Analysis

max time kernel: 82s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 23:38

Static task: static1
Behavioral task: behavioral1
Sample: 5212ecaf2c3880d92f371356d84105be.exe
Resource: win7-20240221-en

General

Target: 5212ecaf2c3880d92f371356d84105be.exe
Size: 254KB
MD5: 5212ecaf2c3880d92f371356d84105be
SHA1: d17cc3b0083fef207a84eefbb927ac9a79ef01ae
SHA256: cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84
SHA512: a1987d88d57e2a835f81b771da0bd8f8d26800d023d088558a688979bd876a8f142fdfe2b2462907be6401152fc3ec7dd87bae0749e118c9ca82080963253a09
SSDEEP: 3072:Gl6mR5pZ1bjBUEzlFJYPBWk8XMF5uaaaETz:+XpZRj2yY5p4RaavT

Malware Config

Extracted: smokeloader
Version: 2022
C2:
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php

Extracted: stealc
C2: http://185.172.128.145
url_path: /3cd2b41cbde8fc9c.php

Extracted: lumma
C2:
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api

Signatures

DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: 5212ecaf2c3880d92f371356d84105be.exe, AC2E.exe, schtasks.exe, schtasks.exe, schtasks.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5212ecaf2c3880d92f371356d84105be.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | AC2E.exe
pid | process
4144 | schtasks.exe
708 | schtasks.exe
1972 | schtasks.exe

Glupteba payload 2 IoCs
resource | yara_rule
behavioral2/memory/4856-213-0x0000000002E90000-0x000000000377B000-memory.dmp | family_glupteba
behavioral2/memory/4856-223-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.

Creates new service(s) 1 TTPs

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid | process
3608 | netsh.exe

Stops running service(s) 3 TTPs

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: D323.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | D323.exe

Deletes itself 1 IoCs
pid | process
3372

Executes dropped EXE 17 IoCs
Processes: AC2E.exe, AC2E.exe, BEBE.exe, C3EF.exe, D323.exe, 288c47bbc1871b439df19ff4df68f076.exe, E11E.exe, InstallSetup4.exe, E507.exe, FourthX.exe, E11E.tmp, trafaret.exe, BroomSetup.exe, trafaret.exe, nsd1E1.tmp, windefender.exe, 288c47bbc1871b439df19ff4df68f076.exe
pid | process
2336 | AC2E.exe
3724 | AC2E.exe
2800 | BEBE.exe
2864 | C3EF.exe
3336 | D323.exe
4856 | 288c47bbc1871b439df19ff4df68f076.exe
1596 | E11E.exe
3972 | InstallSetup4.exe
4288 | E507.exe
3984 | FourthX.exe
1952 | E11E.tmp
3228 | trafaret.exe
3440 | BroomSetup.exe
1080 | trafaret.exe
2460 | nsd1E1.tmp
668 | windefender.exe
1868 | 288c47bbc1871b439df19ff4df68f076.exe

Loads dropped DLL 10 IoCs
Processes: regsvr32.exe, AC2E.exe, E11E.tmp, InstallSetup4.exe, nsd1E1.tmp
pid | process
2880 | regsvr32.exe
3724 | AC2E.exe
1952 | E11E.tmp
1952 | E11E.tmp
1952 | E11E.tmp
3972 | InstallSetup4.exe
3972 | InstallSetup4.exe
2460 | nsd1E1.tmp
2460 | nsd1E1.tmp
3972 | InstallSetup4.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/memory/3724-17-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3724-20-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3724-21-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3724-22-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3724-29-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/3724-30-0x0000000000400000-0x0000000000848000-memory.dmp | upx
C:\Windows\windefender.exe | upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
Processes: AC2E.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | AC2E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: C3EF.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | C3EF.exe

Drops file in System32 directory 6 IoCs
Processes: windefender.exe, powershell.exe, FourthX.exe, powershell.exe
description | ioc | process
File opened for modification | C:\Windows\system32\MRT.exe | windefender.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | FourthX.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe

Suspicious use of SetThreadContext 3 IoCs
Processes: AC2E.exe, windefender.exe
description | pid | process | target process
PID 2336 set thread context of 3724 | 2336 | AC2E.exe | AC2E.exe
PID 668 set thread context of 3900 | 668 | windefender.exe | conhost.exe
PID 668 set thread context of 4396 | 668 | windefender.exe | explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: 288c47bbc1871b439df19ff4df68f076.exe
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | 288c47bbc1871b439df19ff4df68f076.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe, sc.exe, sc.exe
pid | process
3148 | sc.exe
1220 | sc.exe
4364 | sc.exe
5016 | sc.exe
4268 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
3640 | 4288 | WerFault.exe | E507.exe
3484 | 2460 | WerFault.exe | nsd1E1.tmp
3844 | 1868 | WerFault.exe | 288c47bbc1871b439df19ff4df68f076.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 5212ecaf2c3880d92f371356d84105be.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5212ecaf2c3880d92f371356d84105be.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5212ecaf2c3880d92f371356d84105be.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5212ecaf2c3880d92f371356d84105be.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: nsd1E1.tmp
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsd1E1.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsd1E1.tmp

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
pid | process
1972 | schtasks.exe
4144 | schtasks.exe
708 | schtasks.exe

Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: LoadsDriver 1 IoCs
pid | process
656

Suspicious behavior: MapViewOfSection 1 IoCs
Processes: 5212ecaf2c3880d92f371356d84105be.exe
pid | process
3988 | 5212ecaf2c3880d92f371356d84105be.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: E11E.tmp
pid | process
1952 | E11E.tmp

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: BroomSetup.exe
pid | process
3440 | BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3988
-
C:\Users\Admin\AppData\Local\Temp\AC2E.exeC:\Users\Admin\AppData\Local\Temp\AC2E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\AC2E.exeC:\Users\Admin\AppData\Local\Temp\AC2E.exe2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:3724
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\B269.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\B269.dll2⤵
- Loads dropped DLL
PID:2880
-
-
C:\Users\Admin\AppData\Local\Temp\BEBE.exeC:\Users\Admin\AppData\Local\Temp\BEBE.exe1⤵
- Executes dropped EXE
PID:2800
-
C:\Users\Admin\AppData\Local\Temp\C3EF.exeC:\Users\Admin\AppData\Local\Temp\C3EF.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2864
-
C:\Users\Admin\AppData\Local\Temp\D323.exeC:\Users\Admin\AppData\Local\Temp\D323.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:1868 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:3200
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:3608
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:1948
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵PID:4468
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:4064
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:708
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:4428
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:1680
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:3476
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵PID:1976
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:1972
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:668 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:4800
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:4268
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 6044⤵
- Program crash
PID:3844
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3984 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:3148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2428
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:1000
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:1220
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:4364
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:5016
-
-
-
  - C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe  [depth 2, PID 3972]
    command: "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp  [depth 3, PID 2460]
      command: C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp
      signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
      - C:\Windows\SysWOW64\WerFault.exe  [depth 4, PID 3484]
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1980
        signatures: Program crash
- C:\Users\Admin\AppData\Local\Temp\E11E.exe  [depth 1, PID 1596]
  command: C:\Users\Admin\AppData\Local\Temp\E11E.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp  [depth 2, PID 1952]
    command: "C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp" /SL5="$D01D6,4323177,54272,C:\Users\Admin\AppData\Local\Temp\E11E.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe  [depth 3, PID 3228]
      command: "C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe" -i
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe  [depth 3, PID 1080]
      command: "C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe" -s
      signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe  [depth 1, PID 3440]
  command: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  [depth 2, PID 4500]
    command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com  [depth 3, PID 3364]
      command: chcp 1251
    - C:\Windows\SysWOW64\schtasks.exe  [depth 3, PID 4144]
      command: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
      signatures: DcRat; Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\E507.exe  [depth 1, PID 4288]
  command: C:\Users\Admin\AppData\Local\Temp\E507.exe
  signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe  [depth 2, PID 3640]
    command: C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 544
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 1044]
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4288 -ip 4288
- C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 3580]
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2460 -ip 2460
- C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe  [depth 1, PID 668]
  command: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  [depth 2, PID 2368]
    command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe  [depth 2, PID 436]
    command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - C:\Windows\system32\wusa.exe  [depth 3, PID 2760]
      command: wusa /uninstall /kb:890830 /quiet /norestart
  - C:\Windows\system32\conhost.exe  [depth 2, PID 3900]
    command: C:\Windows\system32\conhost.exe
  - C:\Windows\explorer.exe  [depth 2, PID 4396]
    command: explorer.exe
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 4156]
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1868 -ip 1868
- C:\Users\Admin\AppData\Roaming\hvhiscv  [depth 1, PID 5076]
  command: C:\Users\Admin\AppData\Roaming\hvhiscv
- C:\Windows\windefender.exe  [depth 1, PID 3624]
  command: C:\Windows\windefender.exe
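The `sc sdset WinDefender ...` command in the tree above replaces the service's security descriptor, and the SDDL string is hard to read by eye. The following is an added example written for this page (it is not part of the Triage report or of the sample) that parses that descriptor and evaluates what members of Administrators can still do with the service. The two-letter right codes are decoded with their documented service-object meaning, the trustee aliases (SY, BA, IU, SU, WD) with their well-known meaning, and ACEs are evaluated in order the way the Windows access check does, matching trustees by exact alias only (no group expansion). BASELINE_SDDL is a constructed comparison descriptor, not one taken from the report.

```python
import re
from dataclasses import dataclass

# Documented service-object meaning of the SDDL access-right codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"SY": "LocalSystem", "BA": "Administrators",
               "IU": "Interactive", "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}


@dataclass
class Ace:
    kind: str       # allow / deny / audit
    rights: list    # decoded right names, in ACE order
    trustee: str    # resolved alias, or the raw SID string


def decode_rights(code):
    """Expand 'CCLCSW' into right names; a hex mask is returned untouched."""
    if code.startswith("0x"):
        return [code]
    if len(code) % 2:
        raise ValueError(f"odd-length rights string: {code}")
    return [SERVICE_RIGHTS.get(code[i:i + 2], code[i:i + 2])
            for i in range(0, len(code), 2)]


def parse_aces(body):
    """Parse '(A;;CCLC;;;SY)(D;;WPDT;;;BA)' into Ace objects (ACE flags ignored)."""
    aces = []
    for fields in re.findall(r"\(([^)]*)\)", body):
        parts = fields.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({fields})")
        ace_type, _flags, rights, _obj, _inherit, sid = parts
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type),
                        decode_rights(rights),
                        SID_ALIASES.get(sid, sid)))
    return aces


def parse_sddl(sddl):
    """Split an 'O:..G:..D:..S:..' string (sc sdshow layout assumed) into DACL and SACL."""
    sections = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    return {"dacl": parse_aces(sections.get("D", "")),
            "sacl": parse_aces(sections.get("S", ""))}


def effective_rights(aces, trustee):
    """Walk the DACL in order like the access check: an allow grants rights not yet
    denied, a deny blocks rights not yet granted. Exact trustee match only."""
    granted, denied = set(), set()
    for ace in aces:
        if ace.trustee != trustee or ace.kind == "audit":
            continue
        for right in ace.rights:
            if ace.kind == "allow" and right not in denied:
                granted.add(right)
            elif ace.kind == "deny" and right not in granted:
                denied.add(right)
    return granted, denied


def admin_control_summary(sddl):
    """The questions a responder asks about a rewritten service DACL."""
    granted, denied = effective_rights(parse_sddl(sddl)["dacl"], "Administrators")
    return {
        "admins_can_stop": "SERVICE_STOP" in granted,
        "stop_explicitly_denied": "SERVICE_STOP" in denied,
        "pause_explicitly_denied": "SERVICE_PAUSE_CONTINUE" in denied,
        # With WRITE_DAC or WRITE_OWNER an admin can simply put the descriptor back.
        "admins_can_rewrite_dacl": bool({"WRITE_DAC", "WRITE_OWNER"} & granted),
    }


# The descriptor passed to `sc sdset WinDefender` in the process tree above.
TAMPERED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)"
                 "(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed comparison (not from the report): the same ACEs, but Administrators
# keep SERVICE_STOP / SERVICE_PAUSE_CONTINUE and there is no deny ACE.
BASELINE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)"
                 "(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("tampered", TAMPERED_SDDL), ("baseline", BASELINE_SDDL)):
        print(label, admin_control_summary(sddl))
```

Against the tampered descriptor the summary reports that Administrators have no SERVICE_STOP, that stop and pause are explicitly denied, and that they still hold WRITE_DAC and WRITE_OWNER. In practice that means `sc stop WinDefender` from an elevated prompt fails with access denied while LocalSystem can still stop it, and the quickest remediation is to rewrite the descriptor with `sc sdset` first. Two further points worth noting in a report: the deny ACE sits after an allow ACE, which is non-canonical ordering and itself a tamper indicator (the order also matters, since an allow that precedes a deny for the same right wins), and the real Defender service is named WinDefend, not WinDefender.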
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
  Pre-OS Boot (1)
    Bootkit (1)
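The tactic table above is coarse: it lists a single Impair Defenses sub-technique, while the process tree shows several distinct defence-evasion and persistence commands (the Defender exclusion, the removal of KB890830, which is the Malicious Software Removal Tool, the service DACL rewrite, the service installation, the event log stop and the scheduled task). As an added example that is not part of the report, the classifier below runs rules over the command lines copied from the tree plus two constructed benign lines, and maps each hit to an ATT&CK technique. The rule names and regular expressions are this example's own; the technique IDs are ATT&CK's (T1562.001 Disable or Modify Tools, T1562.002 Disable Windows Event Logging, T1543.003 Windows Service, T1053.005 Scheduled Task). Mapping the deny ACE written into the "WinDefender" service DACL to T1543.003 is an analyst's choice: the real Defender service is WinDefend, so this protects the sample's own service rather than disabling a security tool.

```python
import re

# Each rule: (name, ATT&CK technique, pattern). Named groups become the finding's
# details. Patterns are this example's own, written against the command lines
# in the report; technique IDs are ATT&CK's.
RULES = [
    ("defender_exclusion", "T1562.001",
     r"Add-MpPreference\b.*?(?P<switch>-Exclusion(?:Path|Extension|Process))\s+(?P<value>.+?)(?=\s+-|$)"),
    ("msrt_uninstall", "T1562.001",      # KB890830 = Malicious Software Removal Tool
     r"\bwusa(?:\.exe)?\b.*?/uninstall\b.*?/kb:(?P<kb>890830)\b"),
    ("eventlog_stop", "T1562.002",
     r"\bsc(?:\.exe)?\s+stop\s+(?P<service>eventlog)\b"),
    ("service_dacl_deny", "T1543.003",   # a deny ACE written into a service DACL
     r"\bsc(?:\.exe)?\s+sdset\s+(?P<service>\S+)\s+(?P<sddl>\S*\(D;[^)]*\)\S*)"),
    ("service_install", "T1543.003",
     r'\bsc(?:\.exe)?\s+create\s+"?(?P<service>[^"\s]+)"?.*?binpath=\s*"?(?P<binpath>[^"]+?)"?(?:\s|$)'),
    ("scheduled_task", "T1053.005",
     r'\bschtasks(?:\.exe)?\s+/create\b.*?/tn\s+"?(?P<task>[^"\s]+)"?.*?/tr\s+"(?P<target>[^"]+)".*?/sc\s+(?P<schedule>\w+)(?:\s+/mo\s+(?P<every>\d+))?'),
]
COMPILED = [(name, tid, re.compile(pat, re.IGNORECASE)) for name, tid, pat in RULES]


def triage(command_line):
    """Return one finding per rule that matches a single command line."""
    findings = []
    for name, technique, pattern in COMPILED:
        match = pattern.search(command_line)
        if match:
            details = {k: v.strip("'\"") for k, v in match.groupdict().items() if v}
            findings.append({"rule": name, "technique": technique, "details": details})
    return findings


def summarize(tree):
    """Map ATT&CK technique -> sorted PIDs whose command line evidences it."""
    by_technique = {}
    for pid, command_line in tree:
        for finding in triage(command_line):
            by_technique.setdefault(finding["technique"], []).append(pid)
    return {tid: sorted(set(pids)) for tid, pids in by_technique.items()}


# (PID, command line) pairs copied from the process tree above, followed by two
# constructed benign lines (not from the report) to show the rules stay quiet.
SAMPLE_TREE = [
    (4800, r"cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (2168, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (2428, r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (1220, r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"'),
    (5016, r"C:\Windows\system32\sc.exe stop eventlog"),
    (4144, r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F"""),
    (9001, r"C:\Windows\system32\sc.exe query eventlog"),          # constructed, benign
    (9002, r'schtasks /query /tn "MalayamaraUpdate"'),              # constructed, benign
]

if __name__ == "__main__":
    for pid, command_line in SAMPLE_TREE:
        for finding in triage(command_line):
            print(pid, finding["technique"], finding["rule"], finding["details"])
    print(summarize(SAMPLE_TREE))
```

The details extracted per hit (exclusion switch and value, service name and binpath, task name, target and interval) are what a detection engineer would carry into an alert, and the summary shows the same PID appearing under more than one technique when a single command evidences both (here the service rules both land under T1543.003). The patterns are deliberately loose on quoting and case, but they still only recognise the spellings seen in this report, so treat them as a starting point rather than a ruleset.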
Downloads
- Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
- Filesize: 4.1MB
  MD5: d122f827c4fc73f9a06d7f6f2d08cd95
  SHA1: cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
  SHA256: b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
  SHA512: 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986
- Filesize: 1.2MB
  MD5: 7c277165dcead3616b33d9432afcb485
  SHA1: b725f0009bb07f8c3f434adc10ccc8d78967ea62
  SHA256: a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30
  SHA512: 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105
- Filesize: 896KB
  MD5: 8c9607a8c8359d15ec05a327be0b80a8
  SHA1: 645ef703da82d57f169789d42c5c88625548bcc1
  SHA256: 924f06d5c5dfa4ac57ea02f3899d9e083a61844d3e86372fc5d71e0e184df233
  SHA512: 60880b8445341e3ad208977d2d328e497243dc6d5d51dc6a35923752f83cc8e621d6ca377d8638ef4415689f6e74e230bfa8a29953d639a5757bdf94a8d5dda1
- Filesize: 603KB
  MD5: c641189e2f1dca765716924b00fb0541
  SHA1: 5020e7e18acafb0a699ec8bcbb0db81448a2a756
  SHA256: ee15357441bf9b47d392fb578324ccd39c386f2b7794b35930887e2df90da548
  SHA512: 4919a6acf4ceb57ff9db4f9ab687406a63503e9c9d4261f727d1b285409f24f876b8c578690ef441f3130525a73588546801d41dcdd97b5327fe321c55fb0318
- Filesize: 2.6MB
  MD5: ebaab163ec9e1f38820a34b5828be9aa
  SHA1: 2ccba5c552cd8fcfe519aa72b792b45cb5e6f202
  SHA256: 2ba79f789f828068059b982ca35a855d2198938f51d294f53e455cfc004efb1e
  SHA512: 05352680056e5592608d1aa0198e32542a40cc630fd16306661dec4d20e6608d458d481c07429afc7351b4ac0f7c1aaa5bb01a21d7a222270191ee215d3b759a
- Filesize: 4.5MB
  MD5: 7d63cf07abdec06195b109fd4e12abdd
  SHA1: a2201683645c9dcd12ac315f84260557e95b0ddd
  SHA256: 17ac52e3f7b18fd7199266992b22ed36a909be46020b7ec305e8a0a146a264c7
  SHA512: 6402c59ff7b1a8033e55dc7bd7afa7b9b350cccbb64923cc4e9121a00fe262f6488f07de7387edf7126402638e3d2518d64c992df534e5e5de9ef32c0498e6b3
- Filesize: 1.8MB
  MD5: 147f5f5bbc80b2ad753993e15f3f32c2
  SHA1: 16d73b4abeef12cf76414338901eb7bbef46775f
  SHA256: 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990
  SHA512: 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6
- Filesize: 2.0MB
  MD5: b66379323022a073f1f7cdefed747401
  SHA1: 14cfd615676b85960154df8273ca841f4a0e268b
  SHA256: 19a75f92a288042be52f1d38976909a22f81e92d22b69b6ab2f1f4d5856448db
  SHA512: 94b8dbe483f2f624723b831186bfcabc52eb74b8293f7acc4e3152ccdaef86885e2fb89453b91a78493795c99edc96e47dbbd489f92aec4cb30c21c064eb052b
- Filesize: 1.6MB
  MD5: d3d95f1cc5b650d22b7ed57ba3a22a21
  SHA1: 53c9bee12417a661ad62eaa2bd6026124b07b10d
  SHA256: d7481ea51076dddf99dfaaa197a8e586c8f80e6f116a5d62b984af0903ccda64
  SHA512: 8c8108e7b4ce4a7b5ac07e64ba1c7cda19d653010d49de5635d33eafc0dc8151fd9f00d983c52ed91fe5b13d71c521eb06c7cf3f3084955be3f26f47f9da2fb5
- Filesize: 1.9MB
  MD5: acd072a27fbf42bc036802413e4eaf4e
  SHA1: 0809cd2d902abb1b08f1baecee9a7a5b3c576eb4
  SHA256: 4035730ac652c1b60915e87640812ca98cab3659b9606a2560f47f0926a2261e
  SHA512: 06d709ac73067720aa18bb1af52e44ce2850014882b68394505abc5f88d147f62c45332fd6b5bf94fdffe26ae6210bc474fa17217f68494e636b54006578884b
- Filesize: 2.6MB
  MD5: 5914dfecbcaf98a93fdb043df706df1f
  SHA1: 79ea43b28ff425338045b46ff0246668b0bf9a1e
  SHA256: c083f31e9d48652ee47464c3fde4e7d92a63a6110fa1602e20c6e4f6c11f7f48
  SHA512: 0763827ea5b942e79fc57bad80ac4e0a7ff345ca02b8749f02415c0a82f97c9c81587aeef056a51765033b084dcc78de3875f24979225268a2f131f007f320d8
- Filesize: 320KB
  MD5: 7e16dda41b2ae464d9612815f0d3d6eb
  SHA1: 1b2486381b4e1cade80e200638f64d9fc4693ed5
  SHA256: 492a2edab7086f7989f9fb74f662683b7a12f47691c04ee6c764e335a0cbf2b1
  SHA512: 4549699fa1fdb320b22b5ac456a72d219c09a83b11cccdb9d49cfac26428721b710873304cc7109a6802bd79b52325ff6380e55c5b14a42dda6b1221c4f8e72b
- Filesize: 560KB
  MD5: e6dd149f484e5dd78f545b026f4a1691
  SHA1: 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
  SHA256: 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
  SHA512: 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
- Filesize: 1.7MB
  MD5: 5432ccce8ac6890762a57543fc7fc6fe
  SHA1: 2a0dd2d54d22635f370cafc0a228fc1fe36eccce
  SHA256: ad38ac932048d0129f07dd0e2149605115949f7f22fb865b279a154b247363ab
  SHA512: 8e4448b923f0306acfa0c7b3e5113235c1fad45f49d9a0210cd50fac2e458c03a037892ae613ec8cfc53d1e003d8be72336a3b993dc74c7beeea29e292664a88
- Filesize: 2.2MB
  MD5: c7c8b71baee8f80c0acedc1db40c7824
  SHA1: c7a28bd64fb3fa4bebef1bff7578670ad9163af4
  SHA256: a1c20a49291d74e860492e5f87e48a2faef4236c4c0f95212b56d2909775cdb4
  SHA512: 829722298eb7950cb7a63d844fd0cdaa1ede33f87d6997e146a5bf185f546aaa43ec58eaeceab739d070366acbaf67f33d29b1a9e51d917d6d087b57fc44dc9b
- Filesize: 3.4MB
  MD5: 87be654dbdd7f39aa9c2e9c67ce38d72
  SHA1: b72b6f46e6521bdbe7d464ca2a80409776f7b391
  SHA256: a31c3f09551693cce24d47d8a7f139425d60ae8dd766d53622d008e5fb2be53e
  SHA512: d5edff77fddd8886691318f00ae10909feb0875948fae347773170139113a5c522c01dcf1622f9e048a8d65da0aa1a946bc6f3c61db68909301e68658160ca71
- Filesize: 3.2MB
  MD5: ef57e765f5b96c096eb42ec8f174292f
  SHA1: b3743ff221876e8051e90843e8b3cc38b4bb58b7
  SHA256: 97d85610932322191c3a7797061d9feeb268a878beaba568192c2beec5e3ed4e
  SHA512: 0652fcf82161cbbb7b4d9b02ea0fa14e889cf2151fd352b0d8a24fed4146a28a40f09157333f76992d118372ac5a179a926417d21c44b0142b00b1229d8bc142
- Filesize: 2.5MB
  MD5: b03886cb64c04b828b6ec1b2487df4a4
  SHA1: a7b9a99950429611931664950932f0e5525294a4
  SHA256: 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
  SHA512: 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659
- Filesize: 64KB
  MD5: 02df76a7b45d874395b4274c2e5b7b1f
  SHA1: 1b8d7060e9fa5204fa74efeb4192a168b778e9ca
  SHA256: 2f84a4b95126d6047929174a1d44106d9d4f62ba23c77e10218f79eca126d7a9
  SHA512: 5675e3895878a8b558aa4a31e06ea9858ece0dde7eca67d7e80033a96571786790ddaa0a53859f84222eb87e6eaa451245e41b31b8b66ab946a50072d6ab249e
- Filesize: 1.1MB
  MD5: 56b83c068dc6c8df9c02236e9587cd42
  SHA1: 9803091206a0fff470768e67577426cce937a939
  SHA256: 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
  SHA512: e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb
- Filesize: 2.0MB
  MD5: 28b72e7425d6d224c060d3cf439c668c
  SHA1: a0a14c90e32e1ffd82558f044c351ad785e4dcd8
  SHA256: 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
  SHA512: 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6
- Filesize: 320KB
  MD5: 65c145064bb3e087c2ec0ae6034c2df0
  SHA1: 5ec0f6d5fa4a931f5964c709ed79efae1520fefe
  SHA256: 2d8e8d5d3302cf18163d55b4e452c95fcec38931dcc8acf3ad2e0c2d8740376e
  SHA512: 7a87a15a1df889f38994f9a26313ab040ae596a7faeeb07faa556d932235486a295a2039fb3b70c0d5c806e136dfdb2c0ccfd58a17e7a68b1594559c59933f3f
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- Filesize: 640KB
  MD5: 5cc29afdf740599b3a6cba5b64b9d4ae
  SHA1: 249103d58e2f09c1452de388fc101f3e425954bf
  SHA256: 9cd4688f7c3fe38c579a6a8d28a9d4c6b9652336b885cc1fe5cee4f5e293e69a
  SHA512: 1311e3f4590577942d742b660f1ab1e805c66a71dc6d358722084d2e6571e1e2f8c029b4ae7a4ebbad27df99f915b9cca81c1c9a0596862f11be17bbf792bf76
- Filesize: not reported (these are the digests of zero-length input, i.e. an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- Filesize: 13KB
  MD5: a813d18268affd4763dde940246dc7e5
  SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
- Filesize: 264KB
  MD5: 593c6bba2414d94e5e05d505074793dc
  SHA1: 1315c0ffbecf2e1eea0f5ac63adce7cc403ea9e8
  SHA256: 44a0af487346e24e3a06361a917a81ec151ddb8b7a1c558294cfc283a35ce4ec
  SHA512: 6e9d0191723db1caf54f50d1ba249079f74c0b8cdb745fefb283a248279375248c6ddc27f70b1887678c5e5e22fc9a58cec1a613e758b3a96d2c72a5b7da5257
- Filesize: 25KB
  MD5: 40d7eca32b2f4d29db98715dd45bfac5
  SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
  SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
  SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
- Filesize: 384KB
  MD5: fbfe6bc7887cc98ffe373edf03621841
  SHA1: 346afa7ff4d42a241dfe443cdecefd0961c08412
  SHA256: 1921c256755b2ca3d97216df201b6233737937f28d735267166a7f782b878942
  SHA512: 0e743487d9ab2de6db60941def2d1e950134834f0c847b968270ba85cfee2d9abf0b9a516883f0477e8b409afd9945fb77c3e9f836e71aa4cd0b415db3c1a89b
- Filesize: 64KB
  MD5: 24ee18fc0b741e34a244b5c7db9b76d9
  SHA1: bc0f432ee01e052479e735d0155b46ff5edf9232
  SHA256: 8eb891ab450fcd0a88e10125c74c4ebe46900eea3fe2f54fb788f8a1d3fa9664
  SHA512: eeedf4d0905938807f7c481eb1cc7f843ed5339575c457ef36847979316227a21ec2958090726559bb3704cdca23371625da3aa75fc123994205424e7add3c84
- Filesize: 896KB
  MD5: e0f66942f8d0f2f50bb4fe927c8f34b7
  SHA1: 6b2aa63466ce1e48d2268b950048ef8df7578fb7
  SHA256: e1bcbe82e46638a1c722f7f32cc6081d788b6f19b98c403143354dcd56009c6d
  SHA512: b0f6e6ecf98327d5008ea5098b4949e01cf38fc92d4f65ec300ce24fd1cade98d3c3f03db4d3c6ebdafeebb351dd37439a23d41924d00bd564961da3746b481b
- Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
- Filesize: 254KB (the submitted sample)
  MD5: 5212ecaf2c3880d92f371356d84105be
  SHA1: d17cc3b0083fef207a84eefbb927ac9a79ef01ae
  SHA256: cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84
  SHA512: a1987d88d57e2a835f81b771da0bd8f8d26800d023d088558a688979bd876a8f142fdfe2b2462907be6401152fc3ec7dd87bae0749e118c9ca82080963253a09
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: ad1efd1029ac62ba32573f0fe0ade720
  SHA1: 815cb801d13eee3f9528271c7106ba1ba2d3565c
  SHA256: 52339f644deccb160ae7baf5729e7f37d1e8191abc4fc0e17bdf0a08e08e43b7
  SHA512: 2f6dcb353027c7f128c4376db5b3048188109b3c326d17150ae60b131e7b746a18432db3729166b74d003251beca07f290dc8a446bb95fe854c2efc252b99d70
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 0a6a3607c17c1772153cd2df46245d13
  SHA1: 227e6494c0487628b784394618901b7659f3edfc
  SHA256: ccb31bd53e0dd05f5548443705466b25ea68006243e3f50ce4205b566e79f627
  SHA512: 81bebcbaf56d8ae4ba43233c3a83d9120a918d4ea5f6ecb104597b784623521a7e8ece3f9bf5d9159116ae5bb8c17cccfd922f94a32b0f95426086cdfd788a02
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 4a151730ffc576b3fac742c3d414685b
  SHA1: 9f848dd585c9b0feba892e894ec6b291feaac9c8
  SHA256: 761e558d1322a94e551f2a3507de8c5643122153289e9e9b981507f22939a77f
  SHA512: 5d89312f6e0208120f067b5a3e789a92ee624190fd614ce4c1dd6d33e7fe94467c0e7b74b4b77f14477fe8c8c2a8a233bf281962f41c55efd34b1d124f73f845
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 5af975cf787dd9320c2801f2884ec4d0
  SHA1: 0f06dbb9be2f882d5d270ee93e17b4e66ad475eb
  SHA256: fbc5da56ea5e53d9f255e6647bc9fe237dda2e5279973e7e588c70d3375256a8
  SHA512: fdebcf40683e2bc042bb2102fbf0f686c5521f4490c2ecfb8e65099c3851c66a51c88a16da5cca2d809f76262db3950509aed0d8f599b3f75bf5d6d781c5e167
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: a42cf8df08b568bd775daa06d500de27
  SHA1: 717186c0c8647e8b831f15b40475692e686b6221
  SHA256: d6a80511c9fc0f7a0862a269c26da1a6e543799af18f4bef2d8de19401692045
  SHA512: dd89b0326482ea936310a419f0112174b0099cd65be3b74c38b73127392f9605e4113e20f28f495640526149088d2c20fc35db4118bd9dfe89fdd92e91ca6f48
- Filesize: 1.1MB
  MD5: dee6f72532b423c83b1483ef216a83d3
  SHA1: 06a812a3c174067dcf15447be310608fe0235a0b
  SHA256: e02a6c5a59aa4d07173f6fc254dabff117e1519a5d49fe1428d854ab5be007a0
  SHA512: 7a41ce71088edff82af7963381c84871e72ee1bc6fb1889d79015103baa040a31f4433ff52604af45fd6787401ddd9e0d222b015d8b0a22640ec3e3a61580974
- Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec