Analysis
- max time kernel: 94s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-02-2024 01:44

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 5cddaacf9782c030db128e3ebfd8f301.exe, Resource: win7-20240221-en)
(The task list captured on this page shows only behavioral1 on the win7 image; the memory-dump rule matches below are labelled behavioral2, which is the windows10-2004_x64 run described by the platform fields above.)
General
- Target: 5cddaacf9782c030db128e3ebfd8f301.exe
- Size: 162KB
- MD5: 5cddaacf9782c030db128e3ebfd8f301
- SHA1: 71bae291b66ecfad6ee79ab150c9b4bdc676f06c
- SHA256: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
- SHA512: bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797
- SSDEEP: 3072:pR3aImWaDnBilDV8X+Ld1VVuLtKsQfk1RoGJS4dNVEv:pIbWaDBilDVNLdJBsQfk77X
Malware Config

Extracted: smokeloader (version 2022)
C2:
- http://selebration17io.io/index.php
- http://vacantion18ffeu.cc/index.php
- http://valarioulinity1.net/index.php
- http://buriatiarutuhuob.net/index.php
- http://cassiosssionunu.me/index.php
- http://sulugilioiu19.net/index.php
- http://goodfooggooftool.net/index.php
- http://kamsmad.com/tmp/index.php
- http://souzhensil.ru/tmp/index.php
- http://teplokub.com.ua/tmp/index.php

Extracted: smokeloader
- pub1 (field label not captured in this extraction)

Extracted: lumma
C2:
- https://resergvearyinitiani.shop/api
- https://technologyenterdo.shop/api
- https://detectordiscusser.shop/api
- https://turkeyunlikelyofw.shop/api
- https://associationokeo.shop/api
Signatures

DcRat (4 IoCs)
DarkCrystal (DC) RAT is a .NET RAT active since June 2019 that can load additional plugins.
Caveat: this signature fires on generic persistence artifacts (a Run key and two schtasks invocations), and each of them belongs to a different chain in this run. The Run key is written by F84C.exe (PID 3232); schtasks PID 1916 is spawned by C:\Windows\rss\csrss.exe under 288c47bbc1871b439df19ff4df68f076.exe, the process the Glupteba memory rule matched; schtasks PID 3900 is spawned by BroomSetup.exe's Task.bat. No DcRat configuration was extracted, so treat the family label as weak and rely on the SmokeLoader, Lumma and Glupteba indicators instead.
Processes: 5cddaacf9782c030db128e3ebfd8f301.exe, F84C.exe, schtasks.exe, schtasks.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5cddaacf9782c030db128e3ebfd8f301.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" (F84C.exe)
- PID 3900 schtasks.exe
- PID 1916 schtasks.exe
Glupteba payload (3 IoCs)
Memory regions matching yara rule family_glupteba (all in PID 3336, 288c47bbc1871b439df19ff4df68f076.exe):
- behavioral2/memory/3336-210-0x0000000002DB0000-0x000000000369B000-memory.dmp
- behavioral2/memory/3336-211-0x0000000000400000-0x0000000000D1C000-memory.dmp
- behavioral2/memory/3336-226-0x0000000000400000-0x0000000000D1C000-memory.dmp
SmokeLoader
Modular backdoor trojan in use since 2014.

Creates new service(s) (1 TTP)

Downloads MZ/PE file

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- PID 1748 netsh.exe

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (375C.exe)

Deletes itself (1 IoC)
Processes:
- PID 3512 (image name not reported)
Executes dropped EXE (18 IoCs)
Processes:
- 2248 EC25.exe
- 924 F84C.exe
- 3232 F84C.exe
- 4028 FACE.exe
- 2868 723.exe
- 3588 723.tmp
- 400 mmediabuilder.exe
- 2068 mmediabuilder.exe
- 5104 375C.exe
- 2020 4901.exe
- 3336 288c47bbc1871b439df19ff4df68f076.exe
- 3228 InstallSetup4.exe
- 2340 FourthX.exe
- 4432 BroomSetup.exe
- 2084 nst5A33.tmp
- 4816 70AE.exe
- 4332 288c47bbc1871b439df19ff4df68f076.exe
- 3128 vueqjgslwynd.exe

