Analysis
-
max time kernel: 113s
max time network: 305s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted
22-02-2024 04:48
Static task
static1
Behavioral task
behavioral1
Sample
3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Resource
win10-20240221-en
General
-
Target: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Size: 215KB
MD5: beea0c962def411b794fe5fd33f4e5b9
SHA1: 2c4743812c810d05d42ab11bb9beda423bdd7d2a
SHA256: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c
SHA512: bfff88b479bf97ad6878f1c90197263d9c0cc9485eda0ba5f9ef5bf39b0f02e3236ee31e7ac581348da5497e805cff56853965797b778e01a73c852f6479c6ac
SSDEEP: 1536:SPWQAMcx0G0QR9UMpkjgwoqC3Pbn2PhNxl0NtC3l6mRB4TG3RS6gGVUxpCQPKRcb:SPtI/j230wrV3Y8Wx1PwBHxDYSc5Dra
Malware Config
Extracted
smokeloader
2022
Extracted
smokeloader
pub1
Extracted
stealc
http://185.172.128.145
url_path: /3cd2b41cbde8fc9c.php
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
Extracted
socks5systemz
http://bozrhoc.com/search/?q=67e28dd86859a37e420aab497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978f671ea771795af8e05c646db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ef714c7e8969238
Signatures
-
DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: schtasks.exe, schtasks.exe, 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe, schtasks.exe, 47E5.exe (columns: description, ioc, pid, Process)
- pid 4744: schtasks.exe
- pid 9724: schtasks.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
- pid 6472: schtasks.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"": 47E5.exe
Glupteba payload 2 IoCs
Processes (columns: resource, yara_rule):
- behavioral2/memory/5036-230-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
- behavioral2/memory/5036-233-0x0000000002D40000-0x000000000362B000-memory.dmp: family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Processes: 288c47bbc1871b439df19ff4df68f076.exe (columns: description, ioc, Process)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe (columns: pid, Process)
- pid 4952: netsh.exe
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes (columns: pid, Process):
- pid 3360
Executes dropped EXE 20 IoCs
Processes: 2641.exe, 3219.exe, 3D26.exe, 3D26.tmp, powershell.exe, Conhost.exe, dvd32plugin.exe, 47E5.exe, 4FF5.exe, 7715.exe, 288c47bbc1871b439df19ff4df68f076.exe, InstallSetup4.exe, FourthX.exe, 288c47bbc1871b439df19ff4df68f076.exe, BroomSetup.exe, nsi8B84.tmp, 9D3D.exe, 9D3D.tmp, vueqjgslwynd.exe (columns: pid, Process)
- pid 2448: 2641.exe
- pid 3724: 3219.exe
- pid 2428: 3D26.exe
- pid 4728: 3D26.tmp
- pid 4288: powershell.exe
- pid 4600: Conhost.exe
- pid 1548: dvd32plugin.exe
- pid 4292: 47E5.exe
- pid 3772: 4FF5.exe
- pid 1364: 7715.exe
- pid 5036: 288c47bbc1871b439df19ff4df68f076.exe
- pid 4736: InstallSetup4.exe
- pid 5048: FourthX.exe
- pid 324: 288c47bbc1871b439df19ff4df68f076.exe
- pid 2036: BroomSetup.exe
- pid 4196: nsi8B84.tmp
- pid 4368: 9D3D.exe
- pid 3940: 9D3D.tmp
- pid 324: 288c47bbc1871b439df19ff4df68f076.exe
- pid 3976: vueqjgslwynd.exe
Loads dropped DLL 11 IoCs
Processes: regsvr32.exe, 3D26.tmp, 47E5.exe, InstallSetup4.exe, 9D3D.tmp, nsi8B84.tmp (columns: pid, Process)
- pid 2300: regsvr32.exe
- pid 4728: 3D26.tmp
- pid 4292: 47E5.exe
- pid 4736: InstallSetup4.exe
- pid 4736: InstallSetup4.exe
- pid 3940: 9D3D.tmp
- pid 3940: 9D3D.tmp
- pid 3940: 9D3D.tmp
- pid 4196: nsi8B84.tmp
- pid 4196: nsi8B84.tmp
- pid 4736: InstallSetup4.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (columns: resource, yara_rule):
- behavioral2/memory/4292-129-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/4292-127-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/4292-131-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/4292-133-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/4292-135-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/4292-136-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/4292-242-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/4292-265-0x0000000000400000-0x0000000000848000-memory.dmp: upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes (columns: description, ioc):
- Destination IP: 45.155.250.90
