Analysis
max time kernel: 123s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 01:41

Static task: static1
Behavioral task: behavioral1
  Sample: 5cddaacf9782c030db128e3ebfd8f301.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 5cddaacf9782c030db128e3ebfd8f301.exe
  Resource: win10v2004-20240226-en
General
Target: 5cddaacf9782c030db128e3ebfd8f301.exe
Size: 162KB
MD5: 5cddaacf9782c030db128e3ebfd8f301
SHA1: 71bae291b66ecfad6ee79ab150c9b4bdc676f06c
SHA256: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
SHA512: bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797
SSDEEP: 3072:pR3aImWaDnBilDV8X+Ld1VVuLtKsQfk1RoGJS4dNVEv:pIbWaDBilDVNLdJBsQfk77X
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
smokeloader
pub1
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
DcRat (3 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
- 5cddaacf9782c030db128e3ebfd8f301.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- PID 1804 schtasks.exe
- PID 2956 schtasks.exe
Detect Socks5Systemz Payload (1 IoC)
YARA matches:
- behavioral2/memory/492-392-0x00000000008B0000-0x0000000000952000-memory.dmp: family_socks5systemz
Glupteba payload (4 IoCs)
YARA matches:
- behavioral2/memory/996-197-0x0000000002DC0000-0x00000000036AB000-memory.dmp: family_glupteba
- behavioral2/memory/996-198-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
- behavioral2/memory/996-215-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
- behavioral2/memory/996-415-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
Socks5Systemz
Socks5Systemz is a botnet written in C++.
Creates new service(s) (1 TTP)
Downloads MZ/PE file
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- PID 744 netsh.exe
Stops running service(s) (3 TTPs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 11A4.exe: Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation
Deletes itself (1 IoC)
Processes:
- PID 3536
Executes dropped EXE (17 IoCs)
Processes:
- PID 4308 C0C0.exe
- PID 4776 CE9C.exe
- PID 3800 CE9C.exe
- PID 2872 D341.exe
- PID 1360 DC4A.exe
- PID 396 DC4A.tmp
- PID 1804 schtasks.exe
- PID 492 mmediabuilder.exe
- PID 4784 11A4.exe
- PID 996 288c47bbc1871b439df19ff4df68f076.exe
- PID 2660 InstallSetup4.exe
- PID 1748 FourthX.exe
- PID 3112 BroomSetup.exe
- PID 2840 2934.exe
- PID 4664 nsh3035.tmp
- PID 3676 5BBE.exe
- PID 4752 vueqjgslwynd.exe
Loads dropped DLL (8 IoCs)
Processes:
- PID 4604 regsvr32.exe
- PID 3800 CE9C.exe
- PID 396 DC4A.tmp
- PID 2660 InstallSetup4.exe
- PID 2660 InstallSetup4.exe
- PID 4664 nsh3035.tmp
- PID 4664 nsh3035.tmp
- PID 2660 InstallSetup4.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
YARA rule upx (6 IoCs)
YARA matches:
- behavioral2/memory/3800-37-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/3800-41-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/3800-39-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/3800-42-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/3800-43-0x0000000000400000-0x0000000000848000-memory.dmp: upx
- behavioral2/memory/3800-44-0x0000000000400000-0x0000000000848000-memory.dmp: upx
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- CE9C.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- D341.exe: File opened for modification \??\PHYSICALDRIVE0
Drops file in System32 directory (1 IoC)
Processes:
- FourthX.exe: File opened for modification C:\Windows\system32\MRT.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 4776 CE9C.exe set thread context of PID 3800 CE9C.exe
Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 3624 sc.exe
- PID 808 sc.exe
- PID 2368 sc.exe
- PID 4976 sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
Processes:
- PID 2672 WerFault.exe, target PID 4664 nsh3035.tmp
- PID 448 WerFault.exe, target PID 996 288c47bbc1871b439df19ff4df68f076.exe
- PID 1076 WerFault.exe, target PID 1680 288c47bbc1871b439df19ff4df68f076.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- 5cddaacf9782c030db128e3ebfd8f301.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 5cddaacf9782c030db128e3ebfd8f301.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 5cddaacf9782c030db128e3ebfd8f301.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 2934.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 2934.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 2934.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- nsh3035.tmp: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- nsh3035.tmp: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 2956 schtasks.exe
- PID 1804 schtasks.exe
Modifies data under HKEY_USERS (46 IoCs)
Processes (all by powershell.exe):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 2044 5cddaacf9782c030db128e3ebfd8f301.exe (2 entries)
- PID 3536 (62 entries)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- PID 2044 5cddaacf9782c030db128e3ebfd8f301.exe
- PID 2840 2934.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
- PID 3536: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating (32 entries, 16 of each)
- PID 3900 powershell.exe: Token: SeDebugPrivilege
- PID 1948 powershell.exe: Token: SeDebugPrivilege
- PID 4772 powershell.exe: Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 396 DC4A.tmp
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 3112 BroomSetup.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes:
- PID 3536
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID -> target PID, with the number of entries for each pair):
- PID 3536 wrote to memory of PID 4308 C0C0.exe (3)