Loads dropped DLL (8 IoCs)
Processes:
- 4856 regsvr32.exe
- 3232 F84C.exe
- 3588 723.tmp
- 3228 InstallSetup4.exe (3 loads)
- 2084 nst5A33.tmp (2 loads)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Memory regions matching yara rule upx (signature title not captured on this page), all in PID 3232 (F84C.exe), range 0x0000000000400000-0x0000000000848000:
- behavioral2/memory/3232-36-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-39-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-44-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-47-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-50-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-51-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-131-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-144-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-147-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-194-0x0000000000400000-0x0000000000848000-memory.dmp
- behavioral2/memory/3232-216-0x0000000000400000-0x0000000000848000-memory.dmp

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" (F84C.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- File opened for modification: \??\PHYSICALDRIVE0 (FACE.exe)

Drops file in System32 directory (1 IoC)
Processes:
- File opened for modification: C:\Windows\system32\MRT.exe (FourthX.exe)
Note: MRT.exe is the Windows Malicious Software Removal Tool, and the same FourthX.exe chain later runs wusa /uninstall /kb:890830 (KB890830 is the MSRT update package), so this is tampering with MSRT rather than an incidental file drop.

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 924 F84C.exe set thread context of PID 3232 F84C.exe

Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- 4652 sc.exe
- 4548 sc.exe
- 3212 sc.exe
- 1056 sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
- 4492 WerFault.exe, target PID 2084 nst5A33.tmp

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5cddaacf9782c030db128e3ebfd8f301.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4901.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4901.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4901.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5cddaacf9782c030db128e3ebfd8f301.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5cddaacf9782c030db128e3ebfd8f301.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (nst5A33.tmp)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (nst5A33.tmp)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- 3900 schtasks.exe
- 1916 schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.exe, 288c47bbc1871b439df19ff4df68f076.exe, schtasks.exe

Keys created by powershell.exe under \REGISTRY\USER\.DEFAULT\Software\:
- Policies\Microsoft\SystemCertificates\CA
- Policies\Microsoft\SystemCertificates\CA\CRLs
- Policies\Microsoft\SystemCertificates\trust\CRLs
- Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Microsoft\SystemCertificates\Root\Certificates
- Microsoft\SystemCertificates\trust\Certificates (twice)
- Microsoft\SystemCertificates\trust\CTLs
- Microsoft\SystemCertificates\Disallowed\CRLs
- Microsoft\SystemCertificates\Disallowed\CTLs
Value set by powershell.exe:
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"

Keys created by schtasks.exe under \REGISTRY\USER\.DEFAULT\Software\:
- Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Microsoft\SystemCertificates\Disallowed
- Microsoft\SystemCertificates\Disallowed\Certificates
- Microsoft\SystemCertificates\Disallowed\CTLs

Values set (str) by 288c47bbc1871b439df19ff4df68f076.exe under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll (MUI-cache entries for time-zone display names, the residue of the process resolving time-zone names), listed as resource ID = cached string:
-411 = "E. Africa Daylight Time"; -2341 = "Haiti Daylight Time"; -792 = "SA Western Standard Time"; -401 = "Arabic Daylight Time"; -232 = "Hawaiian Standard Time"; -181 = "Mountain Daylight Time (Mexico)"; -201 = "US Mountain Daylight Time"; -364 = "Middle East Daylight Time"; -962 = "Paraguay Standard Time"; -2841 = "Saratov Daylight Time"; -2752 = "Tomsk Standard Time"; -2392 = "Aleutian Standard Time"; -342 = "Egypt Standard Time"; -212 = "Pacific Standard Time"; -2891 = "Sudan Daylight Time"; -591 = "Malay Peninsula Daylight Time"; -572 = "China Standard Time"; -272 = "Greenwich Standard Time"; -371 = "Jerusalem Daylight Time"; -1911 = "Russia TZ 10 Daylight Time"; -2512 = "Lord Howe Standard Time"; -2872 = "Magallanes Standard Time"; -32 = "Mid-Atlantic Standard Time"; -772 = "Montevideo Standard Time"; -11 = "Azores Daylight Time"; -722 = "Central Pacific Standard Time"; -162 = "Central Standard Time"; -2342 = "Haiti Standard Time"; -2061 = "North Korea Daylight Time"; -561 = "SE Asia Daylight Time"; -2162 = "Altai Standard Time"; -161 = "Central Daylight Time"; -271 = "Greenwich Daylight Time"; -241 = "Samoa Daylight Time"; -332 = "E. Europe Standard Time"; -1502 = "Turkey Standard Time"; -3141 = "South Sudan Daylight Time"; -731 = "Fiji Daylight Time"; -334 = "Jordan Daylight Time"; -621 = "Korea Daylight Time"; -122 = "SA Pacific Standard Time"; -365 = "Middle East Standard Time"; -892 = "Morocco Standard Time"; -242 = "Samoa Standard Time"; -385 = "Namibia Standard Time"; -3142 = "South Sudan Standard Time"; -1042 = "Ulaanbaatar Standard Time"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- 2556 5cddaacf9782c030db128e3ebfd8f301.exe (2 entries)
- 3512 (62 entries; image name not reported)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- 2556 5cddaacf9782c030db128e3ebfd8f301.exe
- 2020 4901.exe

Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes:
- PID 3512 (image name not reported): SeShutdownPrivilege and SeCreatePagefilePrivilege, adjusted in alternation, 34 entries in total
- PID 4972 powershell.exe: SeDebugPrivilege
- PID 1228 powershell.exe: SeDebugPrivilege
- PID 3336 288c47bbc1871b439df19ff4df68f076.exe: SeDebugPrivilege, SeImpersonatePrivilege
- PID 1916 powershell.exe: SeDebugPrivilege (PID 1916 is reused during this run: first schtasks.exe under C:\Windows\rss\csrss.exe, later powershell.exe under vueqjgslwynd.exe)
- PID 312 powershell.exe: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- 3588 723.tmp

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- 4432 BroomSetup.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: regsvr32.exe, F84C.exe, 723.exe, 723.tmp, 375C.exe, InstallSetup4.exe, BroomSetup.exe, cmd.exe
Writer PID (image) -> target PID (image), with the number of recorded writes:
- 3512 (not named) -> 2248 EC25.exe (3)
- 3512 (not named) -> 1116 regsvr32.exe (2)
- 1116 regsvr32.exe -> 4856 regsvr32.exe (3)
- 3512 (not named) -> 924 F84C.exe (3)
- 924 F84C.exe -> 3232 F84C.exe (8)
- 3512 (not named) -> 4028 FACE.exe (3)
- 3512 (not named) -> 2868 723.exe (3)
- 2868 723.exe -> 3588 723.tmp (3)
- 3588 723.tmp -> 400 mmediabuilder.exe (3)
- 3588 723.tmp -> 2068 mmediabuilder.exe (3)
- 3512 (not named) -> 5104 375C.exe (3)
- 3512 (not named) -> 2020 4901.exe (3)
- 5104 375C.exe -> 3336 288c47bbc1871b439df19ff4df68f076.exe (3)
- 5104 375C.exe -> 3228 InstallSetup4.exe (3)
- 5104 375C.exe -> 2340 FourthX.exe (2)
- 3228 InstallSetup4.exe -> 4432 BroomSetup.exe (3)
- 3228 InstallSetup4.exe -> 2084 nst5A33.tmp (3)
- 4432 BroomSetup.exe -> 3208 cmd.exe (3)
- 3208 cmd.exe -> 4452 chcp.com (3)
- 3512 (not named) -> 4816 70AE.exe (3)
- 3208 cmd.exe -> 3900 schtasks.exe (1)
PID 3512, whose image the report never names, is the writer behind every top-level dropped payload (EC25.exe, regsvr32.exe, F84C.exe, FACE.exe, 723.exe, 375C.exe, 4901.exe, 70AE.exe).

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The bracketed number and indentation give the depth in the tree; each entry shows the image path, the command line and the PID, followed by the signatures that hit on it. Dropped payloads at depth 1 were started by PID 3512, whose image the report does not name; see "Suspicious use of WriteProcessMemory".)

[1] PID 2556  C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"
    hits: DcRat; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

[1] PID 2248  C:\Users\Admin\AppData\Local\Temp\EC25.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\EC25.exe
    hits: Executes dropped EXE

[1] PID 1116  C:\Windows\system32\regsvr32.exe
    cmd: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F231.dll
    hits: Suspicious use of WriteProcessMemory
  [2] PID 4856  C:\Windows\SysWOW64\regsvr32.exe
      cmd: /s C:\Users\Admin\AppData\Local\Temp\F231.dll
      hits: Loads dropped DLL

[1] PID 924  C:\Users\Admin\AppData\Local\Temp\F84C.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\F84C.exe
    hits: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  [2] PID 3232  C:\Users\Admin\AppData\Local\Temp\F84C.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\F84C.exe
      hits: DcRat; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application

[1] PID 4028  C:\Users\Admin\AppData\Local\Temp\FACE.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\FACE.exe
    hits: Executes dropped EXE; Writes to the Master Boot Record (MBR)

