Analysis
max time kernel: 262s
max time network: 300s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-02-2024 04:52

Static task: static1

Behavioral task: behavioral1
Sample: f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
Resource: win10-20240221-en

General
Target: f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
Size: 215KB
MD5: c77c00c8db4fdd527bc6ab395965a520
SHA1: b78cc2f961a5c751b905ff683b5ddf496036cbb5
SHA256: f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1
SHA512: 43c6155e500bfed88f5b627fbae1b013f30a43cb511d505cebc5ba082081fa9bd2e5b547ac7f5e7a40be979e9829c964d298f58f1d3e93211d7f67d9920ae58a
SSDEEP: 3072:mWC/TP2QJDkxosWcd+dG/9oxa/ulZ5RX:jTmDkxos0G/9Jul
Malware Config

Extracted: smokeloader
  2022
  http://selebration17io.io/index.php
  http://vacantion18ffeu.cc/index.php
  http://valarioulinity1.net/index.php
  http://buriatiarutuhuob.net/index.php
  http://cassiosssionunu.me/index.php
  http://sulugilioiu19.net/index.php
  http://goodfooggooftool.net/index.php
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php

Extracted: smokeloader
  pub1

Extracted: stealc
  http://185.172.128.145
  url_path: /3cd2b41cbde8fc9c.php

Extracted: lumma
  https://resergvearyinitiani.shop/api
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api

Extracted: socks5systemz
  http://bmlwibe.com/search/?q=67e28dd86d58f02d130da81f7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a571ea771795af8e05c646db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ef714c7e8939839
Signatures

DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
pid | Process
5108 | schtasks.exe
1016 | schtasks.exe
3716 | schtasks.exe
The IoCs behind this match are generic (one SCSI enumeration key and three schtasks.exe launches) and no DcRat configuration was extracted, so this family attribution is weak next to the SmokeLoader, Stealc, Lumma and Socks5Systemz configs recovered above.

Detect Socks5Systemz Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4792-446-0x00000000009C0000-0x0000000000A62000-memory.dmp | family_socks5systemz
(PID 4792 is the second dvd32plugin.exe instance, started with -s, in the process tree below.)

Glupteba payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/5012-188-0x0000000002E00000-0x00000000036EB000-memory.dmp | family_glupteba
behavioral2/memory/5012-191-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/5012-428-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
(PID 5012 is the first 288c47bbc1871b439df19ff4df68f076.exe instance in the process tree below.)
SmokeLoader
Modular backdoor trojan in use since 2014.

Socks5Systemz
Socks5Systemz is a botnet written in C++.

Windows security bypass
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
The exclusions cover exactly the paths and process names the sample drops later (C:\Windows\rss, C:\Windows\windefender.exe, csrss.exe), so the set of excluded paths is itself a usable indicator.

Creates new service(s) 1 TTPs

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | Process
3724 | netsh.exe

Stops running service(s) 3 TTPs

Deletes itself 1 IoCs
Processes:
pid | Process
3368 |
Executes dropped EXE 24 IoCs
Processes:
pid | Process
3180 | B76A.exe
4828 | C92E.exe
3224 | DAC3.exe
3216 | DAC3.tmp
4280 | dvd32plugin.exe
4792 | dvd32plugin.exe
1848 | E5B1.exe
3840 | E5B1.exe
1744 | ECB7.exe
4932 | 13F6.exe
5012 | 288c47bbc1871b439df19ff4df68f076.exe
4296 | InstallSetup4.exe
3076 | FourthX.exe
2548 | BroomSetup.exe
3896 | 2405.exe
4924 | nso274C.tmp
1836 | 3C31.exe
864 | 3C31.tmp
2300 | vueqjgslwynd.exe
1440 | 288c47bbc1871b439df19ff4df68f076.exe
2792 | csrss.exe
3236 | injector.exe
3788 | windefender.exe
4580 | windefender.exe

Loads dropped DLL 11 IoCs
Processes:
pid | Process
4052 | regsvr32.exe
3216 | DAC3.tmp
3840 | E5B1.exe
4296 | InstallSetup4.exe (×3)
864 | 3C31.tmp (×3)
4924 | nso274C.tmp (×2)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

UPX packed file 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3840-131-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3840-134-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3840-135-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3840-136-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3840-137-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3840-138-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/files/0x000700000001ac60-2183.dat | upx
(PID 3840 is the hollowed second instance of E5B1.exe.)

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 141.98.234.31
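The C2 URLs in the Malware Config section and the DNS anomaly flagged directly above are the indicators a network defender would hunt for. The Python below is an added example, not code from the sandbox report: it builds host and path indicators from the extracted configs (the Stealc C2 and its url_path are joined into one URL), matches them against proxy-log lines, and flags port-53 flows to anything other than the configured resolvers, which is the check behind the "Unexpected DNS network traffic destination" signature. The proxy and flow log lines, their layout, and the resolver address 10.0.0.2 are constructed for the example; the indicator values come from the report.

```python
import re
from urllib.parse import urlparse

# C2 URLs from the Malware Config section (smokeloader, stealc, lumma).
# The stealc entry joins the C2 host with its url_path.
C2_URLS = [
    "http://selebration17io.io/index.php",
    "http://vacantion18ffeu.cc/index.php",
    "http://valarioulinity1.net/index.php",
    "http://buriatiarutuhuob.net/index.php",
    "http://cassiosssionunu.me/index.php",
    "http://sulugilioiu19.net/index.php",
    "http://goodfooggooftool.net/index.php",
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
    "http://185.172.128.145/3cd2b41cbde8fc9c.php",
    "https://resergvearyinitiani.shop/api",
    "https://technologyenterdo.shop/api",
    "https://detectordiscusser.shop/api",
    "https://turkeyunlikelyofw.shop/api",
    "https://associationokeo.shop/api",
]

# Resolvers the monitored network is supposed to use (assumed for the example).
CONFIGURED_RESOLVERS = {"10.0.0.2"}


def build_indicators(urls):
    """Split C2 URLs into a host set and a (host, path) set for exact matches."""
    hosts, host_paths = set(), set()
    for u in urls:
        p = urlparse(u)
        hosts.add(p.hostname.lower())
        host_paths.add((p.hostname.lower(), p.path))
    return hosts, host_paths


def host_matches(host, hosts):
    """True for the indicator host itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


# Constructed proxy-log layout: <ts> <client> <method> <url> <status>
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_proxy(lines, urls=C2_URLS):
    """Return (ts, client, url, 'exact'|'host') for every line hitting a C2 indicator."""
    hosts, host_paths = build_indicators(urls)
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        p = urlparse(m["url"])
        if p.hostname and host_matches(p.hostname, hosts):
            exact = (p.hostname.lower(), p.path) in host_paths
            hits.append((m["ts"], m["src"], m["url"], "exact" if exact else "host"))
    return hits


# Constructed flow-log layout: <ts> <src> -> <dst>:<dport> <proto>
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")


def unexpected_dns(lines, resolvers=CONFIGURED_RESOLVERS):
    """Flag port-53 flows whose destination is not a configured resolver."""
    out = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m and m["dport"] == "53" and m["dst"] not in resolvers:
            out.append((m["ts"], m["src"], m["dst"], m["proto"]))
    return out


# Constructed sample logs; only the indicator values are from the report.
PROXY_LOG = [
    "2024-02-22T04:53:10Z 10.0.0.15 GET http://vacantion18ffeu.cc/index.php 200",
    "2024-02-22T04:53:11Z 10.0.0.15 GET http://www.example.com/ 200",
    "2024-02-22T04:53:14Z 10.0.0.15 POST http://185.172.128.145/3cd2b41cbde8fc9c.php 200",
    "2024-02-22T04:53:20Z 10.0.0.15 GET https://cdn.technologyenterdo.shop/static/x.js 404",
]
FLOW_LOG = [
    "2024-02-22T04:53:09Z 10.0.0.15 -> 10.0.0.2:53 udp",
    "2024-02-22T04:53:12Z 10.0.0.15 -> 141.98.234.31:53 udp",
    "2024-02-22T04:53:13Z 10.0.0.15 -> 185.172.128.145:80 tcp",
]

if __name__ == "__main__":
    for hit in match_proxy(PROXY_LOG):
        print("C2 match:", hit)
    for flow in unexpected_dns(FLOW_LOG):
        print("DNS to unexpected server:", flow)
```

Host-only matches (a subdomain of a Lumma host, for instance) are reported separately from exact host-plus-path matches so the analyst can rank them; the DNS check is deliberately protocol-agnostic, since traffic to 141.98.234.31 on port 53 is suspicious whether or not it carries real DNS.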
Windows security modification
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | 288c47bbc1871b439df19ff4df68f076.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | E5B1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 288c47bbc1871b439df19ff4df68f076.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Both Run values point at a binary named csrss.exe outside System32 (C:\ProgramData\Drivers and C:\Windows\rss); the legitimate Client/Server Runtime Subsystem lives only in C:\Windows\System32 and is never started from a Run key, so the name is a masquerade.
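The Defender exclusion writes and the Run keys above are the host artefacts that outlive the sandbox run. As an added example (not code from the report), the Python below parses registry events written in the layout of the report's raw signature rows (Set value (<type>) <key> = "<data>" <process>), reports every Windows Defender exclusion with its kind and target, and flags Run entries whose image carries the name of a Windows system binary but lives outside System32 or SysWOW64. The first six event lines are copied from the tables above; the OneDrive line is a constructed benign entry for contrast, and the list of system binary names is an assumed starting point, not a complete one.

```python
import re
from pathlib import PureWindowsPath

# One registry event per line. Lines 1-6 are copied from the report's
# "Windows security bypass" and "Adds Run key" tables; the last line is a
# constructed benign Run entry.
REGISTRY_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 288c47bbc1871b439df19ff4df68f076.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 288c47bbc1871b439df19ff4df68f076.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" E5B1.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 288c47bbc1871b439df19ff4df68f076.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" explorer.exe',
]

EVENT_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
RUN_RE = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\(?P<name>[^\\]+)$", re.I)
EXCL_MARK = "\\microsoft\\windows defender\\exclusions\\"

# Names that only legitimately run from the system directories (assumed list).
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe", "dwm.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def unescape(data):
    """The report writes REG_SZ data C-escaped: \\" -> " and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", data)


def image_from_command(cmd):
    """First token of a command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def defender_exclusion(key):
    """(kind, target) for a write under Windows Defender\\Exclusions, else None."""
    i = key.lower().find(EXCL_MARK)
    if i < 0:
        return None
    kind, _, target = key[i + len(EXCL_MARK):].partition("\\")
    return kind, target


def analyse(lines):
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        key, proc = m["key"], m["proc"]
        excl = defender_exclusion(key)
        if excl:
            findings.append({"rule": "defender_exclusion", "kind": excl[0],
                             "target": excl[1], "process": proc})
            continue
        r = RUN_RE.search(key)
        if r:
            image = image_from_command(unescape(m["data"]))
            p = PureWindowsPath(image)
            masquerade = (p.name.lower() in SYSTEM_BINARIES
                          and str(p.parent).lower() not in SYSTEM_DIRS)
            findings.append({"rule": "run_key_masquerade" if masquerade else "run_key",
                             "name": r["name"], "image": image, "process": proc})
    return findings


if __name__ == "__main__":
    for f in analyse(REGISTRY_EVENTS):
        print(f)
```

The same two checks map directly onto Sysmon Event ID 13 (RegistryEvent value set) data on a live host: any write under Windows Defender\Exclusions by a process that is not the Defender service itself deserves an alert, and the masquerade rule catches the csrss.exe entries here without needing the sample's file hashes.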
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | B76A.exe
Drops file in System32 directory 13 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe (×5)
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | FourthX.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
The PowerShell entries are profile and cache housekeeping under the SYSTEM profile; the one entry that is not is FourthX.exe opening C:\Windows\system32\MRT.exe (the Malicious Software Removal Tool) for modification.

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 1848 set thread context of 3840 | 1848 | E5B1.exe | 83
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 4 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | 288c47bbc1871b439df19ff4df68f076.exe
File created | C:\Windows\rss\csrss.exe | 288c47bbc1871b439df19ff4df68f076.exe
File created | C:\Windows\windefender.exe | csrss.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | Process
1500 | sc.exe
4720 | sc.exe
2696 | sc.exe
1408 | sc.exe
4832 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2405.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2405.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2405.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nso274C.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nso274C.tmp

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | Process
5108 | schtasks.exe
1016 | schtasks.exe
3716 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.exe, Set value (str) under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll (time-zone display names resolved through the MUI cache; 22 entries):
  -31 = "Mid-Atlantic Daylight Time"
  -335 = "Jordan Standard Time"
  -911 = "Mauritius Daylight Time"
  -2791 = "Novosibirsk Daylight Time"
  -602 = "Taipei Standard Time"
  -461 = "Afghanistan Daylight Time"
  -12 = "Azores Standard Time"
  -692 = "Tasmania Standard Time"
  -632 = "Tokyo Standard Time"
  -351 = "FLE Daylight Time"
  -452 = "Caucasus Standard Time"
  -332 = "E. Europe Standard Time"
  -672 = "AUS Eastern Standard Time"
  -282 = "Central Europe Standard Time"
  -2452 = "Saint Pierre Standard Time"
  -932 = "Coordinated Universal Time"
  -251 = "Dateline Daylight Time"
  -512 = "Central Asia Standard Time"
  -732 = "Fiji Standard Time"
  -792 = "SA Western Standard Time"
  -2181 = "Astrakhan Daylight Time"
  -2342 = "Haiti Standard Time"
powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (20 entries):
  SmartCardRoot
  SmartCardRoot\CRLs
  SmartCardRoot\Certificates
  trust\Certificates (×2)
  trust\CTLs
  CA (×2)
  CA\Certificates (×2)
  Root\CRLs (×2)
  Root\CTLs
  Root\Certificates
  TrustedPeople\Certificates (×2)
  TrustedPeople\CTLs
  Disallowed\Certificates (×2)
  Disallowed\CRLs
powershell.exe, Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (14 entries):
  trust
  trust\Certificates
  trust\CTLs
  trust\CRLs
  TrustedPeople\CRLs (×2)
  Disallowed
  Disallowed\Certificates
  Disallowed\CRLs
  Disallowed\CTLs (×2)
  CA
  CA\Certificates
  CA\CTLs
powershell.exe, Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (×2)
powershell.exe, Set value (int) under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (4 entries):
  ProxyBypass = "1"
  AutoDetect = "0" (×2)
  UNCAsIntranet = "1"
netsh.exe, Key created (2 entries):
  \REGISTRY\USER\.DEFAULT\System\CurrentControlSet
  \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace
The writes land under .DEFAULT because the PowerShell instances and netsh.exe run as SYSTEM; the certificate-store and WinTrust keys are the side effect of PowerShell initialising signature verification, not a certificate being installed.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
4860 | f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe (×2)
3368 | (×62)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
3368 |

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | Process
4860 | f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
3896 | 2405.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | Process
Token: SeShutdownPrivilege | 3368 |
Token: SeCreatePagefilePrivilege | 3368 |
(the two entries above alternate 21 times each, 42 entries in total)
Token: SeDebugPrivilege | 3720 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3720 | powershell.exe
Token: SeSecurityPrivilege | 3720 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3720 | powershell.exe
Token: SeLoadDriverPrivilege | 3720 | powershell.exe
Token: SeSystemProfilePrivilege | 3720 | powershell.exe
Token: SeSystemtimePrivilege | 3720 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3720 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3720 | powershell.exe
Token: SeCreatePagefilePrivilege | 3720 | powershell.exe
Token: SeBackupPrivilege | 3720 | powershell.exe
Token: SeRestorePrivilege | 3720 | powershell.exe
Token: SeShutdownPrivilege | 3720 | powershell.exe
Token: SeDebugPrivilege | 3720 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3720 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3720 | powershell.exe
Token: SeUndockPrivilege | 3720 | powershell.exe
Token: SeManageVolumePrivilege | 3720 | powershell.exe
Token: 33 | 3720 | powershell.exe
Token: 34 | 3720 | powershell.exe
Token: 35 | 3720 | powershell.exe
Token: 36 | 3720 | powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | Process
3216 | DAC3.tmp
864 | 3C31.tmp

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | Process
2548 | BroomSetup.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target (count)
PID 3368 wrote to memory of 4848 | 3368 | | 74 (×2)
PID 4848 wrote to memory of 4052 | 4848 | regsvr32.exe | 75 (×3)
PID 3368 wrote to memory of 3180 | 3368 | | 76 (×3)
PID 3368 wrote to memory of 4828 | 3368 | | 77 (×3)
PID 3368 wrote to memory of 3224 | 3368 | | 78 (×3)
PID 3224 wrote to memory of 3216 | 3224 | DAC3.exe | 79 (×3)
PID 3216 wrote to memory of 4280 | 3216 | DAC3.tmp | 80 (×3)
PID 3216 wrote to memory of 4792 | 3216 | DAC3.tmp | 81 (×3)
PID 3368 wrote to memory of 1848 | 3368 | | 82 (×3)
PID 1848 wrote to memory of 3840 | 1848 | E5B1.exe | 83 (×8)
PID 3368 wrote to memory of 1744 | 3368 | | 84 (×3)
PID 3368 wrote to memory of 4932 | 3368 | | 85 (×3)
PID 4932 wrote to memory of 5012 | 4932 | 13F6.exe | 86 (×3)
PID 4932 wrote to memory of 4296 | 4932 | 13F6.exe | 87 (×3)
PID 4932 wrote to memory of 3076 | 4932 | 13F6.exe | 88 (×2)
PID 4296 wrote to memory of 2548 | 4296 | InstallSetup4.exe | 89 (×3)
PID 3368 wrote to memory of 3896 | 3368 | | 90 (×3)
PID 2548 wrote to memory of 4456 | 2548 | BroomSetup.exe | 91 (×3)
PID 4296 wrote to memory of 4924 | 4296 | InstallSetup4.exe | 93 (×3)
PID 3368 wrote to memory of 1836 | 3368 | | 94 (×3)
PID 1836 wrote to memory of 864 | 1836 | 3C31.exe | 95 (×1)
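The WriteProcessMemory and SetThreadContext tables record who injected into whom. Read together they show E5B1.exe (PID 1848) writing eight times into a second copy of itself (PID 3840) and then resetting that process's thread context, which is the process-hollowing pattern, with the unnamed PID 3368 as the root that launches every dropped payload. The Python below is an added example, not code from the report: it parses rows in the report's raw layout (PID <src> wrote to memory of <dst> <src> [<image>] <target>, and the same shape for set thread context), reconstructs the injection tree from the write edges, and flags parent/child pairs that combine memory writes with a thread-context reset. The event rows are taken from the tables above (the eight identical 1848 to 3840 writes included); the pid-to-image map is assembled from the Executes dropped EXE table and the process tree, and 3368 is left unnamed as it is in the report.

```python
import re
from collections import Counter, defaultdict

# Rows from the report's WriteProcessMemory and SetThreadContext tables.
EVENT_LINES = [
    "PID 3368 wrote to memory of 4848 3368 74",
    "PID 4848 wrote to memory of 4052 4848 regsvr32.exe 75",
    "PID 3368 wrote to memory of 3224 3368 78",
    "PID 3224 wrote to memory of 3216 3224 DAC3.exe 79",
    "PID 3216 wrote to memory of 4792 3216 DAC3.tmp 81",
    "PID 3368 wrote to memory of 1848 3368 82",
] + ["PID 1848 wrote to memory of 3840 1848 E5B1.exe 83"] * 8 + [
    "PID 1848 set thread context of 3840 1848 E5B1.exe 83",
]

# pid -> image, from the Executes dropped EXE table and the process tree.
IMAGES = {
    4848: "regsvr32.exe", 4052: "regsvr32.exe", 3224: "DAC3.exe", 3216: "DAC3.tmp",
    4792: "dvd32plugin.exe", 1848: "E5B1.exe", 3840: "E5B1.exe",
}

# The source image is optional: PID 3368 has no name anywhere in the report.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<src_again>\d+)(?: (?P<image>\S+))? (?P<target>\d+)$"
)


def parse_events(lines):
    """Return (src_pid, operation, dst_pid) tuples; unparseable rows are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append((int(m["src"]), m["op"], int(m["dst"])))
    return events


def find_hollowing(events, images):
    """Parent that both writes into a child and resets its thread context.
    The same image name on both sides is the classic self-hollowing shape."""
    writes = Counter((s, d) for s, op, d in events if op == "wrote to memory of")
    ctx = {(s, d) for s, op, d in events if op == "set thread context of"}
    out = []
    for s, d in sorted(ctx):
        out.append({
            "parent": s, "child": d,
            "parent_image": images.get(s, "?"), "child_image": images.get(d, "?"),
            "writes": writes.get((s, d), 0),
            "same_image": s in images and images.get(s) == images.get(d),
        })
    return out


def descendants(events, root):
    """Every pid reachable from root through write-into edges (the injection tree)."""
    edges = defaultdict(set)
    for s, op, d in events:
        if op == "wrote to memory of":
            edges[s].add(d)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in edges[pid]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def chain(events, pid):
    """Lineage from the first writer down to pid, following the first write into each child."""
    parent = {}
    for s, op, d in events:
        if op == "wrote to memory of":
            parent.setdefault(d, s)
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return list(reversed(path))


if __name__ == "__main__":
    ev = parse_events(EVENT_LINES)
    for h in find_hollowing(ev, IMAGES):
        print("hollowing candidate:", h)
    print("spawned by 3368:", sorted(descendants(ev, 3368)))
    print("lineage of 4792:", " -> ".join(map(str, chain(ev, 4792))))
```

Writes alone are not conclusive (an installer such as DAC3.exe writing into its own .tmp helper looks the same), which is why the hollowing rule requires the thread-context reset as well; the PID 3368 to regsvr32.exe to regsvr32.exe chain that the same edges expose is the proxy execution of B5E2.dll shown in the process tree.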
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level shown in brackets; child processes are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 4860

[1] C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B5E2.dll
    - Suspicious use of WriteProcessMemory
    PID: 4848
    [2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: /s C:\Users\Admin\AppData\Local\Temp\B5E2.dll
        - Loads dropped DLL
        PID: 4052

[1] C:\Users\Admin\AppData\Local\Temp\B76A.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\B76A.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID: 3180

[1] C:\Users\Admin\AppData\Local\Temp\C92E.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C92E.exe
    - Executes dropped EXE
    PID: 4828

[1] C:\Users\Admin\AppData\Local\Temp\DAC3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\DAC3.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3224
    [2] C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp" /SL5="$302DC,3536428,54272,C:\Users\Admin\AppData\Local\Temp\DAC3.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 3216
        [3] C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
            Command line: "C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i
            - Executes dropped EXE
            PID: 4280
        [3] C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
            Command line: "C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s
            - Executes dropped EXE
            PID: 4792

[1] C:\Users\Admin\AppData\Local\Temp\E5B1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E5B1.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1848
    [2] C:\Users\Admin\AppData\Local\Temp\E5B1.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\E5B1.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        PID: 3840

[1] C:\Users\Admin\AppData\Local\Temp\ECB7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ECB7.exe
    - Executes dropped EXE
    PID: 1744

[1] C:\Users\Admin\AppData\Local\Temp\13F6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\13F6.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4932
    [2] C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        - Executes dropped EXE
        PID: 5012
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 4104
        [3] C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Checks for VirtualBox DLLs, possible anti-VM trick
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            PID: 1440
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
                PID: 2968
            [4] C:\Windows\System32\cmd.exe
                Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                PID: 3092
                [5] C:\Windows\system32\netsh.exe
                    Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    - Modifies Windows Firewall
                    - Modifies data under HKEY_USERS
                    PID: 3724
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
                PID: 1616
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
                PID: 3688
            [4] C:\Windows\rss\csrss.exe
                Command line: C:\Windows\rss\csrss.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Manipulates WinMonFS driver.
                - Drops file in Windows directory
                PID: 2792
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    PID: 2092
                [5] C:\Windows\SYSTEM32\schtasks.exe
                    Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                    - DcRat
                    - Creates scheduled task(s)
                    PID: 1016
                [5] C:\Windows\SYSTEM32\schtasks.exe
                    Command line: schtasks /delete /tn ScheduledUpdate /f
                    PID: 3336
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    PID: 5004
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell -nologo -noprofile
                    - Drops file in System32 directory
                    - Modifies data under HKEY_USERS
                    PID: 3792
                [5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    - Executes dropped EXE
                    PID: 3236
                [5] C:\Windows\SYSTEM32\schtasks.exe
                    Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                    - DcRat
                    - Creates scheduled task(s)
                    PID: 3716
                [5] C:\Windows\windefender.exe
                    Command line: "C:\Windows\windefender.exe"
                    - Executes dropped EXE
                    PID: 3788
                    [6] C:\Windows\SysWOW64\cmd.exe
                        Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                        PID: 4632
                        [7] C:\Windows\SysWOW64\sc.exe
                            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                            - Launches sc.exe
                            PID: 2696
    [2] C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 4296
        [3] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2548
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                PID: 4456
                [5] C:\Windows\SysWOW64\chcp.com
                    Command line: chcp 1251
                    PID: 4020
                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                    - DcRat
                    - Creates scheduled task(s)
                    PID: 5108
        [3] C:\Users\Admin\AppData\Local\Temp\nso274C.tmp
            Command line: C:\Users\Admin\AppData\Local\Temp\nso274C.tmp
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            PID: 4924
    [2] C:\Users\Admin\AppData\Local\Temp\FourthX.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        PID: 3076
        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            - Suspicious use of AdjustPrivilegeToken
            PID: 3720
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe delete "UTIXDCVF"
            - Launches sc.exe
            PID: 1408
        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            PID: 1312
            [4] C:\Windows\system32\wusa.exe
                Command line: wusa /uninstall /kb:890830 /quiet /norestart
                PID: 4800
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
            - Launches sc.exe
            PID: 4832
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe start "UTIXDCVF"
            - Launches sc.exe
            PID: 1500
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop eventlog
            - Launches sc.exe
            PID: 4720

[1] C:\Users\Admin\AppData\Local\Temp\2405.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2405.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 3896

[1] C:\Users\Admin\AppData\Local\Temp\3C31.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3C31.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1836
    [2] C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp" /SL5="$702A8,4081152,54272,C:\Users\Admin\AppData\Local\Temp\3C31.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        PID: 864

[1] C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    Command line: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    - Executes dropped EXE
    PID: 2300
    [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        PID: 224

[1] C:\Windows\windefender.exe
    Command line: C:\Windows\windefender.exe
    - Executes dropped EXE
    PID: 4580
Network
MITRE ATT&CK Enterprise v15
-
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
- Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
- Filesize: 1.2MB
  MD5: b6b6dbd2249af53bb8ff7e97c64cfa4c
  SHA1: 60d202a5c1ffb9ca23f499957ae039ff2bffccc6
  SHA256: 7cdec457c3ff37b671b31d32d761b0dacf1c7b9e56a175db0af669da4b7355a2
  SHA512: 8c7c17e08da22c07d05b25d83eb692c4b620890157d87d2beef355a4a94aa593eb3c383f4ca617c2bd59153073ef07cc4d006217ea77695a63ab3ef4bad9664e
- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize: 1.3MB
  MD5: d5ac8347ec7fe6b3267af60cf71255a7
  SHA1: f8258729ec532f3161b0affd5082fbb5b194805d
  SHA256: ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27
  SHA512: 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296
- Filesize: 1.1MB
  MD5: 56b83c068dc6c8df9c02236e9587cd42
  SHA1: 9803091206a0fff470768e67577426cce937a939
  SHA256: 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
  SHA512: e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb
- Filesize: 349KB
  MD5: 6531377e552f95f4fc86936c834b6c4f
  SHA1: d3a95eedbe42b3ae54bddaf9a3f07676ce825882
  SHA256: 44010a545cc1e6372a0c6e263664872e40e592bc0b2fe3b72c27a3a286f64d83
  SHA512: 0694e8d0460aeee4a0672f90ec49f9b984e56238b7673e5afbdbd661571163eeae963c7000f9f8581ff8979ab2f7be71cf0cdb20543afe9ef1211c284d734401
- Filesize: 1.6MB
  MD5: 5eafaa84b0e9364b9e2a1fa869d82acb
  SHA1: 623c071827cb4c0a12c8b918f4951db71991a5ff
  SHA256: ade8963d386a46fa5860f25f10b95a940d098736530041ed019e9499ef6ad4a4
  SHA512: 48ead8d914a766c3fcb38fe3665a1bcb2a87d033cc485e0de7ffd0aaefb6f12454c3116a7de38ba48a6710855d4a44d146f2885c99a7fdfa2d665320a88151fd
- Filesize: 1.1MB
  MD5: 3b66557b08111e0f88d2929a0f912d54
  SHA1: 395d4d43ffb7de91181c2def0ca7df444ba7d20f
  SHA256: d9ff5549256d46c3befb517124b8b650c466572242be5066be76f6628083829d
  SHA512: e809231114bdfb6591faaf0b8442911bc6838c67d78483168de20c21dc754ff0bb681f0b4083900f7c33d69f011b421476bbde6cdb7b0eb63668974ba2afbabd
- Filesize: 122KB
  MD5: 6231b452e676ade27ca0ceb3a3cf874a
  SHA1: f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
  SHA256: 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
  SHA512: f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c
- Filesize: 1.2MB
  MD5: 79b1c5df98d3810ec21749780349ffcf
  SHA1: 3cc7f65d34f769f69fb980cce070238911fbb886
  SHA256: bd3facb8ea2d3515a83054f88dfa3588f47236e3773f5cb720c9cbf2e0e429de
  SHA512: 68c57dc48582ceb0bed781fbf91440694232be6d5e8ca24886dca13daffa1ef13663e56c18298c4a77e1d84903c251508ca7cae31b6ef94a2b45e814ab99b55e
- Filesize: 1.4MB
  MD5: 81a4b7e8eb05ba5252fcf6f06fa1d8ad
  SHA1: 36e9c9a943f841a8f4b48c2f8a22ca1c32861144
  SHA256: fa6d0da78f7ce3c47e7840075dcd1c5f6d90f42c815f68ce69b1b093b661bde3
  SHA512: 0fd7bbc145abe87470b2f878b67db0e35358fcf06a8ce82b06364e0d6e8b1712e41e0be6010f53478676622237c7e13766f934d264a8a17cdb3f83ca341d0bb4
- Filesize: 149KB
  MD5: 8c898b181136238560dc7d857363a362
  SHA1: 2eb52e150ce15e1e2770ce8a0aa6463e04241655
  SHA256: 868aaad983185c9de720ab7b1e3089788580f145ba855c5c32e4233bf079dee5
  SHA512: 48bdf0ae698477a0bf99c8775bed611b47a630d1ce69912797fc5a029bc9ac2b514cfd6a2651dfbf9961efb382548faf16030e3dd06ab9d7387365ebf7390cfa
- Filesize: 57KB
  MD5: 0a107bf148f82af636813c98bffaf1aa
  SHA1: 5d94b205bb3aa52479c87ad9be192580a1fb1ce0
  SHA256: 8acc5a6eacd080c06ee91150388700c910fc300cb3f85585dd4667f20dd11e9d
  SHA512: 7ee46e7081826a8190e67f94009998085e584254d910e3f57dc7d9b5931e1cb6662aa52ef6f3c404a6fe41a30621a51ab5a846131497afaf27b9c20eeed9fb4c
- Filesize: 1.6MB
  MD5: 1a5f11fd65b25fdfe3e69eccc28265c3
  SHA1: a11ac870691fa1e11a65b66cc7f8e7c248e4eaff
  SHA256: e912690bfbfa7419712c65800f1218650c7be1a5e50f8c74c1a5a0de9942587c
  SHA512: 0630429a6f88026938b81669dcbb8b50ff958f2f46a908bb6d9dc40530ae39f2c859c5a74adb9a824caea67ee9b2ccccbc16ea9aff63e9ac7bf6af3954b5a066
- Filesize: 1.3MB
  MD5: 91d1d07a874ad5c5616d302ac8e6f561
  SHA1: 855effd1b0e9d7db5407d6fda1e70fd1d0474d79
  SHA256: f390e1c5324f2df81127fbc5833e385b97e36557d4ccd2ba0b26a31302194af0
  SHA512: 22a0b2f27b4ea5e96f1fa194158c1ef6351abe6076fe1db35ceaaca229cda80e87171acc9b71c58546f9ba3d3e94dd3f02600b78b1c8fae1d6e5f9e6365d7335
- Filesize: 3.9MB
  MD5: a97b7709ded87e52ee06c4b8b181034c
  SHA1: b9d7b8477766d6316329c395eb38cc9fd914a00a
  SHA256: 9f470f144df5ad788b012450bdb5ae2007221434974ae64390081ec523e30169
  SHA512: b8b9af25459da9e60935a0ffb807d8e3df291e7003f18f1b904817562c345c7652f249121d4ceed48c2d3d013a72393ed3637b74f91f602a6105ac60e55e53f0
- Filesize: 144KB
  MD5: a071948d0b1884e42a362d980c3403b9
  SHA1: 1b22ec256c8fcaca203b73cc0270acca9554110f
  SHA256: f70e172f986824c12345eb18bbe8361ea0ae9bad8179ab23c0e9ec97660a7358
  SHA512: a260fd5e418aafda5ae5cced9b67a878e0219ce54f4a22668a8cc6d5c4d7d8f45dcdeef839d7d97cbb5079f0e915daeb5f4e2d71047d374516e0a82883e29408
- Filesize: 2.2MB
  MD5: 3b9ed878856f3a69e5b6d76080345c95
  SHA1: 31f7e3f63e91f73384a3e3fb00d804d8793b2a5f
  SHA256: 7b05e5025320037f9daf62f8e7fe637086e6b306e84926a8b0d5b29a25ef13fd
  SHA512: 978f25010acafdc0ef4d1b73cb6d01f43423137476e2069e8ab56ca8983170c8d9afda7b678cf79c849cfd20f570662b065d143f40b12e0889196d7b71c08adf
- Filesize: 2.6MB
  MD5: 405fe91c736dfd5d67770881bb147272
  SHA1: be8f088b303dc625dbecad44264bdf4a7ee8c691
  SHA256: 35cd503f042a7031124b2f5c09c62a3028f344cefc72e82f570f18263bb4379c
  SHA512: 665e902b7b6a51a4496ee382ed4ad8dd67cef564ffc84294c261fc850aed70db688f5f75f3add8b6d0c57aae2f407f100115101856b3c506a0e78725e9fc03a0
- Filesize: 7.0MB
  MD5: 207306451fbe1b6ee1974317bad2021a
  SHA1: 583b15d7e76d0237f36b40821bc63b542ef3094f
  SHA256: 776002c93f9fbf09203b989100f9b59a517e27659daa88e3697aa48d37af58d4
  SHA512: ada7c88d5ed4365294c6045c2c297fe81703b33284a6b29fc2ca264440aac189c06960529cef24c847d7e6ddde22258614d4c918c0822d9c0ea69a4f66bd8754
- Filesize: 1.3MB
  MD5: b9db85df6544fb2e9d8edf86a490fddf
  SHA1: 61d6f784bddb442230af3a9224f1a63771794ba7
  SHA256: 037568e4264872078e5c58e0c098aac222eafa36620120eb8905d7ad2c04b98e
  SHA512: 9763ffbf3fc0e53de5d4463b2284074489263e628cb35f602505c6a7bd7351004f4454e289616701973074dd755191971a00301bfbe4d3e708dc0c8723091237
- Filesize: 421KB
  MD5: 1996a23c7c764a77ccacf5808fec23b0
  SHA1: 5a7141b167056bf8f01c067ebe12ed4ccc608dc7
  SHA256: e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888
  SHA512: 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23
- Filesize: 128KB
  MD5: 1844d76e7d4331107eeb8fc6274fa9b2
  SHA1: 82ae81925c68a662af3b5243db9ae9d0b1721958
  SHA256: 0fddf79ba668abf7a760e7076da3fdcca389e221c5005b10737a75b271da3aa1
  SHA512: 2be6c7a7f25b12ee3082f122fd17ded3697dd97518e41765d49f5141e969b6e4d24f664a6aae29e647c2e8d7518d3a6b1216c8a460a7425ab4c60e5bd60dc947
- Filesize: 5.4MB
  MD5: 49608dbbd93509d8b380a26b95fd0e22
  SHA1: c721e50cef31c20dabe7bda1ca711b72e42dcc8e
  SHA256: 324cd2784ee56feab35c1829b56618b75307ef261ac2e81ae0dc1860d630c4f8
  SHA512: 4938f7c7aa505c1db4abb08025373d6ef5d9f57d4d5a74736ba840f319211480cb1138048bdf33043afd8769b2b7a658a6df66271318204bd0f90b242c488852
- Filesize: 3.2MB
  MD5: db5cfe996b7849772dd6bdfceb4d3d0e
  SHA1: 1f7ebc3bd1bbdf60f225be83dbb5021a8b7ce7d9
  SHA256: afaedb6c2cb17e5d8f8eb4c21bf005477596d50749b1c5bb2e62305a710adc0f
  SHA512: 7987dc7f9326c3e62bfcef899c631c2e6d871140b9b4ec38c6d373158fe39188edf4ec227f96421e2249c18218daef6d984b6a373772d5f5c5a599f1ccd694c5
- Filesize: 2.8MB
  MD5: 1f34fda5244ff14c8e27e692d6bbfc48
  SHA1: 64d7cf0ebdd3411e1c1e9744215fb67a60c01617
  SHA256: 578adeab6b3f436600e9b5bd55651cfeb3f2891a9c94d30b2735705e78b50acb
  SHA512: 5270a0e8a0cc2eb64d9b00fa92a459863c1c111fabc00c2ab15492455dc515da4f280a3a9ed620729573f393581aa58ba39666fe737d4f20c666e0134de16674
- Filesize: 2.4MB
  MD5: 56eb708e76f68bf4cb83b8b585e7b472
  SHA1: 5de9c4ce39b48a35a0ccba651bace072034d4970
  SHA256: f812a914d2d25bcfc7308d036eaed85ab8c45eceea526485349e8a368565ea29
  SHA512: d79edbde7adf89ca891b5f36eb69e79ede77c0afaa2928d89efb2a616518025bf3fcaff1e817e745e9f4ced1808fd3e5e35bbf4b8d032d3f7610ec4f7ea9c83f
- Filesize: 274KB
  MD5: f908986a9a401c359378486bc78c3884
  SHA1: 7e0b647b2ba95895bdfbbb345cfa651335e6eebf
  SHA256: 76c3e5219eea16aff8c970c3e4fddfbaa915d4572e493561afd1ff391a8d5949
  SHA512: 5b3d4556d0319abc96fb66977ee023dee734617028cbdc5d9acb5ebda45ff63f294590760b17dc81521c469f19b4b705e91269e989c015ed0950b8d12f39494e
- Filesize: 318KB
  MD5: 03e2f1c0a8137b121e0a066272f06141
  SHA1: 036517f6d3186f32c5b7bd28ed1d00317d9f8387
  SHA256: b204645aa001cf50b9f96616c46ce548575674b990ea4779bf3a548cd8a411c2
  SHA512: e2f5606cc053243cf4747fb1e65f606656a5d0aaeece27060426f84409be24c899be4e7f0dd02761403362d3d610c731edb550a66541e30bdf17c4c4b6059632
- Filesize: 28KB
  MD5: b68c06311883b3cea5fb16225d495fa3
  SHA1: b092330537454602b87a65a621d3f8136c940629
  SHA256: 8edb6e867a4ed0e5f3fe4bb4fda3965162c2ea6cb81a4b89503d40caa9a565be
  SHA512: 31996e5ed5b3ddb2640d3f0579933bf4dd474ac8d557707f202cb07f94a8943d0777d3e271fe518fc825bedb12561dc07f605e814cd9b276bb7cddb764a5baae
- Filesize: 412KB
  MD5: 6a87f5c791f9660d1007b5a163ce9d23
  SHA1: 596eb0b150e966295e1833bcf38ee1016ca9d242
  SHA256: 49c9882974cb1da926abce4653b49d0a68a7a0dad0c0009274d6a956aad225ee
  SHA512: 1f5e6b28c8cec4b1fd39c942cd7056abd0f979a66f3ee25b5c9bed99947909a240dc676e764b8750e2356e647b55f39ff65e571dfe0f436e277006e9e6845128
- Filesize: 275KB
  MD5: 8ecc17d2df0678a4dd4ecd24915f15cd
  SHA1: e05782dd5a4da0a2fbd6418f2ca9a738b5185e64
  SHA256: 25e9e66f3cf68811568a4c48f5d5b401aa7b4ce3d1f26a6653ac69fbff2411c1
  SHA512: 7ef3e2161399b4934e1f238c2e75c286327058d512c99231f0252a71fe30848b221ab38e050ac835e9e9ea1aad37055d6e558cc1924f4b36888497abb358ccf7
- Filesize: 1.2MB
  MD5: 0961b07158f26d26393a22e86859974e
  SHA1: e6f54f12a426ce23e51714f05b7d8ff462af57e2
  SHA256: 54325a76735dd25e03879ec602c6cee8fc7cdb49315a2b013750efe42cece28a
  SHA512: d4ba0006472fbf293b18f5c05b556949392ae5f8f8d53b351e11a0f1ebb56ef37beec0e6dbc5560e076d64cc43e34167b2fa95c809ffb21b2bbf5752ac7f0473
- Filesize: 1.3MB
  MD5: 1da12eb5ed9c3654e3e05e07965b07ca
  SHA1: 33409895e02523a9272c7c3d4f983f9c9967ae8a
  SHA256: 07311bd84df02d85b6a56555dbe775262535fc6597cd5aa73117d303365b8716
  SHA512: 3c3f6ba87a95ce46b2c0e88add185d3f6fbc7f98a9bc7910bf5ca6bf65fb23f55c7e56886aa784f2307f7e5e207138d7d84eb8c2e7043dc9a4abd74528ef4a17
- Filesize: 1.3MB
  MD5: 833517b362dce1a28f7d320bbf8a42a1
  SHA1: 949e3fcaa1956717bb7c824aaf511cca77581c93
  SHA256: 4c323af4e7545e09789941715baed39c4d15737fccd1f59b2695e85b5128ee9e
  SHA512: d65e88e366ae27fd0aa868ca75060b4293950c51b2c5c247d1756037e8d76ea6287bc87c3a05316902d316306c1ed506e7a54f46e72da95f82e28fdfa8dbe2a7
- Filesize: 997KB
  MD5: 0d186841287a0da01d58f36efe45c296
  SHA1: 7cd78b1adb0f2050ccb809a1e880fb7aafa9bc73
  SHA256: 45bc3cc6ac85666f2e2ffe81fc10e8a1b97256f2fbbbecbcb89edd9b98825882
  SHA512: 4741df559792693b5e58fa97c67f1f755fbafad18d7a627fee1d34990460ab4a1592706d980e85018aa02ce5d040406587f726c72899e92eec9b681a851d2029
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- Filesize: 689KB
  MD5: 1ba055823154222509be8b1cb57f0d49
  SHA1: a11bdd1f4106f1de2dd075801987965f97c5c2b2
  SHA256: c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841
  SHA512: 2a1372383e7ddb3a238c5e38cd5687689f9040f227cb75dffc422fcdf91be4086935cf4a8885b1a571ec3ea5dec150b72cce029e6f389ce6129e318061dfd41a
- Filesize: 689KB
  MD5: b11909d5e4e08b1a6da220eca474d49f
  SHA1: b42582ab65d400f3450907ddc0857092c4daa4a8
  SHA256: 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff
  SHA512: 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab
- Filesize: 226KB
  MD5: 1d264333dd61f6b795e8b5583203ff9e
  SHA1: 88bb193ee2e8b088bd7d3174c2ebe67eab3c6bd6
  SHA256: 71027e689116445930e37ce7c8837654f3d457dff6feabb0a6726d3899b7d1d2
  SHA512: d1dd4fbda68053b80cd3b889c9f66c6cd2077ed353cd17ddb35cfc6a85d30f7d16150852593e89ac2a4d11bcde7e0d1289c343bb9228d9de86d4c8bc01c6aaa7
- Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
- Filesize: 214KB
  MD5: 3dd02e3a7d6552f6312e29bc4189c06a
  SHA1: c52bb026df26445a1e4ccf66baf61d99ecd1ff8a
  SHA256: cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70
  SHA512: 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 33KB
  MD5: 7aac7c53b58a8b0a0b23552816658244
  SHA1: 296b3e96334a230b623c91284b3efb223fca218e
  SHA256: d9619d2067c02e6cdbe31e2971cd22d05e4f4051ad4257f1011030c656188bc2
  SHA512: 4230577e5cd538dd5c333de1f0cb2c6086c0fbe100c1bbd8bf6a8e6700acef62487e9ecd97f9e7a6da7a9f95c9bffdc023aa68daa062df275cc9909208c85045
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: efbb7bd0d9e1bfc523146661beb53958
  SHA1: ad1053b6c245e7ed0e496711f9c930ab1ccc9dec
  SHA256: 73b5b13cfafdef87fe297e0009aa95267436af2fea12b49b2aa6a5bb66383297
  SHA512: 89402d62180a356edc36b735bd6f326df20c0b8e63ff248c59d44102745d365c3184516743086b19c6a5abfc12196697917ab075b70cfdd74d731bfdd8c62f6f
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: bfedf45e11243a852f6f99233078cd28
  SHA1: f14063b7d324eb03f864dac1899f1fbb25754e34
  SHA256: 3695c24fb861df4b2624fb4dab745ceec1238cbf4e90de58c300a182d9f69383
  SHA512: 3967a5acdaad569e8fe655a31310eb8874fcac73e21e2034c1490492aa2b6a7674cff18af128da638f51f0326065b8519ed9c55d835e945bcacb66ad385dd8e3
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: e3914e62a23dcc3c07a382101732c39a
  SHA1: 02cd9703f81f57add46c1d6e9cbdd1f77dde1442
  SHA256: 3807e60da220f387b3ddecbc2e6e7786967f1f81b9521f7908f4833ae7d5d262
  SHA512: d4b7e9d78b329d21ae12652c5f0a1ad0b71cc4c2249754099caf3798bfdeb3eadffc1a735492f13cf0784db4d92de02deb5061a2cebebbc8c529dcdeecba4808
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 036c94be7691e9f6aabbd6ab24a6a502
  SHA1: 6bbe6345b92534741eb8a1b3237f77b61e916414
  SHA256: f8dcc32e05b38bcfb3cd672c591ff9639404dabfd960022102732ad1ddb90ffd
  SHA512: 2b52e547e60cbfd84a50b0477460daa5686dd6b61f9cd3d668f75eb0d7dc2232be4dae161e7ecd28ed5dacdd9d0cbe98680611a00645bab4d88bea4c4668f51a
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 18KB
  MD5: 9fc15a19f74d62d36e895d9d2e128330
  SHA1: 48f961724da70398d758da9ceec84db407071cce
  SHA256: d7c2f6463a24473c6419278c858e931f20b77562a44f8e405368f87756d411f6
  SHA512: 58e754a958665b5d9db72d7e1e66e1aa45dbf111a8343d85998176d00348693d8881fe373f877b1143c41721680d4f0d55aaa4b2b098d687882b127ab4fa53f4
- Filesize: 4.1MB
  MD5: d122f827c4fc73f9a06d7f6f2d08cd95
  SHA1: cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
  SHA256: b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
  SHA512: 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986
- Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
- Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
- Filesize: 1.1MB
  MD5: e114e5f9b43b98818152d7ece42a5d16
  SHA1: 7e8dfac848a912d2f1997a3ba7eb9de458fe3240
  SHA256: 50079b1e9de89509e5615b62103527de5083c5a21e600e975d3d1f06745eba89
  SHA512: 100f227b3e4add165210d23cab76eb0c59b0363b099d315a884b65c63c77483fbf00fc84b70585d009c054cdfa98d1e92ec9b38633bf903208b668e4024b8cc8
- Filesize: 689KB
  MD5: 6dcece9c805f33365b7c109efd71beb5
  SHA1: edadd660c6b8e165c40ffab8bd55bfb788e0fe70
  SHA256: 68cfc37357ea36f1f08f630d954b1b7b0aec45c2afa907a7302c2abd175fb11a
  SHA512: 6757db07e009e0391d9a48da78a9d8bfa4c5b4b98ace88550b28878b4f2d0cf15b62f017bb465b402a5eb71f9d263b5c63b89956bddf204561cf5738716e27bb
- Filesize: 13KB
  MD5: a813d18268affd4763dde940246dc7e5
  SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- Filesize: 25KB
  MD5: 40d7eca32b2f4d29db98715dd45bfac5
  SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
  SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
  SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d