- PID 3536 wrote to memory of PID 4480 regsvr32.exe (2)
- PID 4480 regsvr32.exe wrote to memory of PID 4604 regsvr32.exe (3)
- PID 3536 wrote to memory of PID 4776 CE9C.exe (3)
- PID 4776 CE9C.exe wrote to memory of PID 3800 CE9C.exe (8)
- PID 3536 wrote to memory of PID 2872 D341.exe (3)
- PID 3536 wrote to memory of PID 1360 DC4A.exe (3)
- PID 1360 DC4A.exe wrote to memory of PID 396 DC4A.tmp (3)
- PID 396 DC4A.tmp wrote to memory of PID 1804 schtasks.exe (3)
- PID 396 DC4A.tmp wrote to memory of PID 492 mmediabuilder.exe (3)
- PID 3536 wrote to memory of PID 4784 11A4.exe (3)
- PID 4784 11A4.exe wrote to memory of PID 996 288c47bbc1871b439df19ff4df68f076.exe (3)
- PID 4784 11A4.exe wrote to memory of PID 2660 InstallSetup4.exe (3)
- PID 4784 11A4.exe wrote to memory of PID 1748 FourthX.exe (2)
- PID 2660 InstallSetup4.exe wrote to memory of PID 3112 BroomSetup.exe (3)
- PID 3536 wrote to memory of PID 2840 2934.exe (3)
- PID 3112 BroomSetup.exe wrote to memory of PID 1196 cmd.exe (3)
- PID 2660 InstallSetup4.exe wrote to memory of PID 4664 nsh3035.tmp (3)
- PID 1196 cmd.exe wrote to memory of PID 4796 Conhost.exe (3)
- PID 3536 wrote to memory of PID 3676 5BBE.exe (3)
- PID 1196 cmd.exe wrote to memory of PID 1804 schtasks.exe (1)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nested by parent; each entry gives the image path, PID, command line and the signatures that matched it)
- C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe (PID 2044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"
  Signatures: DcRat; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\C0C0.exe (PID 4308)
  Command line: C:\Users\Admin\AppData\Local\Temp\C0C0.exe
  Signatures: Executes dropped EXE
- C:\Windows\system32\regsvr32.exe (PID 4480)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C620.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 4604)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\C620.dll
    Signatures: Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\CE9C.exe (PID 4776)
  Command line: C:\Users\Admin\AppData\Local\Temp\CE9C.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CE9C.exe (PID 3800)
    Command line: C:\Users\Admin\AppData\Local\Temp\CE9C.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
- C:\Users\Admin\AppData\Local\Temp\D341.exe (PID 2872)
  Command line: C:\Users\Admin\AppData\Local\Temp\D341.exe
  Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
- C:\Users\Admin\AppData\Local\Temp\DC4A.exe (PID 1360)
  Command line: C:\Users\Admin\AppData\Local\Temp\DC4A.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp (PID 396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp" /SL5="$90118,2424585,54272,C:\Users\Admin\AppData\Local\Temp\DC4A.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe (PID 1804)
      Command line: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i
    - C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe (PID 492)
      Command line: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s
      Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\11A4.exe (PID 4784)
  Command line: C:\Users\Admin\AppData\Local\Temp\11A4.exe
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe (PID 996)
    Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4772)
      Command line: powershell -nologo -noprofile
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe (PID 1680)
      Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4900)
        Command line: powershell -nologo -noprofile
      - C:\Windows\system32\cmd.exe (PID 4064)
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - C:\Windows\system32\netsh.exe (PID 744)
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          Signatures: Modifies Windows Firewall
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2444)
        Command line: powershell -nologo -noprofile
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4492)
        Command line: powershell -nologo -noprofile
      - C:\Windows\rss\csrss.exe (PID 4716)
        Command line: C:\Windows\rss\csrss.exe
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1916)
          Command line: powershell -nologo -noprofile
        - C:\Windows\SYSTEM32\schtasks.exe (PID 2956)
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          Signatures: DcRat; Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe (PID 2236)
          Command line: schtasks /delete /tn ScheduledUpdate /f
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3212)
          Command line: powershell -nologo -noprofile
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1836)
          Command line: powershell -nologo -noprofile
        - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 1736)
          Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - C:\Windows\SysWOW64\WerFault.exe (PID 1076)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 612
        Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 448)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 888
      Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe (PID 2660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe (PID 3112)
      Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1196)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\chcp.com (PID 4796)
          Command line: chcp 1251
        - C:\Windows\SysWOW64\schtasks.exe (PID 1804)
          Command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
