Analysis
max time kernel: 118s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-02-2024 22:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0b31dc8d9eeaa4a6803873a6c1380c72.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0b31dc8d9eeaa4a6803873a6c1380c72.exe
  Resource: win10v2004-20240221-en
General
Target: 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Size: 211KB
MD5: 0b31dc8d9eeaa4a6803873a6c1380c72
SHA1: 89a3961bb7b5e29ce53cfc9bb64daa216259a85e
SHA256: 7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
SHA512: 7c00f36554dfb6b611227255da75b92bb2200ceadcf92f71fd280cad4c55ee64ed588338b4ed73b110cbf054ea4774c71abc2a66220a65549e04b642404fd26d
SSDEEP: 3072:gyJtJkIZYF/TgVdkyrp90TvT5A70CutWTFlEz/BVwNMtyMz7:gyDahrgVdjrpc5EJkQMz
Malware Config
Extracted: smokeloader
tfd5
Extracted: smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted: djvu
http://habrafa.com/test1/get.php
extension: .lkhy
offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url:
  http://brusuax.com/dl/build2.exe
  http://habrafa.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw
Extracted: lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
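The configs above are what a responder feeds into blocklists and ticketing, so here is an added example (my code, not part of the sandbox report) that flattens them into deduplicated indicators and applies the one triage check that matters for STOP/Djvu victims: whether the personal ID in the note is an offline ID. The config values are transcribed from the report; the dictionary key names are mine, and the URL listed directly under smokeloader, djvu and lumma is treated as that family's C2 endpoint, which is how the report lays it out but not something it labels.

```python
"""Flatten the extracted configs into SOC-consumable indicators (added
example, not part of the report).  CONFIGS is transcribed from the report;
key names and the "c2" role assignment are assumptions of this example."""
from __future__ import annotations
from urllib.parse import urlsplit

CONFIGS = [
    {"family": "smokeloader", "label": "tfd5"},  # unlabelled value in the report
    {"family": "smokeloader", "version": "2022", "c2": [
        "http://trad-einmyus.com/index.php",
        "http://tradein-myus.com/index.php",
        "http://trade-inmyus.com/index.php"]},
    {"family": "djvu", "c2": ["http://habrafa.com/test1/get.php"],
     "extension": ".lkhy",
     "offline_id": "OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1",
     "payload_url": ["http://brusuax.com/dl/build2.exe",
                     "http://habrafa.com/files/1/build3.exe"]},
    {"family": "lumma", "c2": [
        "https://resergvearyinitiani.shop/api",
        "https://technologyenterdo.shop/api",
        "https://detectordiscusser.shop/api",
        "https://turkeyunlikelyofw.shop/api",
        "https://associationokeo.shop/api"]},
]


def indicators(configs: list[dict]) -> list[dict]:
    """One record per atomic indicator (url, domain, file extension).
    Duplicates are collapsed case-insensitively; habrafa.com, for instance,
    is both the Djvu C2 host and a payload host and appears once."""
    out, seen = [], set()

    def add(kind: str, value: str, family: str, role: str) -> None:
        key = (kind, value.lower())
        if key not in seen:
            seen.add(key)
            out.append({"type": kind, "value": value, "family": family, "role": role})

    for cfg in configs:
        fam = cfg["family"]
        for role in ("c2", "payload_url"):
            for url in cfg.get(role, []):
                add("url", url, fam, role)
                add("domain", urlsplit(url).hostname, fam, role)
        if "extension" in cfg:
            add("file_extension", cfg["extension"], fam, "ransomware_marker")
    return out


def domains(configs: list[dict]) -> list[str]:
    """Sorted unique hostnames, ready for a DNS sinkhole or proxy blocklist."""
    return sorted({i["value"] for i in indicators(configs) if i["type"] == "domain"})


def djvu_id_is_offline(victim_id: str) -> bool:
    """STOP/Djvu personal IDs ending in 't1' were produced with the variant's
    built-in offline key (the C2 was unreachable at encryption time).  Offline
    keys are shared across victims of the same variant, which is why public
    decryptors can sometimes recover such files; any other ID means a
    per-victim online key."""
    return victim_id.endswith("t1")


if __name__ == "__main__":
    for d in domains(CONFIGS):
        print(d)
    print("offline:", djvu_id_is_offline(CONFIGS[2]["offline_id"]))
```

Note that the three SmokeLoader hosts differ only in hyphen placement (trad-einmyus, tradein-myus, trade-inmyus); block all three rather than the one that happened to answer.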
Signatures
-
DcRat 3 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019 capable of loading additional plugins.
Note: the three IoCs behind this match are generic (a SCSI enumeration key opened by the sample, a Run-key entry, a schtasks invocation). In this run the Run key is written by 6C81.exe, whose memory matches family_djvu, and the scheduled task is created by C:\Windows\rss\csrss.exe (PID 2404), whose memory matches family_glupteba. Treat the DcRat label as a low-confidence heuristic rather than evidence of a DarkCrystal payload.
Processes: 0b31dc8d9eeaa4a6803873a6c1380c72.exe, 6C81.exe, schtasks.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f649dd18-3502-4a56-afb9-9fb69a04cd97\\6C81.exe\" --AutoStart" | 6C81.exe
pid | process
1272 | schtasks.exe
Detect ZGRat V1 10 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\FD0E.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\FD0E.exe | family_zgrat_v1
behavioral2/memory/1860-86-0x0000000000B70000-0x000000000111A000-memory.dmp | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\5BE9.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\5BE9.exe | family_zgrat_v1
behavioral2/memory/2844-158-0x00000000001E0000-0x0000000000832000-memory.dmp | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\81B1.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\81B1.exe | family_zgrat_v1
C:\containerProviderhost\runtimenetSvc.exe | family_zgrat_v1
C:\Windows\RemotePackages\RemoteDesktops\System.exe | family_zgrat_v1
Detected Djvu ransomware 10 IoCs
resource | yara_rule
behavioral2/memory/1720-22-0x0000000003780000-0x000000000389B000-memory.dmp | family_djvu
behavioral2/memory/1160-23-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1160-25-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1160-26-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1160-27-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1160-38-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1160-55-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4728-61-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4728-62-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4728-64-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 15 IoCs
resource | yara_rule
behavioral2/memory/4300-72-0x0000000003E40000-0x000000000472B000-memory.dmp | family_glupteba
behavioral2/memory/4300-73-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/4300-82-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/4300-112-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/4300-113-0x0000000003E40000-0x000000000472B000-memory.dmp | family_glupteba
behavioral2/memory/4300-146-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/4300-148-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/3080-150-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/4300-173-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/3080-175-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/3080-230-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/3080-281-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/3080-298-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/2404-433-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
behavioral2/memory/2404-518-0x0000000000400000-0x0000000001E0D000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | process
3068 | netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | 6C81.exe
Deletes itself 1 IoCs
pid | process
3356 | (image name not recorded by the sandbox)
Note: PID 3356 is the process that drops and launches every payload in the tree below (6C81.exe, A4B9.exe, C36E.exe, EA7F.exe, FD0E.exe) and requests SeShutdownPrivilege repeatedly; the sample's own process (PID 2172) shows MapViewOfSection behaviour, the section-mapping injection SmokeLoader uses to migrate into a host process, which is consistent with 3356 being that host.
Executes dropped EXE 9 IoCs
pid | process
1720 | 6C81.exe
1160 | 6C81.exe
1608 | A4B9.exe
3512 | 6C81.exe
4728 | 6C81.exe
4300 | C36E.exe
4696 | EA7F.exe
1860 | FD0E.exe
3080 | C36E.exe
Modifies file permissions 1 TTPs 1 IoCs
The icacls call under PID 3936 (see the process tree) adds a deny ACE for Everyone (S-1-1-0) covering DE (delete) and DC (delete child), inherited by files (OI) and subfolders (CI), on the Djvu install directory C:\Users\Admin\AppData\Local\f649dd18-3502-4a56-afb9-9fb69a04cd97. This is self-protection for the copy that the SysHelper Run key points at: cleanup has to remove that ACE or take ownership before the directory can be deleted.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f649dd18-3502-4a56-afb9-9fb69a04cd97\\6C81.exe\" --AutoStart" | 6C81.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
68 | api.2ip.ua
69 | api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs
description | pid | process | target process
PID 1720 set thread context of 1160 | 1720 | 6C81.exe | 6C81.exe
PID 3512 set thread context of 4728 | 3512 | 6C81.exe | 6C81.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid | pid_target | process | target process
4028 | 4728 | WerFault.exe | 6C81.exe
4704 | 3756 | WerFault.exe | MsBuild.exe
4844 | 3756 | WerFault.exe | MsBuild.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
All 64 values are written by C36E.exe (PID 3080 in the tree) as "Set value (str)" under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\, with value names of the form C:\Windows\system32\,@tzres.dll,-<n>. These are the MUI string-cache entries Windows creates when a process resolves time-zone display names from tzres.dll; the notable part is the process doing it, not the strings. Value name suffix and data:
-1662 = "Bahia Standard Time"
-151 = "Central America Daylight Time"
-172 = "Central Standard Time (Mexico)"
-411 = "E. Africa Daylight Time"
-961 = "Paraguay Daylight Time"
-2322 = "Sakhalin Standard Time"
-2752 = "Tomsk Standard Time"
-671 = "AUS Eastern Daylight Time"
-292 = "Central European Standard Time"
-872 = "Pakistan Standard Time"
-602 = "Taipei Standard Time"
-12 = "Azores Standard Time"
-2372 = "Easter Island Standard Time"
-2341 = "Haiti Daylight Time"
-492 = "India Standard Time"
-432 = "Iran Standard Time"
-1471 = "Magadan Daylight Time"
-651 = "AUS Central Daylight Time"
-281 = "Central Europe Daylight Time"
-2432 = "Cuba Standard Time"
-335 = "Jordan Standard Time"
-2791 = "Novosibirsk Daylight Time"
-2571 = "Turks and Caicos Daylight Time"
-2162 = "Altai Standard Time"
-981 = "Kamchatka Daylight Time"
-741 = "New Zealand Daylight Time"
-841 = "Argentina Daylight Time"
-452 = "Caucasus Standard Time"
-282 = "Central Europe Standard Time"
-332 = "E. Europe Standard Time"
-2042 = "Eastern Standard Time (Mexico)"
-541 = "Myanmar Daylight Time"
-1931 = "Russia TZ 11 Daylight Time"
-2612 = "Bougainville Standard Time"
-261 = "GMT Daylight Time"
-371 = "Jerusalem Daylight Time"
-2452 = "Saint Pierre Standard Time"
-2891 = "Sudan Daylight Time"
-501 = "Nepal Daylight Time"
-1502 = "Turkey Standard Time"
-1021 = "Bangladesh Daylight Time"
-451 = "Caucasus Daylight Time"
-2431 = "Cuba Daylight Time"
-982 = "Kamchatka Standard Time"
-1801 = "Line Islands Daylight Time"
-1832 = "Russia TZ 2 Standard Time"
-831 = "SA Eastern Daylight Time"
-2142 = "Transbaikal Standard Time"
-2572 = "Turks and Caicos Standard Time"
-132 = "US Eastern Standard Time"
-732 = "Fiji Standard Time"
-272 = "Greenwich Standard Time"
-32 = "Mid-Atlantic Standard Time"
-502 = "Nepal Standard Time"
-91 = "Pacific SA Daylight Time"
-361 = "GTB Daylight Time"
-182 = "Mountain Standard Time (Mexico)"
-215 = "Pacific Standard Time (Mexico)"
-1911 = "Russia TZ 10 Daylight Time"
-751 = "Tonga Daylight Time"
-2391 = "Aleutian Daylight Time"
-342 = "Egypt Standard Time"
-2841 = "Saratov Daylight Time"
-2161 = "Altai Daylight Time"
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process | events
2172 | 0b31dc8d9eeaa4a6803873a6c1380c72.exe | 2
3356 | (image name not recorded) | 62
Suspicious behavior: MapViewOfSection 1 IoCs
pid | process
2172 | 0b31dc8d9eeaa4a6803873a6c1380c72.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | process
Token: SeShutdownPrivilege (5 events) | 3356 | (image name not recorded)
Token: SeCreatePagefilePrivilege (5 events) | 3356 | (image name not recorded)
Token: SeDebugPrivilege | 4844 | powershell.exe
Token: SeDebugPrivilege | 4300 | C36E.exe
Token: SeImpersonatePrivilege | 4300 | C36E.exe
Suspicious use of WriteProcessMemory 54 IoCs
pid | process | target pid | target process | events
3356 | (image name not recorded) | 3000 | cmd.exe | 2
3000 | cmd.exe | 4720 | reg.exe | 2
3356 | (image name not recorded) | 1720 | 6C81.exe | 3
1720 | 6C81.exe | 1160 | 6C81.exe | 10
1160 | 6C81.exe | 3936 | icacls.exe | 3
3356 | (image name not recorded) | 1608 | A4B9.exe | 3
1160 | 6C81.exe | 3512 | 6C81.exe | 3
3356 | (image name not recorded) | 2672 | cmd.exe | 2
2672 | cmd.exe | 1892 | reg.exe | 2
3512 | 6C81.exe | 4728 | 6C81.exe | 10
3356 | (image name not recorded) | 4300 | C36E.exe | 3
3356 | (image name not recorded) | 4696 | EA7F.exe | 2
3356 | (image name not recorded) | 1860 | FD0E.exe | 3
4300 | C36E.exe | 4844 | powershell.exe | 3
3080 | C36E.exe | 808 | powershell.exe | 3
The ten writes from 1720 into 1160 and from 3512 into 4728, each paired with a SetThreadContext call on the same child, are the process-hollowing pattern: 6C81.exe starts a suspended copy of itself and replaces its image before resuming it.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows depth in the process tree; the "- " lines under an entry are the sandbox signatures it triggered.

PID 2172  C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

PID 3000  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\486E.bat" "
    - Suspicious use of WriteProcessMemory
    PID 4720  C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

PID 1720  C:\Users\Admin\AppData\Local\Temp\6C81.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\6C81.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID 1160  C:\Users\Admin\AppData\Local\Temp\6C81.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\6C81.exe
        - DcRat
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID 3936  C:\Windows\SysWOW64\icacls.exe
            cmd: icacls "C:\Users\Admin\AppData\Local\f649dd18-3502-4a56-afb9-9fb69a04cd97" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            - Modifies file permissions
        PID 3512  C:\Users\Admin\AppData\Local\Temp\6C81.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID 4728  C:\Users\Admin\AppData\Local\Temp\6C81.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask
                - Executes dropped EXE
                PID 4028  C:\Windows\SysWOW64\WerFault.exe
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 568
                    - Program crash

PID 1608  C:\Users\Admin\AppData\Local\Temp\A4B9.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\A4B9.exe
    - Executes dropped EXE

PID 2672  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4D7.bat" "
    - Suspicious use of WriteProcessMemory
    PID 1892  C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

PID 4392  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4728 -ip 4728

PID 4300  C:\Users\Admin\AppData\Local\Temp\C36E.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\C36E.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 4844  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken
    PID 3080  C:\Users\Admin\AppData\Local\Temp\C36E.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\C36E.exe"
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID 808  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
        PID 1988  C:\Windows\system32\cmd.exe
            cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID 3068  C:\Windows\system32\netsh.exe
                cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
        PID 440  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
        PID 4188  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
        PID 2404  C:\Windows\rss\csrss.exe
            cmd: C:\Windows\rss\csrss.exe
            PID 2824  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell -nologo -noprofile
            PID 1272  C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - DcRat
                - Creates scheduled task(s)
            PID 1408  C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /delete /tn ScheduledUpdate /f
            PID 1764  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell -nologo -noprofile
            PID 3184  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: powershell -nologo -noprofile
            PID 3900  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

PID 4696  C:\Users\Admin\AppData\Local\Temp\EA7F.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\EA7F.exe
    - Executes dropped EXE

PID 1860  C:\Users\Admin\AppData\Local\Temp\FD0E.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\FD0E.exe
    - Executes dropped EXE
    PID 2232  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

PID 2844  C:\Users\Admin\AppData\Local\Temp\5BE9.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\5BE9.exe
    PID 3756  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        PID 4704  C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 436
            - Program crash
        PID 4844  C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 432
            - Program crash
    PID 1860  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

PID 4048  C:\Users\Admin\AppData\Local\Temp\81B1.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\81B1.exe
    PID 4216  C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"
        PID 1548  C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c ""C:\containerProviderhost\SSJnjC24t.bat" "
            PID 4860  C:\Windows\SysWOW64\reg.exe
                cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                - Modifies registry key
            PID 2288  C:\containerProviderhost\runtimenetSvc.exe
                cmd: "C:\containerProviderhost/runtimenetSvc.exe"
                PID 4868  C:\Windows\System32\cmd.exe
                    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AjfCaQL16X.bat"
                    PID 2808  C:\Windows\system32\chcp.com
                        cmd: chcp 65001
                    PID 4896  C:\Windows\system32\PING.EXE
                        cmd: ping -n 10 localhost
                        - Runs ping.exe
                    PID 3840  C:\Windows\RemotePackages\RemoteDesktops\System.exe
                        cmd: "C:\Windows\RemotePackages\RemoteDesktops\System.exe"

PID 1224  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3756 -ip 3756

PID 3792  C:\Windows\SysWOW64\dialer.exe
    cmd: "C:\Windows\system32\dialer.exe"

PID 3228  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3756 -ip 3756

PIDs 4844 and 1860 each appear twice (powershell.exe/WerFault.exe and FD0E.exe/MsBuild.exe): the sandbox recorded PID reuse after the earlier process exited, not two concurrent processes.
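The tree above packs several behaviours a detection engineer would want as rules: a firewall allow-rule and a HIGHEST-privilege logon task both pointing at a csrss.exe outside System32, a DisableTaskMgr policy write, an icacls deny-delete on the Djvu install directory, MsBuild.exe and powershell.exe spawned by executables in Temp, and a Run key pointing into AppData. The following is an added example (my code, not part of the sandbox report) that encodes those as rules and runs them over events constructed from the command lines recorded above. The event layout (image, cmd, parent, key, value) is an assumed stand-in for Sysmon process-creation and registry-set fields, the trusted-directory list is a deliberately small allow-list, and the ATT&CK technique IDs are my mapping, not the report's.

```python
"""Behavioural rules for the process tree above (added example, not part of
the sandbox report).  EVENTS is constructed from the command lines the report
records; field names mimic Sysmon EID 1/13 but are an assumption."""
from __future__ import annotations
import re

# Directories a firewall allow-rule, a scheduled task or a system-named binary
# is expected to point into.  Anything else is treated as untrusted.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Names that legitimately live only under System32 (csrss.exe and System.exe
# are the two abused in this run).
SYSTEM_NAMES = {"csrss.exe", "system.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def is_trusted(path: str) -> bool:
    return path.lower().lstrip('"').startswith(TRUSTED_PREFIXES)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(ev: dict) -> list[tuple[str, str]]:
    """Return (technique, detail) pairs that fire on a single event."""
    hits: list[tuple[str, str]] = []
    if ev["type"] == "RegistrySet":
        exe = re.match(r'"?([^"]+)', ev["value"]).group(1)
        if "\\currentversion\\run\\" in ev["key"].lower() and not is_trusted(exe):
            hits.append(("T1547.001", f"Run key -> {exe}"))
        return hits
    image, cmd, parent = ev["image"], ev["cmd"], ev.get("parent", "")
    name, low = basename(image), cmd.lower()
    if name in SYSTEM_NAMES and not is_trusted(image):
        hits.append(("T1036.005", f"system binary name outside trusted dir: {image}"))
    if name == "netsh.exe" and "advfirewall" in low and "action=allow" in low:
        m = re.search(r'program="([^"]+)"', cmd, re.I)
        if m and not is_trusted(m.group(1)):
            hits.append(("T1562.004", f"firewall allow rule for {m.group(1)}"))
    if name == "schtasks.exe" and "/create" in low and "/rl highest" in low:
        m = re.search(r'/tr\s+"?([^"\s]+)', cmd, re.I)
        if m and not is_trusted(m.group(1)):
            hits.append(("T1053.005", f"highest-privilege task runs {m.group(1)}"))
    if name == "reg.exe" and "disabletaskmgr" in low and re.search(r"/d\s+1\b", low):
        hits.append(("T1562.001", "DisableTaskMgr policy set"))
    if name == "icacls.exe" and "/deny" in low and "s-1-1-0" in low and "(de,dc)" in low:
        hits.append(("T1222.001", "deny-delete ACE for Everyone on dropped directory"))
    if name in {"msbuild.exe", "powershell.exe"} and TEMP_RE.search(parent):
        tid = "T1127.001" if name == "msbuild.exe" else "T1059.001"
        hits.append((tid, f"spawned by {parent}"))
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map pid -> technique IDs for every event that fired at least one rule."""
    out: dict[int, list[str]] = {}
    for ev in events:
        ids = [tid for tid, _ in rules_for(ev)]
        if ids:
            out.setdefault(ev["pid"], []).extend(ids)
    return out


def proc(pid: int, image: str, cmd: str, parent: str = "") -> dict:
    return {"type": "ProcessCreate", "pid": pid, "image": image, "cmd": cmd, "parent": parent}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed from the report's process tree
    proc(1160, TEMP + r"\6C81.exe", TEMP + r"\6C81.exe"),
    proc(3936, r"C:\Windows\SysWOW64\icacls.exe",
         r'icacls "C:\Users\Admin\AppData\Local\f649dd18-3502-4a56-afb9-9fb69a04cd97" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    proc(3068, r"C:\Windows\system32\netsh.exe",
         r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    proc(2404, r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    proc(1272, r"C:\Windows\SYSTEM32\schtasks.exe",
         r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    proc(4860, r"C:\Windows\SysWOW64\reg.exe",
         r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    proc(2232, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe", parent=TEMP + r"\FD0E.exe"),
    proc(4844, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -nologo -noprofile", parent=TEMP + r"\C36E.exe"),
    proc(3840, r"C:\Windows\RemotePackages\RemoteDesktops\System.exe",
         r"C:\Windows\RemotePackages\RemoteDesktops\System.exe"),
    proc(5000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign control
    {"type": "RegistrySet", "pid": 1160,
     "key": r"HKU\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "value": r'"C:\Users\Admin\AppData\Local\f649dd18-3502-4a56-afb9-9fb69a04cd97\6C81.exe" --AutoStart'},
]

if __name__ == "__main__":
    for pid, ids in scan(EVENTS).items():
        print(pid, ids)
```

The path allow-list is the part to tune per estate: the masquerade and task rules rely on it, and an environment that legitimately runs tasks out of ProgramData will need that prefix added rather than the rule loosened.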
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (2)
Downloads
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
-