Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27-02-2024 05:35
Static task
static1
Behavioral task
behavioral1
Sample
bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
Resource
win10v2004-20240226-en
General
-
Target
bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
-
Size
163KB
-
MD5
6e1183fe6e9e67f10a9c88f1f744d6e0
-
SHA1
a44aa17fd0c4615eadf796a374ca6cc291736c2e
-
SHA256
bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11
-
SHA512
5705a4c6b7c975254691b2871296f0d9cfd44d870d548dfd483df95494890b1110073fc944aca31e82ab9bde3d81c65fad5baa67a5be8e8c83a94d4e00576430
-
SSDEEP
3072:Ai3vfdGdDEaNfQqBJ/dZSURGhL/2UeD8XXRlR:AslGdQaV5f/6FI8Rf
Malware Config
Extracted
smokeloader
2022
Extracted
smokeloader
pub1
Extracted
lumma
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | EFB1.exe
pid | process
4396 | schtasks.exe
976 | schtasks.exe
-
Glupteba payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2388-230-0x0000000002D50000-0x000000000363B000-memory.dmp | family_glupteba
behavioral2/memory/2388-231-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4232-366-0x0000000000400000-0x0000000001A2A000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4232-366-0x0000000000400000-0x0000000001A2A000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
-
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3816-53-0x0000000000400000-0x0000000002D8C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3816-134-0x0000000000400000-0x0000000002D8C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
-
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2388-231-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4232-366-0x0000000000400000-0x0000000001A2A000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables Discord URL observed in first stage droppers 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2388-231-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
-
Detects executables containing URLs to raw contents of a Github gist 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2388-231-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
-
Detects executables containing artifacts associated with disabling Windows Defender 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2388-231-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
-
Detects executables packed with VMProtect. 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3640-117-0x0000000000400000-0x00000000006E8000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3640-115-0x0000000000400000-0x00000000006E8000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3640-111-0x0000000000400000-0x00000000006E8000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3296-121-0x0000000000400000-0x00000000006E8000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3296-141-0x0000000000400000-0x00000000006E8000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3296-223-0x0000000000400000-0x00000000006E8000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/3296-303-0x0000000000400000-0x00000000006E8000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
-
Detects executables referencing many varying, potentially fake Windows User-Agents 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2388-231-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
-
UPX dump on OEP (original entry point) 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4564-37-0x0000000000400000-0x0000000000848000-memory.dmp | UPX
behavioral2/memory/4564-40-0x0000000000400000-0x0000000000848000-memory.dmp | UPX
behavioral2/memory/4564-41-0x0000000000400000-0x0000000000848000-memory.dmp | UPX
behavioral2/memory/4564-44-0x0000000000400000-0x0000000000848000-memory.dmp | UPX
behavioral2/memory/4564-49-0x0000000000400000-0x0000000000848000-memory.dmp | UPX
behavioral2/memory/4564-52-0x0000000000400000-0x0000000000848000-memory.dmp | UPX
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | process
4880 | netsh.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 3364.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
3464 | (process name not recorded)
-