Processes: 288c47bbc1871b439df19ff4df68f076.exe (columns: description, ioc, Process)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0": 288c47bbc1871b439df19ff4df68f076.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0": 288c47bbc1871b439df19ff4df68f076.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 47E5.exe, 288c47bbc1871b439df19ff4df68f076.exe (columns: description, ioc, Process)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"": 47E5.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"": 288c47bbc1871b439df19ff4df68f076.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 2641.exe (columns: description, ioc, Process)
- File opened for modification \??\PHYSICALDRIVE0: 2641.exe
Drops file in System32 directory 9 IoCs
Processes: powershell.exe, vueqjgslwynd.exe, powershell.exe, powershell.exe, powershell.exe, FourthX.exe (columns: description, ioc, Process)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log: powershell.exe
- File opened for modification C:\Windows\system32\MRT.exe: vueqjgslwynd.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive: powershell.exe
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log: powershell.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive: powershell.exe
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive: powershell.exe
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive: powershell.exe
- File opened for modification C:\Windows\system32\MRT.exe: FourthX.exe
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache: powershell.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: Conhost.exe, vueqjgslwynd.exe (columns: description, pid, Process, procid_target)
- PID 4600 set thread context of 4292: pid 4600, Conhost.exe, procid_target 83
- PID 3976 set thread context of 4636: pid 3976, vueqjgslwynd.exe, procid_target 131
- PID 3976 set thread context of 2340: pid 3976, vueqjgslwynd.exe, procid_target 133
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: 288c47bbc1871b439df19ff4df68f076.exe (columns: description, ioc, Process)
- File opened (read-only) \??\VBoxMiniRdrDN: 288c47bbc1871b439df19ff4df68f076.exe
Drops file in Windows directory 2 IoCs
Processes: 288c47bbc1871b439df19ff4df68f076.exe (columns: description, ioc, Process)
- File opened for modification C:\Windows\rss: 288c47bbc1871b439df19ff4df68f076.exe
- File created C:\Windows\rss\csrss.exe: 288c47bbc1871b439df19ff4df68f076.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe, sc.exe, sc.exe (columns: pid, Process)
- pid 3268: sc.exe
- pid 4124: sc.exe
- pid 4436: sc.exe
- pid 2160: sc.exe
- pid 6232: sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe (columns: pid, pid_target, Process, procid_target)
- pid 8140, pid_target 4468: WerFault.exe, procid_target 137
- pid 7148, pid_target 4292: WerFault.exe, procid_target 83
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe, 288c47bbc1871b439df19ff4df68f076.exe (columns: description, ioc, Process)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: 288c47bbc1871b439df19ff4df68f076.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: 288c47bbc1871b439df19ff4df68f076.exe
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: 288c47bbc1871b439df19ff4df68f076.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: nsi8B84.tmp (columns: description, ioc, Process)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0: nsi8B84.tmp
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString: nsi8B84.tmp
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe (columns: pid, Process)
- pid 4744: schtasks.exe
- pid 9724: schtasks.exe
- pid 6472: schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exepid Process 4768 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe 4768 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 3360 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (columns: pid, Process):
- pid 3360
Suspicious behavior: LoadsDriver 1 IoCs
Processes (columns: pid, Process):
- pid 640
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe, 288c47bbc1871b439df19ff4df68f076.exe (columns: pid, Process)
- pid 4768: 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
- pid 324: 288c47bbc1871b439df19ff4df68f076.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exedescription pid Process Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeDebugPrivilege 4816 powershell.exe Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeDebugPrivilege 5036 288c47bbc1871b439df19ff4df68f076.exe Token: SeImpersonatePrivilege 5036 288c47bbc1871b439df19ff4df68f076.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeShutdownPrivilege 3360 Token: SeCreatePagefilePrivilege 3360 Token: SeShutdownPrivilege 3360 Token: 
