤵ C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2900
-
1⤵ C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe
PID:2748
-
1⤵ C:\ProgramData\Google\Chrome\updater.exe
Command line: C:\ProgramData\Google\Chrome\updater.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3860
-
2⤵ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4056
-
2⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
- Launches sc.exe
PID:5100
-
2⤵ C:\Windows\explorer.exe
Command line: explorer.exe
PID:1720
-
2⤵ C:\Windows\system32\conhost.exe
Command line: C:\Windows\system32\conhost.exe
PID:4692
-
2⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
PID:2744
-
2⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
PID:3592
-
2⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
PID:5028
-
2⤵ C:\Windows\system32\powercfg.exe
Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
PID:4832
-
2⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop dosvc
- Launches sc.exe
PID:2760
-
2⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop bits
- Launches sc.exe
PID:524
-
2⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop wuauserv
- Launches sc.exe
PID:2616
-
2⤵ C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe stop UsoSvc
- Launches sc.exe
PID:1312
-
2⤵ C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
PID:1108
-
1⤵ C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
1⤵ C:\Windows\system32\wusa.exe
Command line: wusa /uninstall /kb:890830 /quiet /norestart
PID:3572
-
1⤵ C:\Windows\System32\Conhost.exe
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:704
-
1⤵ C:\Windows\system32\wusa.exe
Command line: wusa /uninstall /kb:890830 /quiet /norestart
PID:4824
-
1⤵ C:\Windows\windefender.exe
Command line: C:\Windows\windefender.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4440
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)
Downloads
-
Filesize 8.1MB
MD5 b0161afbab78849d10cb7d3f00bb4ec3
SHA1 542faa594a2a90b9f37c290a5d6a39bf776ce380
SHA256 aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684
SHA512 84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc
-
Filesize 8.1MB
MD5 b0161afbab78849d10cb7d3f00bb4ec3
SHA1 542faa594a2a90b9f37c290a5d6a39bf776ce380
SHA256 aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684
SHA512 84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc
-
Filesize 5.1MB
MD5 7f4f98a26d4835578f46224112cc6a15
SHA1 c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0
SHA256 c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276
SHA512 c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b
-
Filesize 5.1MB
MD5 7f4f98a26d4835578f46224112cc6a15
SHA1 c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0
SHA256 c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276
SHA512 c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b
-
Filesize 237KB
MD5 22a51b329fa194d51f68705a25d7396d
SHA1 aada03d8b7f1e28dbf6d72c1503981ccc5bb94da
SHA256 82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742
SHA512 0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821
-
Filesize 237KB
MD5 22a51b329fa194d51f68705a25d7396d
SHA1 aada03d8b7f1e28dbf6d72c1503981ccc5bb94da
SHA256 82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742
SHA512 0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821
-
Filesize 4.1MB
MD5 184fc62aeb4c9d78891eb8d509c429e5
SHA1 4456d00e767b918a5118741985f2e1bc924b8e53
SHA256 6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052
SHA512 100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b
-
Filesize 3.0MB
MD5 f4cb9c8b7e02e8084008cd61e1899390
SHA1 af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b