Executes dropped EXE 17 IoCs
Processes:
pid | process
1116 | E251.exe
2660 | EFB1.exe
4564 | EFB1.exe
3816 | F2A0.exe
2704 | FDCD.exe
616 | FDCD.tmp
3640 | cddvdspeed.exe
3296 | cddvdspeed.exe
3552 | 3364.exe
3720 | 3EB0.exe
2388 | 288c47bbc1871b439df19ff4df68f076.exe
336 | InstallSetup4.exe
2512 | FourthX.exe
1908 | BroomSetup.exe
4232 | nsr54B5.tmp
3704 | 6E4C.exe
764 | 288c47bbc1871b439df19ff4df68f076.exe
-
Loads dropped DLL 10 IoCs
Processes:
pid | process
3116 | regsvr32.exe
616 | FDCD.tmp
616 | FDCD.tmp
616 | FDCD.tmp
4564 | EFB1.exe
336 | InstallSetup4.exe
336 | InstallSetup4.exe
4232 | nsr54B5.tmp
4232 | nsr54B5.tmp
336 | InstallSetup4.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral2/memory/4564-37-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/4564-40-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/4564-41-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/4564-44-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/4564-49-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/4564-52-0x0000000000400000-0x0000000000848000-memory.dmp | upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | EFB1.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | F2A0.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\MRT.exe | FourthX.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2660 set thread context of 4564 | 2660 | EFB1.exe | EFB1.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
2248 | sc.exe
1936 | sc.exe
2872 | sc.exe
4604 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
3248 | 4232 | WerFault.exe | nsr54B5.tmp
1580 | 764 | WerFault.exe | 288c47bbc1871b439df19ff4df68f076.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3EB0.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3EB0.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3EB0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsr54B5.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsr54B5.tmp
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4396 | schtasks.exe
976 | schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
808 | bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe (2 entries)
3464 | (process name not recorded; 62 entries)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
808 | bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
3720 | 3EB0.exe
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3464 | (process name not recorded; 17 entries, alternating with the next row)
Token: SeCreatePagefilePrivilege | 3464 | (process name not recorded; 17 entries)
Token: SeDebugPrivilege | 1216 | powershell.exe
Token: SeDebugPrivilege | 2388 | 288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege | 2388 | 288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege | 2408 | powershell.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
616 | FDCD.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1908 | BroomSetup.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid -> target pid | source process | target process | entries
3464 -> 1116 | (not recorded) | E251.exe | 3
3464 -> 2960 | (not recorded) | regsvr32.exe | 2
2960 -> 3116 | regsvr32.exe | regsvr32.exe | 3
3464 -> 2660 | (not recorded) | EFB1.exe | 3
2660 -> 4564 | EFB1.exe | EFB1.exe | 8
3464 -> 3816 | (not recorded) | F2A0.exe | 3
3464 -> 2704 | (not recorded) | FDCD.exe | 3
2704 -> 616 | FDCD.exe | FDCD.tmp | 3
616 -> 3640 | FDCD.tmp | cddvdspeed.exe | 3
616 -> 3296 | FDCD.tmp | cddvdspeed.exe | 3
3464 -> 3552 | (not recorded) | 3364.exe | 3
3464 -> 3720 | (not recorded) | 3EB0.exe | 3
3552 -> 2388 | 3364.exe | 288c47bbc1871b439df19ff4df68f076.exe | 3
3552 -> 336 | 3364.exe | InstallSetup4.exe | 3
3552 -> 2512 | 3364.exe | FourthX.exe | 2
336 -> 1908 | InstallSetup4.exe | BroomSetup.exe | 3
336 -> 4232 | InstallSetup4.exe | nsr54B5.tmp | 3
1908 -> 4292 | BroomSetup.exe | cmd.exe | 3
4292 -> 2496 | cmd.exe | chcp.com | 3
4292 -> 4396 | cmd.exe | schtasks.exe | 3
3464 -> 3704 | (not recorded) | 6E4C.exe | 1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe"
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:808