SeCreatePagefilePrivilege 3360 Token: SeDebugPrivilege 4288 powershell.exe Token: SeDebugPrivilege 2852 powershell.exe Token: SeIncreaseQuotaPrivilege 2852 powershell.exe Token: SeSecurityPrivilege 2852 powershell.exe Token: SeTakeOwnershipPrivilege 2852 powershell.exe Token: SeLoadDriverPrivilege 2852 powershell.exe Token: SeSystemProfilePrivilege 2852 powershell.exe Token: SeSystemtimePrivilege 2852 powershell.exe Token: SeProfSingleProcessPrivilege 2852 powershell.exe Token: SeIncBasePriorityPrivilege 2852 powershell.exe Token: SeCreatePagefilePrivilege 2852 powershell.exe Token: SeBackupPrivilege 2852 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: 3D26.tmp, 9D3D.tmp (columns: pid, Process)
- pid 4728: 3D26.tmp
- pid 3940: 9D3D.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: BroomSetup.exe (columns: pid, Process)
- pid 2036: BroomSetup.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
regsvr32.exe3D26.exe3D26.tmpConhost.exe7715.exeInstallSetup4.exeBroomSetup.execmd.exedescription pid Process procid_target PID 3360 wrote to memory of 2080 3360 74 PID 3360 wrote to memory of 2080 3360 74 PID 2080 wrote to memory of 2300 2080 regsvr32.exe 75 PID 2080 wrote to memory of 2300 2080 regsvr32.exe 75 PID 2080 wrote to memory of 2300 2080 regsvr32.exe 75 PID 3360 wrote to memory of 2448 3360 76 PID 3360 wrote to memory of 2448 3360 76 PID 3360 wrote to memory of 2448 3360 76 PID 3360 wrote to memory of 3724 3360 77 PID 3360 wrote to memory of 3724 3360 77 PID 3360 wrote to memory of 3724 3360 77 PID 3360 wrote to memory of 2428 3360 78 PID 3360 wrote to memory of 2428 3360 78 PID 3360 wrote to memory of 2428 3360 78 PID 2428 wrote to memory of 4728 2428 3D26.exe 79 PID 2428 wrote to memory of 4728 2428 3D26.exe 79 PID 2428 wrote to memory of 4728 2428 3D26.exe 79 PID 4728 wrote to memory of 4288 4728 3D26.tmp 110 PID 4728 wrote to memory of 4288 4728 3D26.tmp 110 PID 4728 wrote to memory of 4288 4728 3D26.tmp 110 PID 3360 wrote to memory of 4600 3360 123 PID 3360 wrote to memory of 4600 3360 123 PID 3360 wrote to memory of 4600 3360 123 PID 4728 wrote to memory of 1548 4728 3D26.tmp 82 PID 4728 wrote to memory of 1548 4728 3D26.tmp 82 PID 4728 wrote to memory of 1548 4728 3D26.tmp 82 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 4600 wrote to memory of 4292 4600 Conhost.exe 83 PID 3360 wrote to memory of 3772 3360 84 PID 3360 wrote to memory of 3772 3360 84 PID 3360 wrote to memory of 3772 3360 84 PID 3360 wrote to memory of 1364 3360 85 PID 3360 wrote to memory of 1364 3360 85 PID 3360 wrote to memory of 1364 3360 85 PID 1364 wrote 
to memory of 5036 1364 7715.exe 86 PID 1364 wrote to memory of 5036 1364 7715.exe 86 PID 1364 wrote to memory of 5036 1364 7715.exe 86 PID 1364 wrote to memory of 4736 1364 7715.exe 87 PID 1364 wrote to memory of 4736 1364 7715.exe 87 PID 1364 wrote to memory of 4736 1364 7715.exe 87 PID 1364 wrote to memory of 5048 1364 7715.exe 88 PID 1364 wrote to memory of 5048 1364 7715.exe 88 PID 3360 wrote to memory of 324 3360 103 PID 3360 wrote to memory of 324 3360 103 PID 3360 wrote to memory of 324 3360 103 PID 4736 wrote to memory of 2036 4736 InstallSetup4.exe 90 PID 4736 wrote to memory of 2036 4736 InstallSetup4.exe 90 PID 4736 wrote to memory of 2036 4736 InstallSetup4.exe 90 PID 4736 wrote to memory of 4196 4736 InstallSetup4.exe 91 PID 4736 wrote to memory of 4196 4736 InstallSetup4.exe 91 PID 4736 wrote to memory of 4196 4736 InstallSetup4.exe 91 PID 2036 wrote to memory of 4372 2036 BroomSetup.exe 92 PID 2036 wrote to memory of 4372 2036 BroomSetup.exe 92 PID 2036 wrote to memory of 4372 2036 BroomSetup.exe 92 PID 4372 wrote to memory of 308 4372 cmd.exe 94 PID 4372 wrote to memory of 308 4372 cmd.exe 94 PID 4372 wrote to memory of 308 4372 cmd.exe 94 PID 4372 wrote to memory of 4744 4372 cmd.exe 95 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
command line: "C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4768
-
(depth 1) C:\Windows\system32\regsvr32.exe
command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\249A.dll
- Suspicious use of WriteProcessMemory
PID:2080 -
(depth 2) C:\Windows\SysWOW64\regsvr32.exe
command line: /s C:\Users\Admin\AppData\Local\Temp\249A.dll
- Loads dropped DLL
PID:2300
-