[1] PID 2868  C:\Users\Admin\AppData\Local\Temp\723.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\723.exe
    hits: Executes dropped EXE; Suspicious use of WriteProcessMemory
  [2] PID 3588  C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp" /SL5="$D002C,2424585,54272,C:\Users\Admin\AppData\Local\Temp\723.exe"
      hits: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    [3] PID 400  C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
        cmd: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i
        hits: Executes dropped EXE
    [3] PID 2068  C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
        cmd: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s
        hits: Executes dropped EXE

[1] PID 5104  C:\Users\Admin\AppData\Local\Temp\375C.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\375C.exe
    hits: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
  [2] PID 3336  C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      hits: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    [3] PID 4972  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -nologo -noprofile
        hits: Suspicious use of AdjustPrivilegeToken
    [3] PID 4332  C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        hits: Executes dropped EXE; Modifies data under HKEY_USERS
      [4] PID 312  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -nologo -noprofile
          hits: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
      [4] PID 2724  C:\Windows\system32\cmd.exe
          cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        [5] PID 1748  C:\Windows\system32\netsh.exe
            cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            hits: Modifies Windows Firewall
      [4] PID 2064  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -nologo -noprofile
      [4] PID 2700  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -nologo -noprofile
      [4] PID 4776  C:\Windows\rss\csrss.exe
          cmd: C:\Windows\rss\csrss.exe
        [5] PID 764  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
        [5] PID 1916  C:\Windows\SYSTEM32\schtasks.exe
            cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            hits: DcRat; Creates scheduled task(s); Modifies data under HKEY_USERS
        [5] PID 4000  C:\Windows\SYSTEM32\schtasks.exe
            cmd: schtasks /delete /tn ScheduledUpdate /f
        [5] PID 4128  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
        [5] PID 2076  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
        [5] PID 5060  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        [5] PID 1980  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
  [2] PID 3228  C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
      hits: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    [3] PID 4432  C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        hits: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      [4] PID 3208  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          hits: Suspicious use of WriteProcessMemory
        [5] PID 4452  C:\Windows\SysWOW64\chcp.com
            cmd: chcp 1251
        [5] PID 3900  C:\Windows\SysWOW64\schtasks.exe
            cmd: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            hits: DcRat; Creates scheduled task(s)
    [3] PID 2084  C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp
        cmd: C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp
        hits: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
      [4] PID 4492  C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1956
          hits: Program crash
  [2] PID 2340  C:\Users\Admin\AppData\Local\Temp\FourthX.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
      hits: Executes dropped EXE; Drops file in System32 directory
    [3] PID 1228  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        hits: Suspicious use of AdjustPrivilegeToken
    [3] PID 4652  C:\Windows\system32\sc.exe
        cmd: C:\Windows\system32\sc.exe delete "UTIXDCVF"
        hits: Launches sc.exe
    [3] PID 4956  C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      [4] PID 4260  C:\Windows\system32\wusa.exe
          cmd: wusa /uninstall /kb:890830 /quiet /norestart
    [3] PID 4548  C:\Windows\system32\sc.exe
        cmd: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
        hits: Launches sc.exe
    [3] PID 3212  C:\Windows\system32\sc.exe
        cmd: C:\Windows\system32\sc.exe start "UTIXDCVF"
        hits: Launches sc.exe
    [3] PID 1056  C:\Windows\system32\sc.exe
        cmd: C:\Windows\system32\sc.exe stop eventlog
        hits: Launches sc.exe

[1] PID 2020  C:\Users\Admin\AppData\Local\Temp\4901.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\4901.exe
    hits: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection

[1] PID 4816  C:\Users\Admin\AppData\Local\Temp\70AE.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\70AE.exe
    hits: Executes dropped EXE

[1] PID 2676  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2084 -ip 2084

[1] PID 3128  C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    cmd: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    hits: Executes dropped EXE
  [2] PID 1916  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      hits: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  [2] PID 2268  C:\Windows\system32\conhost.exe
      cmd: C:\Windows\system32\conhost.exe
  [2] PID 860  C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    [3] PID 3904  C:\Windows\system32\wusa.exe
        cmd: wusa /uninstall /kb:890830 /quiet /norestart
  [2] PID 232  C:\Windows\explorer.exe
      cmd: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads

Filesize: 11KB
MD5: a33e5b189842c5867f46566bdbf7a095
SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 2.5MB
MD5: b03886cb64c04b828b6ec1b2487df4a4
SHA1: a7b9a99950429611931664950932f0e5525294a4
SHA256: 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512: 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

Filesize: 2.1MB
MD5: e713ed39b5c4f067e930465a158dcfd3
SHA1: 510398056d90d6b733dd0e056aa7115cc111dce6
SHA256: 40dced9e1673384b696dce58e7fd6d6590fc62001613002c72c4b6023f91dc48
SHA512: 2052796f2601ee5e0316e43b5175e853032857746d9acc25b035a2b9110155b520a96632238122377074de1cdc2c8030e3cf10b824ef716a3077448e3b30b6f8

Filesize: 2.3MB
MD5: dcc3d7bf1945b58e383069eba844c716
SHA1: 9cdcf351b845556ca7774bd337e5c6a4fc7a8545
SHA256: 1dbfd3ef0ee9e44fe875ca6d60a144d5cf03dbf5d8c16083859714e9873fa923
SHA512: 91e8cc2bda8d12cc8e24ad664129cbc65d54276b63e2cb3a36e876d6d23fc5f430366858ab8cb4bff4263ecab898a9be8a1d24defff5b88bc2e4b93b1fb3db0c

Filesize: 1024KB
MD5: cf8e6bca18a3374728f4464239d6ca47
SHA1: 071cb85b0144aae1e90351e99e8f39705dbb70de
SHA256: 6f0ed636782772442e54a381d39d9d24bef456ed84c353a53b42c49be6280075
SHA512: 9ee8e5bc13ee97acf7e1c0fbe00c96740dda34bd67043bac432788d3a5a9238d18e6c4a64372b6f13cb787be29c0ea74006a8ead2cd31f9df77f7b0ed19f69c1

Filesize: 3.2MB
MD5: f6bf5c21a8247203eb4280e83fba6664
SHA1: e7558d48e41f127dd779c35a7eb1613c74761249
SHA256: 0774c2e1349c193926417a5f1783ed1961111ab1d30d2383fca93e6525262a6f
SHA512: 60da2899d4fbc8910a69eb3daad48f96bdd769178ccba6c55e640989514943897a2f9f6a355ed97cb16bacdcceb57eaa7eedacd6901242887c045ae4593f0817

Filesize: 1.1MB
MD5: 76b128828f81877a5adfad5eb220a4fd
SHA1: ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4
SHA256: 1ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5
SHA512: 6a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746

Filesize: 1.6MB
MD5: 59782185bcf5b215e0db15afa0002e06
SHA1: 8a4e122681e234f1b39647eb6c0cde54d177fe9e
SHA256: ff6eec4eee9143ac8234e33d2753a15f00a209cd08ac609e36ad58aa5e60304c
SHA512: 36bd597ab3c08fb5ce6803ace74951bf5b208125fc15087fd0ffbb0c439b4ffa334b1f527c277eaf8169e6d4b11b4d9ec8cc0c8776ecc3c1938044dc6fe05ec9

Filesize: 2.5MB
MD5: c7fe878e6fc3be20c84b5e85b97efe17
SHA1: 51ebfabdef927465e68c5843ae4f2a930b82a24b
SHA256: a4a662c0c92c27d74fc00f6f5e24b1b4116da7d582607161f0570cdfcc0a6040
SHA512: 24f2fd40425ce1a1585157255b0dbb856635fa2fb08f00419693ebf8e0c774d47890aad7b69adee08b315607b0bc68375421737f4785b577110894028a013289

Filesize: 7.5MB
MD5: 9a8ced484319575a23b23e72ef064368
SHA1: 630123e785da8b196387dd67444bb2153f71c054
SHA256: 2fdc3d510975484e43a2e755f922423b99eb6bcaf387490364fa3cecdb4da8cf
SHA512: 0500b0cdb012d01e23fbefe2ed2b2c80644d496565ef608fe518b82f65aeb4461f9ad8f4d558b8f3913c739d8fa068e64b35a0dab0871855eb33b50696184336

Filesize: 8.6MB
MD5: b5c2ec343dc281502edf2acb8cd6c48f
SHA1: 6f9eaad5ce27c14f89a6cbf0ba7e7df200e1c5a1
SHA256: 1fe33d26d59f5f45c4b818ad7fe23edb58959e5798c7a4403b7acb9aca1849b1
SHA512: 9a1f6a2609b0def69d8cf3138731e0a92313fee71c931af0597875b2d75a00c959ece348aa8e674e4ac2e0b3e9909deee5c8b10f70d08e19eb8a87bc4e680ec2