SHA256 a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e
SHA512 e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6
-
Filesize 3.0MB
MD5 f4cb9c8b7e02e8084008cd61e1899390
SHA1 af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b
SHA256 a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e
SHA512 e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6
-
Filesize 439KB
MD5 b51bc8f85b7ba047b35022f505066b72
SHA1 4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a
SHA256 fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757
SHA512 7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd
-
Filesize 439KB
MD5 b51bc8f85b7ba047b35022f505066b72
SHA1 4dd8e61f706c3057995a447d8f1c0c08f8ce6d9a
SHA256 fd7e4e6d5b75b5479a9c38e601d6cd2a89c33e65887e6fae2ca6b16735a32757
SHA512 7b00852c88bfee57e89415508e0c209faea3733402a6aafb9f87dccde21fe7af9f8f9b9717e6acad9be3c58a6d1d079331e1bb72faae3ce02ca98295966ac3cd
-
Filesize 230KB
MD5 8fe11fc098e2fd9ab2247583fe513a57
SHA1 4b1d5673a74b86286c7ba4a72e8a0f103ca89017
SHA256 691232d9ddf2754581d877ae2803b2f0f09af50187a828bc054ddce6a5e0ab21
SHA512 3a76c3d8dc188c99a203951994446a306278a836d1ce4e61628cbd4f9e803512217db47391c8b4765a68d43ecd152d964884612e80de3c48508a383460da7a9e
-
Filesize 230KB
MD5 8fe11fc098e2fd9ab2247583fe513a57
SHA1 4b1d5673a74b86286c7ba4a72e8a0f103ca89017
SHA256 691232d9ddf2754581d877ae2803b2f0f09af50187a828bc054ddce6a5e0ab21
SHA512 3a76c3d8dc188c99a203951994446a306278a836d1ce4e61628cbd4f9e803512217db47391c8b4765a68d43ecd152d964884612e80de3c48508a383460da7a9e
-
Filesize 4.1MB
MD5 090951472b82572d79adaee02c2c429e
SHA1 7db00a5b63a155413e353cf89d721c961487d467
SHA256 14c132ab3f1171b719ef63f9c016851b333ffcaa58731f0cf5586f52e30dff3e
SHA512 9a159f13b825c13b1dc15ae7eec4abba1b375a5ad1ac2400be2bba38869ba3538b21a88d3a5e88e7cc5d482fa5c9d5becce3a610a4e5c5c65ca84be67b31cb47
-
Filesize 4.1MB
MD5 090951472b82572d79adaee02c2c429e
SHA1 7db00a5b63a155413e353cf89d721c961487d467
SHA256 14c132ab3f1171b719ef63f9c016851b333ffcaa58731f0cf5586f52e30dff3e
SHA512 9a159f13b825c13b1dc15ae7eec4abba1b375a5ad1ac2400be2bba38869ba3538b21a88d3a5e88e7cc5d482fa5c9d5becce3a610a4e5c5c65ca84be67b31cb47
-
Filesize 4.1MB
MD5 090951472b82572d79adaee02c2c429e
SHA1 7db00a5b63a155413e353cf89d721c961487d467
SHA256 14c132ab3f1171b719ef63f9c016851b333ffcaa58731f0cf5586f52e30dff3e
SHA512 9a159f13b825c13b1dc15ae7eec4abba1b375a5ad1ac2400be2bba38869ba3538b21a88d3a5e88e7cc5d482fa5c9d5becce3a610a4e5c5c65ca84be67b31cb47
-
Filesize 7.8MB
MD5 a72013118002f6cd63ec36bf0f2dc92c
SHA1 98a6f4dc766e930acc24d319dd5206c0fd0d5107
SHA256 40358b737b47e3a1c94e295a7c5166238e0410b5ecffbada08b564cc04938bee
SHA512 a0b197a53ada34a0d3478032678577f923bc96a66ac29c45cd52ddeb0968a642df9afdcbfc2a4636f1cd53e192bc1413e95fa48e0e47edbd9cf47a4bed1ab0ea
-
Filesize 7.8MB
MD5 a72013118002f6cd63ec36bf0f2dc92c
SHA1 98a6f4dc766e930acc24d319dd5206c0fd0d5107
SHA256 40358b737b47e3a1c94e295a7c5166238e0410b5ecffbada08b564cc04938bee
SHA512 a0b197a53ada34a0d3478032678577f923bc96a66ac29c45cd52ddeb0968a642df9afdcbfc2a4636f1cd53e192bc1413e95fa48e0e47edbd9cf47a4bed1ab0ea
-
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize 281KB
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize 281KB
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize 694KB
MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a
-
Filesize 694KB
MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a
-
Filesize 8.1MB
MD5 b0161afbab78849d10cb7d3f00bb4ec3
SHA1 542faa594a2a90b9f37c290a5d6a39bf776ce380
SHA256 aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684
SHA512 84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc
-
Filesize 8.1MB
MD5 b0161afbab78849d10cb7d3f00bb4ec3