C:\Users\Admin\AppData\Local\Temp\E251.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E251.exe
  - Executes dropped EXE
  PID:1116

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E938.dll
  - Suspicious use of WriteProcessMemory
  PID:2960
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\E938.dll
      - Loads dropped DLL
      PID:3116

C:\Users\Admin\AppData\Local\Temp\EFB1.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\EFB1.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2660
    C:\Users\Admin\AppData\Local\Temp\EFB1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\EFB1.exe
      - DcRat
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      PID:4564

C:\Users\Admin\AppData\Local\Temp\F2A0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F2A0.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:3816

C:\Users\Admin\AppData\Local\Temp\FDCD.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\FDCD.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2704
    C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp" /SL5="$6011A,2349102,54272,C:\Users\Admin\AppData\Local\Temp\FDCD.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID:616
        C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
          Command line: "C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i
          - Executes dropped EXE
          PID:3640
        C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
          Command line: "C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s
          - Executes dropped EXE
          PID:3296

C:\Users\Admin\AppData\Local\Temp\3364.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3364.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3552
    C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2388
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Suspicious use of AdjustPrivilegeToken
          PID:1216
        C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID:764
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -nologo -noprofile
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken
              PID:2580
            C:\Windows\system32\cmd.exe
              Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              PID:632
                C:\Windows\system32\netsh.exe
                  Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  - Modifies Windows Firewall
                  PID:4880
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -nologo -noprofile
              PID:1432
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -nologo -noprofile
              PID:4500
            C:\Windows\rss\csrss.exe
              Command line: C:\Windows\rss\csrss.exe
              PID:3332
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -nologo -noprofile
                  PID:1540
                C:\Windows\SYSTEM32\schtasks.exe
                  Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  - DcRat
                  - Creates scheduled task(s)
                  PID:976
                C:\Windows\SYSTEM32\schtasks.exe
                  Command line: schtasks /delete /tn ScheduledUpdate /f
                  PID:4836
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -nologo -noprofile
                  PID:4392
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:4340
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 7124⤵
- Program crash
PID:1580
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:2496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- DcRat
- Creates scheduled task(s)
PID:4396
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmpC:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4232 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 23804⤵
- Program crash
PID:3248
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2776
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:408
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:2872
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:4604
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:2248
-
-
-
C:\Users\Admin\AppData\Local\Temp\3EB0.exeC:\Users\Admin\AppData\Local\Temp\3EB0.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3720
-
C:\Users\Admin\AppData\Local\Temp\6E4C.exeC:\Users\Admin\AppData\Local\Temp\6E4C.exe1⤵
- Executes dropped EXE
PID:3704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4232 -ip 42321⤵PID:672
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵PID:3704
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵PID:3228
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:1604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:2720
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:4792
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:4572
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 764 -ip 7641⤵PID:3412
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)

Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
- Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

- Filesize: 192KB
  MD5: 3034aefffccf930e8cb12578cbd21d63
  SHA1: 59005a981ad09abf45a6b0445d1cf6bd3d68b07d
  SHA256: e479913f262e8f78c3cc2d681fc5572ec618e864c1c12859c5b481dd4c8600c9
  SHA512: 97dbac6b284851241e0b12f502b4c7b164b91cc2485cb51549d2d7022cc4c9079bcac6452568d5c70e1bfe5ac650558c49231308e74209b443673778d756458d

- Filesize: 64KB
  MD5: fef383de063d9a06313fef7706559216
  SHA1: ae4bc1e98fd31ef81be55445e68fadb1e12b9d2e
  SHA256: a07223dcca324c67db2503a62e049839577f5bdacf3ded6bd2454aafbb7fe649
  SHA512: f3c3816940245957764a17f708cef9822188669407dfee4faf967fa6831391d2c3a5041054b6238c986c802b391c45089502598d46d558988c16f4c0f271107f

- Filesize: 1.4MB
  MD5: c41847dcc72b803b411a5d522123af22
  SHA1: c535fdc369c3ce40b2cd01ea73f935fbc30f6471
  SHA256: ab5b64fc346d6aff16d4ed1889247068f99729361511f1e9ff4fa91422219b16
  SHA512: 8757a7d965a2f25356e46668d7c4e9dce0ee3603219f886152d00adcbd9821864c1eece49b3d85f88bfed82d56774f79cecbf7a3cda7218f87a510620510d3a2

- Filesize: 2.5MB
  MD5: b03886cb64c04b828b6ec1b2487df4a4
  SHA1: a7b9a99950429611931664950932f0e5525294a4
  SHA256: 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
  SHA512: 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

- Filesize: 1.3MB
  MD5: 698461fb8169c7e28e7613f6aa808925
  SHA1: 49fa69af0d950224e5781d8a5ef7ef963980abc4
  SHA256: 3343d7eb38cc6bab11cfcc998128b9bbd14429c4537ecc24e05cc9d2ce2e4f56
  SHA512: f086072268de5a320be7d28cd21794e23c09dc6601597cbe387b4a0c2df36b35c8b8f97fdd0155fd1305487ba8e4af4edf53c6b3e8a1631f5549a93c3a7954e9