Filesize: 163KB
MD5: 0ca68f13f3db569984dbcc9c0be6144a
SHA1: 8c53b9026e3c34bcf20f35af15fc6545cb337936
SHA256: 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA512: 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d

Filesize: 2.6MB
MD5: adb29a2b3d4aae105be1eca35da10afc
SHA1: 8496caa674d5bd59c37340e949871e6a33a6a6a9
SHA256: 9bc8d90c27922ab30615548b2e41d62f15ab2749290713bb3714b53ae21ab4b7
SHA512: 7dba52ac5bdbaa9dafd8a98503e60636ab8db09ae99faa725b768c739147ca5dd42a6b78c3879b70af9ce7093ac8f1e23d706df7f53e2d64f66de5d13e958df9

Filesize: 3.3MB
MD5: c872c92977f6a8428d1f1bc05244f4a3
SHA1: aa1a48a997997717b66b4cc4621ff14d65d14afe
SHA256: fae2fe308dee13de2c7a2be3dfac523a3ea62701a68eeea7fa34db79f02da1ea
SHA512: 0d860841f0fd145c628e7d9f36c59b555f6bfdd4f8768769b74d3c6f67a0d87dcc08c442a3d3891c9831c2f08d40e98413e54c3362a9d842c0776b67e0009963

Filesize: 1.6MB
MD5: b10895f77c325310116cfc47095d9252
SHA1: 4c1ae27fef692ec05ff826aa7eaab519ae5a8e06
SHA256: 851657de20aed9fdce10b608dce83523d137771c2e1e9582f8d9eecff5a14453
SHA512: d21cca7801fcf891e88b39378a7f06179577b218f5660f4cc049b16f03f7bf8f910370734af7b005cf17bc5769fb6aef868e6659a1a648cf374c70d4aa9a7910

Filesize: 640KB
MD5: 3b8ff5ba60fc77e4bce540bd0f9c09fd
SHA1: d9b48cf74f8261a3c98d712a485a09547e01d4de
SHA256: e08ba45aa1191f8c5e85a1d0d8ae916326d435f6b9859bc6d23c0672daee0c96
SHA512: c491be1946726fe31017080388095e28f141b86f56cf6276882105de491376612f7a928fc59de8661741413e4276ffd827e4142cf7945466ed40da10a6cbf68a

Filesize: 768KB
MD5: a7626d4194736b5c284a09feca2711c1
SHA1: 121f234a4e436a98036b99ebb5d9dbf0dc659b54
SHA256: 4550b7b36c6f67222e23fc7bae32689660712e4fc0d2c11515582c89d7429c55
SHA512: a74eb41cf0a3a4f36cd86f680e6d03ee2c0c6bbce4841f3acab200e4a13990fce43a7dd17d67eb4119706f1e7b499ddadd079558069c945e713edaf13371e78d

Filesize: 320KB
MD5: 301cf70eae176450f29acd86816c0dc5
SHA1: 4dc0ce8c900485ac74978186a330b0e2db46c045
SHA256: 6447eb57931dd8620bb82793b26a70a7e1c6873378a17ec4cf050782f5896308
SHA512: 7686814c133c0bf1a953b98e04073932031f8ca8fc5e57a8e661db01aea803ead1abd5554b39bd5643f0aa28e6561622c50c10141179de16f4310c0fb48fd593

Filesize: 2.3MB
MD5: 70b05ac593ba4afd847436f2dbd542a3
SHA1: d8adc1ea4f762639a79f2f2ce2f3dece4a067e27
SHA256: dd24bebe073f6d912f3661a5944814beb824e7a655fecccb2245d768eda51a5a
SHA512: 829eb47e34d72785857b964357edfcfd2e7121ed6292fed5f490a11bc8c3990902b960c7f8a4597c26b1a909befaf5cf3133f274540842d6e8b0d0c9e8fe03b7

Filesize: 5.0MB
MD5: 0904e849f8483792ef67991619ece915
SHA1: 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256: fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512: 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

Filesize: 2.0MB
MD5: 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1: 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256: b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512: a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