          Signatures: DcRat; Executes dropped EXE; Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp (PID 4664)
      Command line: C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp
      Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
      - C:\Windows\SysWOW64\WerFault.exe (PID 2672)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 2452
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\FourthX.exe (PID 1748)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
    Signatures: Executes dropped EXE; Drops file in System32 directory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3900)
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\sc.exe (PID 3624)
      Command line: C:\Windows\system32\sc.exe delete "UTIXDCVF"
      Signatures: Launches sc.exe
    - C:\Windows\system32\cmd.exe (PID 3320)
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - C:\Windows\system32\wusa.exe (PID 3172)
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
    - C:\Windows\system32\sc.exe (PID 808)
      Command line: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
      Signatures: Launches sc.exe
      - C:\Windows\System32\Conhost.exe (PID 4796)
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Windows\system32\sc.exe (PID 2368)
      Command line: C:\Windows\system32\sc.exe start "UTIXDCVF"
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe (PID 4976)
      Command line: C:\Windows\system32\sc.exe stop eventlog
      Signatures: Launches sc.exe
- C:\Users\Admin\AppData\Local\Temp\2934.exe (PID 2840)
  Command line: C:\Users\Admin\AppData\Local\Temp\2934.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\5BBE.exe (PID 3676)
  Command line: C:\Users\Admin\AppData\Local\Temp\5BBE.exe
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 3708)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 4664
- C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe (PID 4752)
  Command line: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
  Signatures: Executes dropped EXE
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1948)
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\conhost.exe (PID 3876)
    Command line: C:\Windows\system32\conhost.exe
  - C:\Windows\system32\cmd.exe (PID 1020)
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - C:\Windows\system32\wusa.exe (PID 4472)
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
  - C:\Windows\explorer.exe (PID 688)
    Command line: explorer.exe
- C:\Windows\SysWOW64\WerFault.exe (PID 1664)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 996 -ip 996
- C:\Windows\SysWOW64\WerFault.exe (PID 2180)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1680 -ip 1680
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
Filesize
1.4MB
MD5057d4899785c88a4b96a30efac0a7f10
SHA12304be75b31060360a246617e18a147febbcd080
SHA25666e7dcd0c0e64d8f2e89f4e589a6928bd76342c9a7e5c2215bcba0d10c15fbd4
SHA512240b11dbadcc5d84c4b000c13d23507d7f4883a1ea12d5aba15b9252da91f3b755c7951ed4a1218fbcdf1e9e710d227d7ffd5e7fe7c09bceda7d3b05072a2574
-
Filesize
1.4MB
MD5c5c406dbc57f69005ff8854f28e7bd92
SHA1776bc4f2f64e6767c76ae22eaaa3156e92c8693e
SHA256784a1816912b23c7940873f956fd731a9fcf728709c53bceca0cbeadc0b3bec0
SHA51298dd4d749ec7e58f4eb4947e412e1c3d4d5ca28a98fb51d339a6a957acfe8bcae85cb54ef3627b31a9a95659a79f31637f97a6efd0efc43859caa254d447bc32
-
Filesize
1.9MB
MD5398ab69b1cdc624298fbc00526ea8aca
SHA1b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA5123b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739
-
Filesize
560KB
MD5e6dd149f484e5dd78f545b026f4a1691
SHA13ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA25611243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA5120defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize
1.4MB
MD5b86998919a4e1da5fb28476eae12fa97
SHA1702e008237e7af5035dd6c4d2bfed471638e19ed
SHA2569d28a37835a289dc4327d08651a0cbe33cc319b3600797892d4229762030d783
SHA51218e67397ba6ed962b8fe4011c3822a74ef913b7a3a3c3083b4ca3319183b9f886c699a0027419f0de1c635c2fe3a084f2f6f4c0246369385079a131abe7db9d5
-
Filesize
704KB
MD5029a5147d2f0d080800b095d06298a55
SHA16d53b0c00f128318d23de9db082989e30369baad
SHA256cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c
-
Filesize
384KB
MD5147b6aa5bd0222e5d58af8984b073c56
SHA1399923e38ba252bffbe5c13b39bcbf41798e15f5
SHA2566a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9
SHA512c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70
-
Filesize
2.0MB
MD528b72e7425d6d224c060d3cf439c668c
SHA1a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA5123e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6
-
Filesize
704KB
MD54b0c012a59404fe817f1f6b79b83aa74
SHA1645324aa66bc9b7b7074d6d0be8f917e05e0095e
SHA2569f982dd9649c268011003f805c41db3d2e1df629aefd9c35724626c87bae8f44
SHA5128821467c4fc3768ecc6d86e8e1c8e9261a9b0d3baed0ebe85bb0b36bf884657dbdf5a24b481cfec21408cddcf39db3746248c7edce3627bda07cbf3b44aaf56a
-
Filesize
384KB
MD56e1c3da5e773acb3dfd13e38cd9c1898
SHA1b9fb4c0bef05310d6528a1fb47dd702970302c56
SHA2567d5ba777ef0835d0a7f38587ac7f6ba1a96a1288114f6157b55ede2d35658ff0
SHA512814bfcac9800d5956fe2cd5dcf23f26fb6572386f829c58fd2a3eea3061a37d312e1766568595bf2e3bd33c3fababe220c8eac4d79712d2170cb3c6711e70ad5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
689KB
MD5951ac648539bfaa0f113db5e0406de5b
SHA11b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
192KB
MD59089c5ddf54262d275ab0ea6ceaebcba
SHA14796313ad8d780936e549ea509c1932deb41e02a
SHA25696766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
-