SHA1 542faa594a2a90b9f37c290a5d6a39bf776ce380
SHA256 aac4360aef3be725b0ea05262031a6cfe237fb11dac457d3da66305dacaf1684
SHA512 84778ad9f7755c259f4fbdf24287734eb43a1c5ab4fe5bd635ec83c4e982bbaa0f7efc65da7c80ed8aa8a96519ee550337c6e61f609eb9555727f52716fb80dc
-
Filesize 230KB
MD5 8fe11fc098e2fd9ab2247583fe513a57
SHA1 4b1d5673a74b86286c7ba4a72e8a0f103ca89017
SHA256 691232d9ddf2754581d877ae2803b2f0f09af50187a828bc054ddce6a5e0ab21
SHA512 3a76c3d8dc188c99a203951994446a306278a836d1ce4e61628cbd4f9e803512217db47391c8b4765a68d43ecd152d964884612e80de3c48508a383460da7a9e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 18KB
MD5 f748637728a5dd38c1c0031dc1eb24b6
SHA1 0e447b2a159344a85f6f7fd8fe12663fe1c02640
SHA256 449506f61570e039e96b0fadc1c428ca02296fbffa3cff9ecf3295f8f3c8530d
SHA512 4ff6aaebd510c72ab1ed57ce5178693a05e5080a47fd2e15f23e3359d90f1060ba420e5dc8f468c523b6a2a91dc2bda667f6b89e04083e25d59b12fdb28a5ecf
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 18KB
MD5 09aefb1b0425c944aebdca86f2fbee58
SHA1 267cad9d7a62f9aab9b112e1b83a70a2a6d2e96b
SHA256 1a101a849d9170c895b8aa1572a8e9293dbde81c8ff94c70abc1df0b1ab680ca
SHA512 dd872976fd7d577255a5a834edff97f86bde37e4e5e174361b480e0ebcbaa12241a811251e43f336bdf151ec380ba61107fdae87b598b264f2fac84142fdda4b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 18KB
MD5 86d325fab929791922431ad3370bc246
SHA1 3adfdcc26a32852644b17f981399a13da8c8c2ba
SHA256 4785fbe0be7d8187e96a6c4ee2e390267482b9ffa1cf9d897b1383e4437ddd68
SHA512 fcc86156d729b6f84857dbfb03f6a4c27792cf93d1e491575776cfae5e07175799f1cfc15c4862aab8c44d6f97483e952857c9d044823aab5e405441e57d2d20
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 18KB
MD5 633ccd52679f15f466846c5f17af2daf
SHA1 025441c060e952cccee977753bb9a820292d6dd1
SHA256 769e1ee03d15fa4b39113b31a988e0bb0a54e7001e874e8d7e4d5317f44fcaad
SHA512 3d2da25713ee18139384742fd8a787a1b13397b38b9d2eca5fc4b4174b0bd3ca62d38d4cd9fd81aec338d6a0794136e118a509d545477aca0f8e26604a8cbdc0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 18KB
MD5 994c0b46db63f118b3b092e6f6e8dbb2
SHA1 c54a2b03e7132c137f1c31eee9a9f41649956a76
SHA256 dc72b45c52ba597f72277dee4f785d83cfb110d8678eed85d3339441408dc322
SHA512 1167d338b4f8567e7d8ffb84407b2137e430a8646033e2c3ec1711df9d2521c3c3f38ae07be7cbc62d3b39769bdcb4779628d87ebcf62d92e47f1a3c230b8c5e
-
Filesize 4.1MB
MD5 090951472b82572d79adaee02c2c429e
SHA1 7db00a5b63a155413e353cf89d721c961487d467
SHA256 14c132ab3f1171b719ef63f9c016851b333ffcaa58731f0cf5586f52e30dff3e
SHA512 9a159f13b825c13b1dc15ae7eec4abba1b375a5ad1ac2400be2bba38869ba3538b21a88d3a5e88e7cc5d482fa5c9d5becce3a610a4e5c5c65ca84be67b31cb47
-
Filesize 4.1MB
MD5 090951472b82572d79adaee02c2c429e
SHA1 7db00a5b63a155413e353cf89d721c961487d467
SHA256 14c132ab3f1171b719ef63f9c016851b333ffcaa58731f0cf5586f52e30dff3e
SHA512 9a159f13b825c13b1dc15ae7eec4abba1b375a5ad1ac2400be2bba38869ba3538b21a88d3a5e88e7cc5d482fa5c9d5becce3a610a4e5c5c65ca84be67b31cb47
-
Filesize 3KB
MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68
-
Filesize 2.0MB
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize 2.0MB
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize 2.0MB
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize 4.1MB
MD5 184fc62aeb4c9d78891eb8d509c429e5
SHA1 4456d00e767b918a5118741985f2e1bc924b8e53
SHA256 6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052
SHA512 100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b
-
Filesize 742KB
MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize 2KB
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize 13KB
MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize 13KB
MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4