- Filesize: 1.4MB
  MD5: f70575e7d334992b81561ac39d07b0db
  SHA1: 81bc6baf4356129956dda1faedcadf64d42ce2a4
  SHA256: 594e2b1e876c4032c9ccff06000b297c1c823744b82207a7453bc03b8d4fc6a6
  SHA512: de21b59057b1a5c0166b7d65eb39b91973317c84f3c48542ef312d2106cbf524e18ace007c85438819b2ffa36037e971d78203c278bcccc2a9fca3fa3b6c4e31

- Filesize: 320KB
  MD5: fc9adc3be6d2f7b25cca4796edd030b6
  SHA1: f3fcf562fc81b282f9c57eba3d8a0bbb78eb4a42
  SHA256: 880d80e81efe9cc4486e5ca44be1ffc1dfda08b15811700c482c47aa83e1887f
  SHA512: c20f4949b1a0227d694ed632fb7e339e407e1a2ccb78919c154d04ed35ea6630d897ec8966d5653f942612a452c87eb23eb15f23cac4b817b76b2a25e4ce71bd

- Filesize: 1.1MB
  MD5: 76b128828f81877a5adfad5eb220a4fd
  SHA1: ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4
  SHA256: 1ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5
  SHA512: 6a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746

- Filesize: 2.1MB
  MD5: d847dbfee9bfc8426168aad888ede9bd
  SHA1: f8b60258c711d19ea1d5413a3aee21262d8b8db7
  SHA256: fbdbcee82d428a818977ef77349eb7ebcb45b205751547ba4c6df3d0e8bffc07
  SHA512: 4c4f542caa52c03f319698aeb7e05d29c1d13a8a0fed7fbde00ecfd5bf6a033c2be8d6b517f59a46ea66cb182995c6bece0e1ee002b3724e40f5286b700ee9a1

- Filesize: 64KB
  MD5: fc38310973cf92ef5d0eaf23758c5420
  SHA1: f67e38d66151d77eb528dd37e9c492dfeb913011
  SHA256: b2ae25d2170d4ddc0ca6f24766a5a11a82d92c48b33e3f7ddc39f5252cf7f73b
  SHA512: a041e229870805a1128582fd32fa83b1fccb8c750535ff29a903a1adf8962a412b0719f260033d9bf5b9e9c389a28b148837687441919f226b324ff69d98c77a

- Filesize: 4.1MB
  MD5: d122f827c4fc73f9a06d7f6f2d08cd95
  SHA1: cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
  SHA256: b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
  SHA512: 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

- Filesize: 4.9MB
  MD5: da89c3cbe8d74701840af90ca40c4830
  SHA1: 71b49ccad555b981b3e38dd5d0f6e8b77fd5f5c0
  SHA256: 34229e674b42cb380b109cd98a152e283aa0ce7d05e36f35f80253ffa0aedf6d
  SHA512: 0bcd4bd85fdd582f18272909c0831a46ed4a9d175bd5f64da9a6ec386626427a07c1eac2a4c69baf24ecb670418f7029807c60f1a1587a3242f57d9ad22d7d4e

- Filesize: 6.0MB
  MD5: 7f34877b284236a571c85a777d05128c
  SHA1: 5cfb8628ad088c6379c870a42a09d4caedb9fdcf
  SHA256: abc759fb57214026dcf429413f54b13e76a7bcf06e0d0c8f10a03a8372175d3c
  SHA512: bd7278f820e8d83c734b4b0c537591ebfda734ef5cc7b0c0dafd22de0e88054b09d157c3d56b2c12fcac80dbd14689a0398364b67fb3075d2fa118c94cd74d53

- Filesize: 245KB
  MD5: fbc2d00d3becdb29396535bc33ec9f1e
  SHA1: cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
  SHA256: adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
  SHA512: 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa

- Filesize: 2.6MB
  MD5: b0ca41b249e5621a4033dc3c024af9f0
  SHA1: de5ffceae5a0aee20d080096792eac80d1866e1c
  SHA256: 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff
  SHA512: 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87