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\2641.exe
command line: C:\Users\Admin\AppData\Local\Temp\2641.exe
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2448
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\3219.exe
command line: C:\Users\Admin\AppData\Local\Temp\3219.exe
- Executes dropped EXE
PID:3724
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\3D26.exe
command line: C:\Users\Admin\AppData\Local\Temp\3D26.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp"C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp" /SL5="$8007A,3536428,54272,C:\Users\Admin\AppData\Local\Temp\3D26.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i3⤵PID:4288
-
-
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s3⤵
- Executes dropped EXE
PID:1548
-
-
-
C:\Users\Admin\AppData\Local\Temp\47E5.exeC:\Users\Admin\AppData\Local\Temp\47E5.exe1⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\47E5.exeC:\Users\Admin\AppData\Local\Temp\47E5.exe2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:4292 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 428403⤵
- Program crash
PID:7148
-
-
-
C:\Users\Admin\AppData\Local\Temp\4FF5.exeC:\Users\Admin\AppData\Local\Temp\4FF5.exe1⤵
- Executes dropped EXE
PID:3772
-
C:\Users\Admin\AppData\Local\Temp\7715.exeC:\Users\Admin\AppData\Local\Temp\7715.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5036 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: MapViewOfSection
PID:324 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:4088
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:4952
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4288
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2500
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵PID:4544
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:8716
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:9724
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:5232
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:4632
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:1580
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵PID:692
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:6472
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵PID:6868
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:1504
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:6232
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:308
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- DcRat
- Creates scheduled task(s)
PID:4744
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmpC:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4196
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5048 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:3268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:4328
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:1372
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:4124
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:4436 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4600
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:2160
-
-
-
C:\Users\Admin\AppData\Local\Temp\7EF6.exeC:\Users\Admin\AppData\Local\Temp\7EF6.exe1⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\9D3D.exeC:\Users\Admin\AppData\Local\Temp\9D3D.exe1⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp"C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp" /SL5="$B02DE,4081152,54272,C:\Users\Admin\AppData\Local\Temp\9D3D.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3940
-
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3976 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1432
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:1600
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3356
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
PID:2340
-
-
C:\Users\Admin\AppData\Roaming\tdcrrevC:\Users\Admin\AppData\Roaming\tdcrrev1⤵PID:836
-
C:\Users\Admin\AppData\Roaming\sjcrrevC:\Users\Admin\AppData\Roaming\sjcrrev1⤵PID:4468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 4762⤵
- Program crash
PID:8140
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:9628
Network
MITRE ATT&CK Enterprise v15 (technique counts as reported)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)

Defense Evasion
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (2)
- Modify Registry (3)
- Pre-OS Boot (1): Bootkit (1)
Downloads