Analysis
- max time kernel: 87s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-02-2024 01:41
Static task: static1
Behavioral task: behavioral1
Sample: 5cddaacf9782c030db128e3ebfd8f301.exe
Resource: win7-20240221-en
General
- Target: 5cddaacf9782c030db128e3ebfd8f301.exe
- Size: 162KB
- MD5: 5cddaacf9782c030db128e3ebfd8f301
- SHA1: 71bae291b66ecfad6ee79ab150c9b4bdc676f06c
- SHA256: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
- SHA512: bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797
- SSDEEP: 3072:pR3aImWaDnBilDV8X+Ld1VVuLtKsQfk1RoGJS4dNVEv:pIbWaDBilDVNLdJBsQfk77X
Malware Config
Extracted: smokeloader (version 2022), C2 URL list
Extracted: smokeloader (pub1)
Extracted: lumma, C2 URL list
Signatures

DcRat 5 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: DB20.exe, schtasks.exe, schtasks.exe, schtasks.exe, 5cddaacf9782c030db128e3ebfd8f301.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | DB20.exe
pid | process
4236 | schtasks.exe
2532 | schtasks.exe
840 | schtasks.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5cddaacf9782c030db128e3ebfd8f301.exe

Glupteba payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1980-220-0x0000000002E20000-0x000000000370B000-memory.dmp | family_glupteba
behavioral2/memory/1980-222-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral2/memory/1980-244-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.

Creates new service(s) 1 TTPs

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid | process
1500 | netsh.exe

Stops running service(s) 3 TTPs

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 2A3D.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | 2A3D.exe

Deletes itself 1 IoCs
Processes:
pid | process
3340 | (no process name recorded)

Executes dropped EXE 16 IoCs
Processes: CE2D.exe, DB20.exe, DB20.exe, DDB1.exe, E8BE.exe, E8BE.tmp, mmediabuilder.exe, mmediabuilder.exe, 2A3D.exe, 37EA.exe, 288c47bbc1871b439df19ff4df68f076.exe, InstallSetup4.exe, FourthX.exe, BroomSetup.exe, nsw49A8.tmp, 5093.exe
pid | process
5032 | CE2D.exe
1540 | DB20.exe
1056 | DB20.exe
1716 | DDB1.exe
4880 | E8BE.exe
1984 | E8BE.tmp
4100 | mmediabuilder.exe
1696 | mmediabuilder.exe
3420 | 2A3D.exe
4716 | 37EA.exe
1980 | 288c47bbc1871b439df19ff4df68f076.exe
464 | InstallSetup4.exe
4644 | FourthX.exe
4532 | BroomSetup.exe
3180 | nsw49A8.tmp
1324 | 5093.exe
Loads dropped DLL 7 IoCs
Processes: regsvr32.exe, DB20.exe, E8BE.tmp, InstallSetup4.exe, nsw49A8.tmp
pid | process
4124 | regsvr32.exe
1056 | DB20.exe
1984 | E8BE.tmp
464 | InstallSetup4.exe
464 | InstallSetup4.exe
3180 | nsw49A8.tmp
3180 | nsw49A8.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral2/memory/1056-46-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-47-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-42-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-37-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-51-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-50-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-134-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-143-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-228-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/1056-256-0x0000000000400000-0x0000000000848000-memory.dmp | upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
Processes: DB20.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | DB20.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: DDB1.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | DDB1.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: DB20.exe
description | pid | process | target process
PID 1540 set thread context of 1056 | 1540 | DB20.exe | DB20.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe, sc.exe
pid | process
2992 | sc.exe
1940 | sc.exe
3508 | sc.exe
3992 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
4016 | 3180 | WerFault.exe | nsw49A8.tmp
4968 | 1980 | WerFault.exe | 288c47bbc1871b439df19ff4df68f076.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 37EA.exe, 5cddaacf9782c030db128e3ebfd8f301.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 37EA.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 37EA.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 37EA.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5cddaacf9782c030db128e3ebfd8f301.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5cddaacf9782c030db128e3ebfd8f301.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5cddaacf9782c030db128e3ebfd8f301.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: nsw49A8.tmp
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsw49A8.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsw49A8.tmp

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
pid | process
4236 | schtasks.exe
2532 | schtasks.exe
840 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 5cddaacf9782c030db128e3ebfd8f301.exe
pid | process
1328 | 5cddaacf9782c030db128e3ebfd8f301.exe
1328 | 5cddaacf9782c030db128e3ebfd8f301.exe
3340 | (no process name recorded; this row is repeated for the remaining 62 of the 64 entries)

Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 5cddaacf9782c030db128e3ebfd8f301.exe, 37EA.exe
pid | process
1328 | 5cddaacf9782c030db128e3ebfd8f301.exe
4716 | 37EA.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes: powershell.exe
description | pid | process
Token: SeShutdownPrivilege | 3340 | (no process name recorded)
Token: SeCreatePagefilePrivilege | 3340 | (no process name recorded)
(the two rows above alternate 11 times in the report, 22 entries in total)
Token: SeDebugPrivilege | 4956 | powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: E8BE.tmp
pid | process
1984 | E8BE.tmp

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: BroomSetup.exe
pid | process
4532 | BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: regsvr32.exe, DB20.exe, E8BE.exe, E8BE.tmp, 2A3D.exe, InstallSetup4.exe, BroomSetup.exe, cmd.exe
(the count in parentheses is how many identical rows the report lists; 64 rows in total)
description | pid | process | target process
PID 3340 wrote to memory of 5032 | 3340 | (no process name recorded) | CE2D.exe (3 rows)
PID 3340 wrote to memory of 5096 | 3340 | (no process name recorded) | regsvr32.exe (2 rows)
PID 5096 wrote to memory of 4124 | 5096 | regsvr32.exe | regsvr32.exe (3 rows)
PID 3340 wrote to memory of 1540 | 3340 | (no process name recorded) | DB20.exe (3 rows)
PID 1540 wrote to memory of 1056 | 1540 | DB20.exe | DB20.exe (8 rows)
PID 3340 wrote to memory of 1716 | 3340 | (no process name recorded) | DDB1.exe (3 rows)
PID 3340 wrote to memory of 4880 | 3340 | (no process name recorded) | E8BE.exe (3 rows)
PID 4880 wrote to memory of 1984 | 4880 | E8BE.exe | E8BE.tmp (3 rows)
PID 1984 wrote to memory of 4100 | 1984 | E8BE.tmp | mmediabuilder.exe (3 rows)
PID 1984 wrote to memory of 1696 | 1984 | E8BE.tmp | mmediabuilder.exe (3 rows)
PID 3340 wrote to memory of 3420 | 3340 | (no process name recorded) | 2A3D.exe (3 rows)
PID 3340 wrote to memory of 4716 | 3340 | (no process name recorded) | 37EA.exe (3 rows)
PID 3420 wrote to memory of 1980 | 3420 | 2A3D.exe | 288c47bbc1871b439df19ff4df68f076.exe (3 rows)
PID 3420 wrote to memory of 464 | 3420 | 2A3D.exe | InstallSetup4.exe (3 rows)
PID 3420 wrote to memory of 4644 | 3420 | 2A3D.exe | FourthX.exe (2 rows)
PID 464 wrote to memory of 4532 | 464 | InstallSetup4.exe | BroomSetup.exe (3 rows)
PID 464 wrote to memory of 3180 | 464 | InstallSetup4.exe | nsw49A8.tmp (3 rows)
PID 4532 wrote to memory of 2892 | 4532 | BroomSetup.exe | cmd.exe (3 rows)
PID 3340 wrote to memory of 1324 | 3340 | (no process name recorded) | 5093.exe (3 rows)
PID 2892 wrote to memory of 3872 | 2892 | cmd.exe | chcp.com (3 rows)
PID 2892 wrote to memory of 4236 | 2892 | cmd.exe | schtasks.exe (1 row)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the number in brackets is the process's depth in the tree; children are indented under their parent)
[1] C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"
  Signatures: DcRat; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
  PID: 1328
[1] C:\Users\Admin\AppData\Local\Temp\CE2D.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CE2D.exe
  Signatures: Executes dropped EXE
  PID: 5032
[1] C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D38D.dll
  Signatures: Suspicious use of WriteProcessMemory
  PID: 5096
  [2] C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\D38D.dll
    Signatures: Loads dropped DLL
    PID: 4124
[1] C:\Users\Admin\AppData\Local\Temp\DB20.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\DB20.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 1540
  [2] C:\Users\Admin\AppData\Local\Temp\DB20.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\DB20.exe
    Signatures: DcRat; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
    PID: 1056
[1] C:\Users\Admin\AppData\Local\Temp\DDB1.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\DDB1.exe
  Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
  PID: 1716
[1] C:\Users\Admin\AppData\Local\Temp\E8BE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E8BE.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  PID: 4880
  [2] C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp" /SL5="$80060,2424585,54272,C:\Users\Admin\AppData\Local\Temp\E8BE.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    PID: 1984
    [3] C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
      Command line: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i
      Signatures: Executes dropped EXE
      PID: 4100
    [3] C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
      Command line: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s
      Signatures: Executes dropped EXE
      PID: 1696
[1] C:\Users\Admin\AppData\Local\Temp\2A3D.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2A3D.exe
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
  PID: 3420
  [2] C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    Signatures: Executes dropped EXE
    PID: 1980
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 4956
    [3] C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      PID: 5104
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 3228
      [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        PID: 4336
        [5] C:\Windows\system32\netsh.exe
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          Signatures: Modifies Windows Firewall
          PID: 1500
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 1736
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 2224
      [4] C:\Windows\rss\csrss.exe
        Command line: C:\Windows\rss\csrss.exe
        PID: 2424
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 716
        [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          Signatures: DcRat; Creates scheduled task(s)
          PID: 2532
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 1664
        [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /delete /tn ScheduledUpdate /f
          PID: 2452
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 4460
        [5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          PID: 2792
        [5] C:\Windows\SYSTEM32\schtasks.exe
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          Signatures: DcRat; Creates scheduled task(s)
          PID: 840
    [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 848
      Signatures: Program crash
      PID: 4968
  [2] C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID: 464
    [3] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      PID: 4532
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        PID: 2892
        [5] C:\Windows\SysWOW64\chcp.com
          Command line: chcp 1251
          PID: 3872
        [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
          Signatures: DcRat; Creates scheduled task(s)
          PID: 4236
    [3] C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp
      Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
      PID: 3180
      [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 2000
        Signatures: Program crash
        PID: 4016
  [2] C:\Users\Admin\AppData\Local\Temp\FourthX.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
    Signatures: Executes dropped EXE
    PID: 4644
    [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      PID: 2296
    [3] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe delete "UTIXDCVF"
      Signatures: Launches sc.exe
      PID: 2992
    [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      PID: 4488
      [4] C:\Windows\system32\wusa.exe
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
        PID: 2424
    [3] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
      Signatures: Launches sc.exe
      PID: 1940
    [3] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe start "UTIXDCVF"
      Signatures: Launches sc.exe
      PID: 3508
    [3] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop eventlog
      Signatures: Launches sc.exe
      PID: 3992
[1] C:\Users\Admin\AppData\Local\Temp\37EA.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\37EA.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
  PID: 4716
[1] C:\Users\Admin\AppData\Local\Temp\5093.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5093.exe
  Signatures: Executes dropped EXE
  PID: 1324
[1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3180 -ip 3180
  PID: 1256
[1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1980 -ip 1980
  PID: 5012
[1] C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
  Command line: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
  PID: 4232
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    PID: 4888
  [2] C:\Windows\system32\conhost.exe
    Command line: C:\Windows\system32\conhost.exe
    PID: 4848
  [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    PID: 1412
    [3] C:\Windows\system32\wusa.exe
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
      PID: 4184
  [2] C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 2560
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1): Bootkit (1)
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2.5MB
MD5b03886cb64c04b828b6ec1b2487df4a4
SHA1a7b9a99950429611931664950932f0e5525294a4
SHA2565dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA51221d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659
-
Filesize
2.4MB
MD53bfb15ed0b9fb528f4cc1a11f5b77d15
SHA1091f12f70d30f535a2bbc50fdf9f7ecddcb4e014
SHA25613e0f6590b249a52a6f7ae4b2f4e5148f191b2ffc7af6b06c74734dda990529d
SHA512dab088ad2c777572f7529ba1f9a0d399898f0750409af88bb26205bd06fa255dfce3a5ff56e0308e325410fec0a121e6daaf178410e7807d5d1c88a525def23e
-
Filesize
1.4MB
MD5f17fe65293447914b13d35fe2513749a
SHA1d597a20f656c2f674ed67b93b107fc98704ab04c
SHA25680946f2ee1fc33f707579aede366bfebd438817abd42e2a41dc466ff35bae81a
SHA512fd8eaa1d17b20bf0ee9fc15882f52ef04840e2957b594267d4be395869fb62a86c631b007fe48f210027b3df399d5187c15d44cbd9de93625684c6e8b53134dc
-
Filesize
1.1MB
MD5124477310352537f16c4a6c89204050d
SHA105bf58eaa2ad2d229cd312772a0300a853fa7d98
SHA256928392fd3e6a51f0f77cbfe99a6d724f8450175d54fd9977d4d161d6130aa907
SHA512495c85ef55f642f2c8611416fb90cd13075b3000b2eea191bd6473e5512aeecc450c472880ff148705b32489226c965fdc761a7165fba1a4223d4e8bb89705e3
-
Filesize
3.1MB
MD562529eb440decb9151687caa9728c97b
SHA1101814c05cae4892ebc2de787223ca1f4dcb4aed
SHA2560030bad31bb465a35b4ca0ba5a21eaf0f570f54e7a3ffecb1d98f76ce728e728
SHA51282d7f0d5a032977ccf1bdf7a2672e58c0f2e41a7a159e654687974e88d557362396d047e3ca3e1aca125e3d59c2a66cd667232f7a2ba3c0b5caacc9921cbf113
-
Filesize
1.5MB
MD534666eafe0fffb6a73e31c1e09ecac4f
SHA1ffd5c92070e4a8fab8f8095316d73ccd485f6294
SHA256d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232
SHA512542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966
-
Filesize
450KB
MD5e5bdc6f3e7e9173a92e6410dbbdf4457
SHA10e23c3fae88a45599fa9d815b091859812ebc23d
SHA2569d5035df884f710dc8647c7cf12c255ba281b48ca228e4736017da57ec92f975
SHA5127e131071bba6e2d43804a798b9ddf4ce07d005253f058f27f5e1b0282f50fad5d9e376b52421929b0015cc482adce770e3611f9ab5a089e60243de8352be4fbc
-
Filesize
1.2MB
MD56bdb234305778c39ec1121b20dbb5b46
SHA19397990981227c7b06a4ad4d1a2b030d38fcd6e1
SHA2560e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b
SHA5126a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a
-
Filesize
310KB
MD56bf98bc4393f34131d011482eda568d4
SHA187849cb3777d15a2d89f80f1ce340c341bd1a4d2
SHA256bf394de2f9120bca0515fc1141f48f0b1c0fc6acf631b69eaba1400e3308a35c
SHA512a11c201124fe41a12e32106940f8296b665088bfcc4d6b2a258f08002e93104ef287641b92ca5edfe89d2aaa95365c2b5e1192c9820b6040c759e97a7f800a5a
-
Filesize
8.7MB
MD5ceae65ee17ff158877706edfe2171501
SHA1b1f807080da9c25393c85f5d57105090f5629500
SHA2560dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
SHA5125214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b
-
Filesize
163KB
MD50ca68f13f3db569984dbcc9c0be6144a
SHA18c53b9026e3c34bcf20f35af15fc6545cb337936
SHA2569cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA5124c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d
-
Filesize
320KB
MD5abbed7400cb68d38906634bd66ee43da
SHA12356169d73ec780e5f3bb056cf8dec2e6eaf0d30
SHA25638f5532f8edd63f0204ce9c429e6c02b430446734f2592271a523b78dd8e461d
SHA51234c4acf0843a2cdc8a71c01f40b1d05739a5346d264b5c36c1b60b8e68225d3fc127dfcde62c9862c29254e634f73f0019e225e1b098a50eba54b40b0eb438f4
-
Filesize
1.8MB
MD59347963f1eb6809960649b8132b9cef9
SHA1e09b58b4c6472d8017fb71195dee02752f0cd17d
SHA256167b7bc94aea4124dfa1615d54138bfbaef519fb519923c7e2e0f2bef5ff0e45
SHA5128771ec5df147d94c196bedafdae421fbcf40e0c9991c5d54b312a62793b5516e316d94a1784146eea7d8beda8b0eaa9810f102f542c329ac0363b7c0ac59bd91
-
Filesize
2.4MB
MD508020e607d441a30c943110958c3c119
SHA1e10917fc4dbb0129c257104f1bbf657eab313f49
SHA25615e1c0272cd04b5cb98d2234ed32d17c95a3019b7ca42e29ea886533663158f2
SHA512a43255f546abaf8369591714efcaeee5b6031fe79d466c64ebb0141a25859332b0bd59079d9f275cf23be2b41de2461cd051d8eeabc32e4d966b6b806c8554c0
-
Filesize
2.9MB
MD52ffc5121c7c00cf53cec8421429c9c43
SHA1f8264794c48a637a761b203a142cab1bdcc3fad2
SHA2561a8cda31ec134d6461cadb3fcbc3b3667e2082c50b6501284485a96be6638c74
SHA512649d61d81adcc793cae3c45f00e40267f5c9f84d361a0e34b74bf1ae658737966bffeed63b40d3b80ad8b21769f50a57274a48836612c76eddf0ec448a9dea7d
-
Filesize
1.1MB
MD5ac37a77b268afe3463035a826c5233aa
SHA10b1f9549cd160dbc38ed5aefe4a4ad0b11dec672
SHA2563c5e94dbf117b1063b20203c7498c4324126cbd94ae3a30969e17e54d6bcf03c
SHA5128eb08d42ecaa7254703971ccc83c766753abddadea219b3b3cc86fac1ef861b201c448341c555e4e186d5130a1221175b454c057626cd2a0657741657b2e5fb8
-
Filesize
5.0MB
MD50904e849f8483792ef67991619ece915
SHA158d04535efa58effb3c5ed53a2462aa96d676b79
SHA256fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5
-
Filesize
1.2MB
MD54a29cf76ac589f126e7c12309318da51
SHA154128454b38d8bf87eb05ec3938f7312e41edb7f
SHA256f57d59d3b086cba961a1ba469e27c7e5030dd8449c70e4435647faf5c1061a52
SHA512608242687b1bb5b89ec0795d369613d3e54d9087d33acaa19d0d31bd6c63d64792a0a4a7bf79bc4f26c7e74f5cd1f987c10fbc8adfc2c544f3808228f5f564c2
-
Filesize
448KB
MD5b3b83e44a9580165e083fc3b6ebea7ae
SHA1308cee6647694e8dd3438eda2493fcfbfc47d80a
SHA256e5e32fd8d17492811487a4cf393c8898e75dd2cb834d084e2a23d3ec322d97e1
SHA5127a83493cecee83eec6b24a8f46046b2fca3bd6c03fdefc7364a2fe74e0e4ed38527ac9f638f7ffade95c76bd9b0fd912f81bf57cdb2d7b5b3f41ebb12335198d
-
Filesize
128KB
MD55d33a9c72c8008f9e70509724c85e00f
SHA1e5f9407b5cace0e3f9d2b0f40e9ae99edca4efe7
SHA256ca3b25e9c35a70a254d5128460b5cdfc03ae5c66d675a6306bab884d124b37bc
SHA512709a1b1fc7c5f26e2827fbcfc62ac88226f82d7ca27efc5641c6bd33551e29c758dfe4534612cbefde0dc31fa48991755e93aeca2c76bb864894a978a6eeedf6
-
Filesize
1.7MB
MD5b73b13620f82e24559a5adc75072ccc5
SHA1152a2acdc433928c05d891af5b624efb77b14d94
SHA256492cdaf4386e89cf3d92561c95b68984a666a1ecbcaacdece69171ae41790a3f
SHA51299f45a110a9b576e53cc220277fcedc02d2b9fec189e7a1f31bb018703936345c8050a561e0b8551922c97aa2a5ccee15827482fc81f845dc86ed1d62dc300ed
-
Filesize
192KB
MD57f434979261c289f4b611eaf4488aab3
SHA14cf8b86e70a8627dfc0de78f380d0c6086ecdcb8
SHA2568ba6525efdad26932ccd1b33672f207d8648faac28621d87d81c7cf990e7a73b
SHA512212adf4ae65ebcf27532aa33ecb5fabde12e396a2c4b64580295b0971ab103994011048bd69fbaf561cefcfac2daaadcdea133d19a5ead5af128f131d16003a7
-
Filesize
1.1MB
MD5ca2753b2c6e3eb37b245757746a00c86
SHA1d266219dcd811e5139f2b3a120dc3485e3ebdc61
SHA256ed0b9b8e5eee059282a2452a6e25eb04e930c387a41010de45a65d2fb66ec5d3
SHA512a5ac3231db412dff1ea34f77b675f86dc9d7d8cc1062011d1ff551fde2b8b598aa345a130d95b26384a7e1a59521489a9a5cead9695e24dbbd0fb9d395f858f6
-
Filesize
560KB
MD5e6dd149f484e5dd78f545b026f4a1691
SHA13ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA25611243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA5120defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize
1.1MB
MD50a83fc4ef75e93c9e8b42101223da373
SHA17fab2117c1ad79274d8b044f5bd6af478d858213
SHA256c006d186ef33965ba68fd6948da1053b81e054d3a63a415ed80d7e09a9af9516
SHA5126ca61e8d3b78c5fa61f4c46512d2229e2517972957a7a038b6b5dbf9747b5269bcd547497d1494e028d21ec444802e96c63e6a1209ca690e8736b6fbd038c971
-
Filesize
768KB
MD5a7626d4194736b5c284a09feca2711c1
SHA1121f234a4e436a98036b99ebb5d9dbf0dc659b54
SHA2564550b7b36c6f67222e23fc7bae32689660712e4fc0d2c11515582c89d7429c55
SHA512a74eb41cf0a3a4f36cd86f680e6d03ee2c0c6bbce4841f3acab200e4a13990fce43a7dd17d67eb4119706f1e7b499ddadd079558069c945e713edaf13371e78d
-
Filesize
1.2MB
MD55ca7fc407124217ed4ac456d5369e951
SHA15defeaea509bafe38005a9232d94282b59525ef3
SHA256dff322ad2a276c1108b45e701c5af4f94a664fb25b72e95b3b29b60bd034a120
SHA512dacc7e70b13b59f4dc7d47f2b254c510d6603f1c3cb59213569cc267057beb2a8952dc5fd1fda2fe3747d94144c1526c85c454af9e7a6e47a0c41f40cbd5f572
-
Filesize
1.8MB
MD5be6df3d38e61bcc99c41c4f80aa3ef48
SHA102de2f7ef9d2f9e83b19f37b67fd0bdd1825832f
SHA256ab3ab0bac897a52314b6239cdf59973c80ccd15d54750ceb5a6b8a0212483b76
SHA512796fbf4c2bdce2ba8f16f7206d4c9fbbf59832fb93d98b99e476bb587db95348b6f77b368cf29bc6c763c245fbce7866bb711e0f7304a0dfed3ebfb4ce702494
-
Filesize
960KB
MD5cf71d723e6a3a2abdb69313657a0862f
SHA19fae6ddc3f0a9e3c874a278435946d83f3f9ab1c
SHA256ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125
SHA512b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e
-
Filesize
192KB
MD5b45b646c5c3131dbbb69c15d98255ab1
SHA1391cb13c4a7d43b683444f6c3a87305de5004a37
SHA256e107f6f456b4f9c1138e7e0f1c7d4b88db97f62cb5e624da3e574d59681dd7a1
SHA51213edee5cc6e7a05339aeb9ac4c91f7c787ba887192523f977a4eaac61aeecaccad01791ebee78ddf51196563397a3d52b064af0c897c241e6caf0466c9b7f479
-
Filesize
1.1MB
MD50159c753801f7e27ae10b8527805eb8c
SHA1aa87fef2ddf7159ae08194089e4d4178d5dbe009
SHA256db2b1d24d4ae5442db39be1d3aae8329b9a2c752e402fb6669b27343c15ccd8c
SHA5124fd68d99b5bada4e40c271b50f27b5f5e7ae330609a05087eca6cc0ff8e746487de43ca322f80d26f843e06e31d53d5cf4d0a1d8ec1bf455cc901e967cd54c3a
-
Filesize
2.0MB
MD5
819a5ef7a8ef0fac982b7771c1753b43
SHA1
c216891c0521bdb85fd29cd7097cdc4a7a305858
SHA256
efef5d7757a65912158c301bd1aa18880f693f9acfe7ffb14a87f4340b262b50
SHA512
9bb66c99dce90f363c11062cd659c5920662e88f0e76af88428a2a33e323762bf89dfa442ffb275463eb78baec036f3e29153a06a9a91a61926f29f47fc986ad
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5
d98e33b66343e7c96158444127a117f6
SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5
a69559718ab506675e907fe49deb71e9
SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
689KB
MD5
951ac648539bfaa0f113db5e0406de5b
SHA1
1b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256
bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512
795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d
-
Filesize
25KB
MD5
40d7eca32b2f4d29db98715dd45bfac5
SHA1
124df3f617f562e46095776454e1c0c7bb791cc7
SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
192KB
MD5
9089c5ddf54262d275ab0ea6ceaebcba
SHA1
4796313ad8d780936e549ea509c1932deb41e02a
SHA256
96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512
ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c
-
Filesize
128B
MD5
11bb3db51f701d4e42d3287f71a6a43e
SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
3d086a433708053f9bf9523e1d87a4e8
SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
d1cbedaa594413755c98c3a726effcc0
SHA1
e64f3f94e55bd61cfa83a639c8e256a314913417
SHA256
102e4077134f2a2fc2377cad536b03d6e71be680282078435509c513481418b3
SHA512
31751dc9c065347eae84f2ef408710daf4e5f7f1d2e67d87452a7dce399d3fe68bfab94ca0b56de21bc9eec60248a77e342d11ee671ad30608c61af248f306f3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
07c9e2bab22f7789dce0ab01e6ab73d9
SHA1
36b6a405fb2c629f3dfe9231cfd15a411ec993de
SHA256
689d9c6e12a058fd31c831812f6ad1eb3969a1863c61b71c1f7de55153a65e28
SHA512
3228adb5bbfa109d861cce0731d348845b74857efa14c66c7e2422a17a059d83c913db4e9fc0ec9917310c5d94d0a45131e0b0676178b5fd5d151b74d09fd7ff
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
175d04cdee0f6fec9b1e876029364cc3
SHA1
1216ca309edcba55f0e1892b2f0b2547ef72a273
SHA256
795ac3d8c3a2f683ade05812f5ce665b5358f6bc563e866fcd6ccb4cb4022605
SHA512
26dd197fd3926beccea9dae42271f02533ebce689fcace36e7e379a649eea1879277e76f14238465b27bfe99cbd92d31789b89e5d4fc001907dca2285f4f6710
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
53478ab38941e7a24473ebc8b456d71d
SHA1
4fdf29301f5643a2879046a3d6df8e9d94067040
SHA256
5ae49958ef6818234a9a95122962541c4c9e57218dea38083ba60f6c280d1c61
SHA512
71ae082268455f2aedb743112b3ed406a3390976b9ace57839ca03f94fe0a009836772fe0519769933a31cca7112e38b365f5bfec30a7a7f32733609ee6302e8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB
MD5
5147d39ec695e21c5691c8dc1bb70d30
SHA1
def3f69ae6be7317a3b9a1b279063aed25e99fb1
SHA256
cd5d2d2d56c429d682a0c443b8173fd501f52afd3850643b86a0528785bb72f5
SHA512
95fa8e3ec8a6f2249b4fcf7331d64757156ccd36bc6e9c0aa986e9b8c6edae2fc01fdf7f4ec12ea003928186fd3c0abe023b7ff8f2d27546ede9caf1af57ce3c
-
Filesize
1.3MB
MD5
69d8541afe9eb5d47b8a4ec080212d19
SHA1
2bd9cda3c37de1569edc024935374ef90a8d186b
SHA256
5731567f5316e5c8535d8b9aa0ec8c2c839b89dbba2dd9aacbc76e46b26080b7
SHA512
56aa8cc13b79695bf1c0e1ce51302d569411d22072dbfca1943e97a3d5fe5e6f7c66ce341f8f065de73a85c9d29c820570202aa6977d89e3e5a979ccceec0c95
-
Filesize
4.1MB
MD5
d122f827c4fc73f9a06d7f6f2d08cd95
SHA1
cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256
b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512
8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986
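The dropped-file list above is what an analyst turns into indicators, and when a report like this is copied out as text the digest labels often arrive either on their own line or fused to the value (SHA1121f..., Filesize2KB). The parser below is an added example written for this page; it is not code from the sandbox or any vendor tool. It accepts both shapes, splits each record at the "-" separators, rejects any digest whose hex length does not match its algorithm (so a truncated value never reaches a blocklist), keeps the dropped-file path so entries such as PowerShell's own profile cache can be filtered out later, and emits a SHA-256 to path map. The first three records in SAMPLE_REPORT are copied from this report (one partial record, one in label-per-line form, one fused with a path); the last record, with a truncated SHA1, is constructed to exercise the validation path.

```python
from __future__ import annotations

import string
from dataclasses import dataclass, field
from typing import Optional

# Hex-digest length each algorithm must have. Anything else is reported
# instead of stored, so a truncated or mis-split digest never becomes an IOC.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed input: records 1-3 are copied from this report; record 4
# (truncated SHA1) is made up to exercise the validation path.
SAMPLE_REPORT = r"""SHA5126ca61e8d3b78c5fa61f4c46512d2229e2517972957a7a038b6b5dbf9747b5269bcd547497d1494e028d21ec444802e96c63e6a1209ca690e8736b6fbd038c971
-
Filesize
768KB
MD5
a7626d4194736b5c284a09feca2711c1
SHA1
121f234a4e436a98036b99ebb5d9dbf0dc659b54
SHA256
4550b7b36c6f67222e23fc7bae32689660712e4fc0d2c11515582c89d7429c55
SHA512
a74eb41cf0a3a4f36cd86f680e6d03ee2c0c6bbce4841f3acab200e4a13990fce43a7dd17d67eb4119706f1e7b499ddadd079558069c945e713edaf13371e78d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
1KB
SHA1deadbeef
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    digests: dict[str, str] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)


def _is_hex(s: str) -> bool:
    return bool(s) and all(c in string.hexdigits for c in s)


def split_fused_digest(line: str) -> Optional[tuple[str, str]]:
    """Recover ('SHA1', '121f...') from a fused line such as 'SHA1121f...'.

    Each known label is tried and accepted only when the remainder is hex of
    exactly that algorithm's digest length.
    """
    for algo, n in DIGEST_LENGTHS.items():
        rest = line[len(algo):]
        if line.startswith(algo) and len(rest) == n and _is_hex(rest):
            return algo, rest.lower()
    return None


def parse_dropped_files(text: str) -> list[DroppedFile]:
    """Parse a '-'-separated dropped-file list into validated records."""
    lines = [ln.strip() for ln in text.splitlines()]
    records: list[DroppedFile] = []
    cur = DroppedFile()

    def flush() -> None:
        nonlocal cur
        if cur.path or cur.size or cur.digests or cur.errors:
            records.append(cur)
        cur = DroppedFile()

    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line == "-":                                # record separator
            flush()
        elif line == "":
            pass
        elif line == "Filesize":                       # label on its own line
            cur.size = nxt
            i += 1
        elif line.startswith("Filesize"):              # fused: "Filesize2KB"
            cur.size = line[len("Filesize"):]
        elif line in DIGEST_LENGTHS:                   # label on its own line
            if len(nxt) == DIGEST_LENGTHS[line] and _is_hex(nxt):
                cur.digests[line] = nxt.lower()
            else:
                cur.errors.append(f"{line}: bad digest {nxt!r}")
            i += 1
        elif (hit := split_fused_digest(line)) is not None:
            cur.digests[hit[0]] = hit[1]
        elif line.startswith(tuple(DIGEST_LENGTHS)):   # label, but bad value
            cur.errors.append(f"unparseable digest line: {line}")
        elif "\\" in line or "/" in line:              # dropped-file path
            cur.path = line
        else:
            cur.errors.append(f"unrecognised line: {line}")
        i += 1
    flush()
    return records


def sha256_iocs(records: list[DroppedFile]) -> dict[str, Optional[str]]:
    """SHA-256 -> path for every record carrying a valid SHA-256. Records
    without one (the partial first entry, anything that failed validation)
    are left out rather than padded with a weaker digest."""
    return {r.digests["SHA256"]: r.path for r in records if "SHA256" in r.digests}


if __name__ == "__main__":
    for rec in parse_dropped_files(SAMPLE_REPORT):
        print(rec.path or "<no path>", rec.size, sorted(rec.digests), rec.errors)
```

Run it as-is to see the four parsed records, including the rejected SHA1; feed it the whole list from this page to get a SHA-256 map ready for a hash blocklist. Note that the entries under SysWOW64\config\systemprofile (powershell.exe.log, StartupProfileData-Interactive) are PowerShell's own per-host artefacts written because PowerShell ran as SYSTEM, so their hashes are worth keeping as evidence of that execution but not as detection indicators; the path field is what lets you drop them before export.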