- Filesize: 6.3MB
  MD5: f14064f9e30af9d49cdfba1004219432
  SHA1: 97a4b8e91e0b49d45dfa19031ef7fbd9ad0740b5
  SHA256: 117d1a10799ff42a8f0eea79a152aefc25abc7cf7c984cb30b88ff6e4bb51658
  SHA512: 21408bcadd833800a0217fa43d934b0d55081bfe43ce724f30b4785c679248fdd0ab423e87ec52f6a2586dac68f75d1090d5d328318dd4fdfa612881dd7ed3a7

- Filesize: 6.2MB
  MD5: 98032e01a07b787b4416121c3fdf3ae5
  SHA1: 65c8dc24c8b5d416c1e51105e190c440762069f3
  SHA256: 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
  SHA512: 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb

- Filesize: 1024KB
  MD5: 2ca32a64d491385b9191b77cd9e1245e
  SHA1: 3689280aeae1870caec7d5a32c5b0ae6be4f310a
  SHA256: eee6f86fc319c64e0ea3af8103d282a73fb604af3b1516b1ebc4141cd3039fae
  SHA512: a004e023c9103608b17d2c9454dd6bc328b3d15a1c86effdfc04eb18d739453f77627b950ebf3be18ae9498ca7029985e60be294398884d153e50a233d9b455f

- Filesize: 5.0MB
  MD5: 0904e849f8483792ef67991619ece915
  SHA1: 58d04535efa58effb3c5ed53a2462aa96d676b79
  SHA256: fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
  SHA512: 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

- Filesize: 960KB
  MD5: febff8f232378a41c400e715db46372c
  SHA1: 977af19ec31d3bbea1b9d7a8e1c93e95f2ef3b62
  SHA256: ff746003d36aba2a14e761394a46993ac925a6faac05ed854ec428b87d088178
  SHA512: 59bea6564e50197cdae98adb278a4d6af3aa3bd49a5e660bdc480ceb0ac603ff26b981341b10f1a97bba834712e53388db86fd91e7e8e33735bd0b78964ff36f

- Filesize: 2.0MB
  MD5: 7aecbe510817ee9636a5bcbff0ee5fdd
  SHA1: 6a3f27f7789ccf1b19c948774d84c865a9ac6825
  SHA256: b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
  SHA512: a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

- Filesize: 768KB
  MD5: 58a1c371b6dedfc6c718c0bd415f7aaf
  SHA1: 06f273f7cb141b3d091e86a6bff8d813f4db30a1
  SHA256: e1520b464963f32466d07a3cefee4e8f612b3b6d94e1fed6cf4f3056a624ac3f
  SHA512: dda61f8a0b4c684e125deba4f9b47ca4ef7f2120935adbb57302e328623117650875f8c072d21a272386d5aa5cf1f8c69d7819b52db4023198348e8aded5bbde

- Filesize: 1.2MB
  MD5: 247c285162337aeaf1c8379228ae9114
  SHA1: a62bdae9957a18336b87796bc4d4e3c727b02b78
  SHA256: 9be168947aaec1c15d94192efae0f4cdad7999672797bf2039b7e6135f32b1bd
  SHA512: 36f3bb027747f68b3005a91fdc95af325bece872326759d350692581424bdb368ab7d8e69f2ed3fe10ff3a1e522e6c042f9e41c414db5a7606d1af81b6ab3f6e

- Filesize: 1.1MB
  MD5: b36162057140c2b4b0f863fc05179286
  SHA1: a8391f0aa1c57af300bf6f7aab321587bb18bf09
  SHA256: 5193bc8abdf519b4a1a5d4e743d761388596a31382fa9918ca623d889b6232e9
  SHA512: ea208f87a7b23f39ab9425840c9ac6def918cb5b13bf00218da43d69d2ec5a8053c80cb72b8c7a60ae2a0780fcb36eed3ce470f9443da03ff9ad0a63642dd955