Filesize: 576KB
MD5: e736096289f39c401f8bad036cddc001
SHA1: 638ca4b629841616f5236ad883adcb0090762199
SHA256: 32e27f69b28765479817e017f44c36370942cf33ea4c15658c61d7032a5cbdf0
SHA512: 8a46d566078d35dbd3e162369ae1a412cddcca23aa128d493eb9ad67fa80edbdb9fc1b4c2826e3b040bf571e29e59426cb740eb1a6b90a8f51c2f93fa59ce1c8

Filesize: 256KB
MD5: aa4d2da41beb1cff9d5e8976a6614c9b
SHA1: 55220085d0eadc5801f11d13a42407abb18164ec
SHA256: 070358003d65fc59726a1c10c5f12ace47a20891037abc050e63a746b61a86f7
SHA512: 28d1884ae99281e8dd87d19b3a321741a8473c069531a5afdce52dc0dbd010e0af8cdb1b29d8af601b2eabb00be7a622aa35a385d5d711951a3ed35dea4d445f

Filesize: 512KB
MD5: 1c93c2b85b451a03a59ca245c05132ec
SHA1: 29e57d8e86d197c7c64ce59fb49720b1d80aaf07
SHA256: 490dbdbe3216e59c76a1753bf19c8f6d530dfe6d20aa83015ba0e79392ec34c5
SHA512: c003a51ebc4fc95085be8a504ba9a10e5c7e67b4bffd6f1092e1ea74b5d31b0dd4e127121746679112c5edcb2a424e904d5a8fe8546f80143a5363d51f674477

Filesize: 1.3MB
MD5: 6e92468a589a118a0e52a69838812d5a
SHA1: f7600765aaf24de6261aceabb2823992d5b7d11a
SHA256: 89de3a6e7282355c370058f7b4fe364ec79205602c38013dc5f23196cf7a1f2a
SHA512: f212a536db73fb5a9798cbd472913ca8dfcad06c724b19930098ec3868ca41f2bb825d9824f6f0aaace763f57c589768206f6565461f79d97ae93591f96fd570

Filesize: 560KB
MD5: e6dd149f484e5dd78f545b026f4a1691
SHA1: 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256: 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512: 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

Filesize: 320KB
MD5: 9e3c0fbd879284ddc1a24e3ae2310922
SHA1: ec7dc55591baa85b28453ddfbebc7e5b5bffe02c
SHA256: 4c3812e784e2b73faa15262bd1126be8479fb3246f5f18bd519c71e70b59594d
SHA512: 1d82ec2ea8538aad5d74b31053860634825f3b62c0e8dce40d3576791cdef71967eb42792af18e8d088e85ca705365fefa8e635e2e0f6d4b1b0b2a2bab6fa21f

Filesize: 1.4MB
MD5: 2fe9860d62aeebd600e504a6b6c7a9d2
SHA1: edaa583ccc78d914c79389e69d24ce7264a813ef
SHA256: 1a75104e58525eed39afac6c3de839e436f7e5212390c4b50c8d308c4d0090c7
SHA512: 5429b0f28ed8745eae7d6f2c517ec6c7fc53a48c04c420fb7fb46363d1a98cb239125cf356a8167f23c55a66bd4f3b2872e6e7d10274531179d91544e7cbef57

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 1.2MB
MD5: 43706993cce342c8b85b1b175f941c96
SHA1: d10587600a64da3210a83da771bd7b64d5b81e1f
SHA256: bd7e266eea9db4686f795a0c2ae61684537ee997cdda24b9935e7c7af12d785c
SHA512: 2180ff0458f547c3abb14e0089e7ab2f71d23ec4fe88d6a3596a76839d11dc180022520c0e61dff8b24c3e98dcf082df59279904b02ba3459b1e0298a10ea91d

Filesize: 448KB
MD5: 7c09db9c2dacb9e2f18b225f9f204f7a
SHA1: 8b2e2227f02371994fb1a5d3839568a713fa7600
SHA256: 2f0d802802e13e5208a8adf47fb03f66e2ba0625396220a2f6af920bd0fc6674
SHA512: ee6eb0cc2ccc30ebcb3a7b70e2bdbbbbaf17d8745576cc1eb5d80744118ac484e42eb202ff4b8c8a59aa380e95b2d5b09d1754d26c3d72bfb0c6f8ef4f85830b

Filesize: 640KB
MD5: b17be9c9cd31a7c69c5dccc4222f3241
SHA1: 0c4f24a70c3f555d8ebee3397a850a08f68051d1
SHA256: 45c0c53b6d1c5d7694e381ae14a6cd19e44d54dddb7c4aac00fe5fba9483b9ea
SHA512: ff0884a00096e018008b5b50876ef6345959eaea8f5a0945a748070df87824ffb47566c50fc1474bf7f988801ffbc8a5c04e273483ee93615de027890efc3787