- Filesize: 560KB
  MD5: e6dd149f484e5dd78f545b026f4a1691
  SHA1: 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
  SHA256: 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
  SHA512: 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

- Filesize: 1.4MB
  MD5: eff97d84ecbc5f1e23a251bb96273275
  SHA1: 58410a2c1019875fc578b28f0d5eb8fa808a7a72
  SHA256: 5f97a514565f941ec222ad93fdf882849c9c656abfea7b840ffb8d78e695a8ed
  SHA512: 0caa30823aaf59a63e9d51b18c8e4320b4af8907756d069e7ce28919ee920c5fb94668f9953422af2bc5f9cd7f9f83cbc95f2f3cbb921814d8db03d0d90de61f

- Filesize: 1.2MB
  MD5: b467afaa58c8c394c60dd3a003da5aa5
  SHA1: 25811c8408d7b9bc604605a1131e06f533ff1b10
  SHA256: a188394902bfe0393b7869912c003cea33b3de114f5f7508ebca1c5ed262a13b
  SHA512: 6409ca5404793238cb5479cecc44f5f8696908a6dfae6a553ef7d41dfeb48eb23e881014151e3013561383d61690b4fe2b12fb7a607a67475253e3da18f95dcc

- Filesize: 1.8MB
  MD5: 93df53829d7ff15b36cca0997bdf9523
  SHA1: 85961b7b321c9492e276ada800debaa55c9c1d59
  SHA256: 107f6e6bf02253e4453b28539faa31bbcdd8c7048373fd3678aeec3e4faf2e5c
  SHA512: 37edf278c32461498cf9fb723806553f8f99f00eda1e8fd3b314733759f249cc9db11db400b0a2e8985b1bdbb31749f80e4608f03c783e95fe5a144437337f16

- Filesize: 1.6MB
  MD5: 39e3485dba00d4aa641a5007a0a5664a
  SHA1: 281ea5d054b2653f23514709f27b36e3a1695de7
  SHA256: 41a4d7a4873b018e4cc9e17943d74e3288abd4863bc6aa38133dd9dab5151fdd
  SHA512: 9297fc7a875667854523095e277c408af30a9b4f1f26ff878d0ed2db88d2dddda273f743399e1db0e3876ef5b10928ca9156eec14e869fd1e68213b6570a8397

- Filesize: 1.1MB
  MD5: 56b83c068dc6c8df9c02236e9587cd42
  SHA1: 9803091206a0fff470768e67577426cce937a939
  SHA256: 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
  SHA512: e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb

- Filesize: 1.4MB
  MD5: d1595c627b387677b1fdc35f8ce881d0
  SHA1: 177df5ff81f11a747db10917414d10e7bcb216d0
  SHA256: 85475b69029793ad8d37db633331707e47409f0d8536349d8ce07510eac62cf6
  SHA512: 10011f5215fbfb594695c537fe6794a4dc794fe392019f4e2f93f943b0cca6ffde34a9a3274440f4df63c9debaa031103882b4b6ed6be77534115df086ca9f51

- Filesize: 1.6MB
  MD5: 2070026b7db06b39dd6476c97afa194c
  SHA1: a642b95f2c4ea50b3da347a008b3a06daf06a5ee
  SHA256: c2a79a1de75bb7e6b9b67aed334a19914a99c235ac0ea8505825105f90d3e1a2
  SHA512: bf5d149ae468bba39f44cf2269ff424e9afcdd7a2952a6cd59a6c6c7992c146ce23aea83c607e5059bb94f550512421dd7bdf741ac99b928fab32599dedfa8f6

- Filesize: 960KB
  MD5: 28158c533348f213e23e5bdac3b09369
  SHA1: ce453cdc9510ea68131ba32f86430e98920ab21c
  SHA256: c46f3259eabc8a4e47b562d0bbfaabf0599a2cefb6483020b3cb4b0ba37a61b4
  SHA512: 974e4feeb50ce21ffe784e65df6e2e816fcdfdfc484d3f1a044d58184246b2b247f87c4cee245dc0e20df7a49a3fa0dae73838ddc28922db90e21a4358015eba

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

- Filesize: 13KB
  MD5: a813d18268affd4763dde940246dc7e5
  SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

- Filesize: 689KB
  MD5: 14db4253fd181e84e26eebc8f4150402
  SHA1: 79e77f75b5b8b1386c1bb76324790caaa908ca8d
  SHA256: 65cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28
  SHA512: 9939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e

- Filesize: 25KB
  MD5: 40d7eca32b2f4d29db98715dd45bfac5
  SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
  SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
  SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

- Filesize: 246KB
  MD5: c7f4dfe314dd61bc9ff56fdffe58bc58
  SHA1: 92149a4cc12b6e284f672897408ed7fe2c08cd39
  SHA256: 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591
  SHA512: 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44

- Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 2aba90aafc8306316c5452241bd134cc
  SHA1: 9c30cd879ed7de82e3206ead4f7e7672381459ac
  SHA256: 6db4173e3b5982adbd6be8ee021998a5d558c528fb1980d82287b4fc86b9ed08
  SHA512: 85d2879cce51d2b3bc28d4fb93b0a1d5c63e7102c804823ebdd0688a38fb0dd7094ba42ca23b3de8af0ab676fe1553abb976c1152228d57f41616d8d013150f1

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 34f76a841ed0bd82883761dd19d487b5
  SHA1: de9e8b9965e1a9bdefc0f3ccc133277435465639
  SHA256: f488dd2fb174cb09bd25dae779fd6c478fe738c5872edaeeab38578f58c8d710
  SHA512: 1e0d6d79ead7fe82291b20a4b8d5ed93131a53d74f742238f07b8609dc26a02651dea74193d0bb86d02964be48d91565cca82b292460b54d3e8c993a1c410970

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 78d83f53eba30d5e038b012fff23ac61
  SHA1: 569e17ffafc8604e270bd863990ba046f117c010
  SHA256: 76b36391a414fb593af45bd305e99e91553d3bc3fce5454de11cd4950d921d0d
  SHA512: 187eeaac713448e904b836956b542d53d21b4909b15e411335bdb9273cfb6d765cc9dcba7711e2c351dfa17ea4fcfdfb13db97cd703cc4173c19bb77521ae0ae

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 3c7a3749a76fd55317e8e339e17130a1
  SHA1: b7bb194de0ac132e056022efd4f784fef7c9b451
  SHA256: 3dcc6488922494427f05c0c26fccac3cba307c530b3b3369596ef9312d39f314
  SHA512: 2e83d22a7a61f7027c308fa2e5e2012b18ad60d81af383eae12190738504786e73c0cf617a608c554bb91a458fc79c5081283b21684a3b121ecd0cf3c6ee9838

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 47ed0dc8d2abb65c55ca4867d82159e9
  SHA1: 64fca409524b03cd3a0b1f24e984c4634ce95c2f
  SHA256: 433f4ad1c526c2bb1ba22d551ee27072385bc4ffef9df0feb2402fc13e5d26b5
  SHA512: b1bc448df383785b1bf3171b5927216579b7fd00b6b8b6fb17d4afad8970afccaabb6e6f4891c8869239b3af473703051aece5d98e7e6adf1c3f3f8a9559e73c

- Filesize: 2.4MB
  MD5: 653b3840686c3a4ca9aabeaab7c7dab6
  SHA1: 374ccbaa38c9ff31928401f498fb00825882dedf
  SHA256: 7b7d9e629088c0e46cb6ada93287a9bb93ce1e2b8599c3e1839590e8a9bd481b
  SHA512: dbf7e42777544a42a8160f0d9245220ecc151a4dfe0a341640ea6961f9d1f66861a004cd89980c0024b504de54e393337af50cde252e92702ddcd7c5bb0abe80

- Filesize: 2.0MB
  MD5: b8bbbebf6a96db29f8a6c2c3e2726b72
  SHA1: 074958a02f3c65261dfe5d4c349b7af4849ee707
  SHA256: 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39
  SHA512: 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74