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Filesize: 64KB
MD5: a0ab2251d3ceb1349776ff3642e807bb
SHA1: 3a3c78a26b87b9cfc0b9605e94e03eccb288426d
SHA256: 5b1fffd5f6d7e45458ced266a096de2d1b9af84f71c0bc97b0d2b64a317ae391
SHA512: bb11a89847dc5e9c874453df71dfc8089bbe46c2f7b5079543eb0a686fd4c3dcf468a0aba4f156d6fe193d15552a55b9d1cba58fa82cb59e863c4cda82159ea2

Filesize: 689KB
MD5: 951ac648539bfaa0f113db5e0406de5b
SHA1: 1b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256: bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512: 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 25KB
MD5: 40d7eca32b2f4d29db98715dd45bfac5
SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Filesize: 192KB
MD5: 9089c5ddf54262d275ab0ea6ceaebcba
SHA1: 4796313ad8d780936e549ea509c1932deb41e02a
SHA256: 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512: ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c

Filesize: 128KB
MD5: 0ab522cd9cc4a004d8b7b21445b58132
SHA1: 62da3b22a7ef628712fc771cd10fac96bafb558f
SHA256: 4e6080d8571cd53972a0dfa4f383d61ee95efef520988cf50a17bd569beb6486
SHA512: 7cc4575c6746eaa92ab837c38203deed2c4beaff6aae6bd60e68edd0a197091695be68f968289db6892f3a96425c334771673daa08c3d8a51be8deb56e75dfc9

Filesize: 128B
MD5: 11bb3db51f701d4e42d3287f71a6a43e
SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: c0c8ca691935cdf1a3e382fbdb197cc2
SHA1: cf359727fa7d7e043d4d5edd2a7701ac16e270e1
SHA256: 0d6cedfae688b28f3ec53550d549465be5cf6b9e32d56e7004917d55a0f7615d
SHA512: 60814fe27a14fab13468b923bfd087c3fc7a89169f33a37f005aed977cf12540c7c51f0751e87be3f63af478d3581e3c9cb9a7c2d108e5be9b2b02a88d980530

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 7363ded56cc8c4fdc26e986428b3ff57
SHA1: 2bc1cc5db0bc6bfbe19442c4c91acc2ef911e1df
SHA256: ca8b78e8498dc6ae407a438e68c64d62b4f88d9b1765a20100b6738fe47a93d6
SHA512: e8b98a74b07846091e9e3a6bf58673733b6c4c0567f37b10df5590ac919fd216fc16af757d2d61cda33b27314f712a7beee19437c577e494d24c812c00e882e8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: a1a6e00ad86306a7e3cf5dfbdc85d668
SHA1: 648262ea8c7f0e0776f4148f52c2e08e5be62702
SHA256: 906e75e19d56b8ad5e81772fb789ffb2d39dee2cea68870bb2fc60e061d2ac0c
SHA512: c6b77c9499fdefdd132e8b25e4fdefed55a3b5509fa6f7b819a01eafb568b2da26cc5f1b654946be0b5507436dacae3e4e1fc0ed65c8721458a398d60a1b3622

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 9a1fb9e61d5edea2f4624ac4dbc7fdb1
SHA1: 881abd49ef4742faf67bc0ebda2114afe8754975
SHA256: b402713d34ead6b4cf6fc538478138de5432c79cabbda2fd60fb1d476755e046
SHA512: 721ed59f6b2210bb2e1e9d4dc2b3019761442e36d70ef1be4a5eefabe568274c29180f9db8d03255b2b6a67122989b84058ac92f7b6e71077dd6308f643bb8b0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 64fed1db05d52eac09cd954ce44867b9
SHA1: 65f2e6e551d50e512160945d13df310f0e692952
SHA256: 8ffb678a94cad10d604ed312fc31a02fae298e900c0a629f7e58b1ee4d56d33d
SHA512: 1a0c0bab11e93f7dbf0a66c9ead6b55b2304caba0407d7d8f9fcee227405c0f3e87efcda155033a117967cbab475ab7bdfebfa7565db1db3be88ad44ce9bd9c5

Filesize: 4.1MB
MD5: d122f827c4fc73f9a06d7f6f2d08cd95
SHA1: cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256: b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512: 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986