Analysis
-
max time kernel
214s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system -
submitted
27-02-2024 04:49
Static task
static1
Behavioral task
behavioral1
Sample
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
Resource
win7-20240221-en
General
-
Target
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
-
Size
162KB
-
MD5
5cddaacf9782c030db128e3ebfd8f301
-
SHA1
71bae291b66ecfad6ee79ab150c9b4bdc676f06c
-
SHA256
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
-
SHA512
bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797
-
SSDEEP
3072:pR3aImWaDnBilDV8X+Ld1VVuLtKsQfk1RoGJS4dNVEv:pIbWaDBilDVNLdJBsQfk77X
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
Extracted
smokeloader
pub1
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/1004-147-0x0000000002DE0000-0x00000000036CB000-memory.dmp family_glupteba behavioral2/memory/1004-148-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral2/memory/1004-169-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral2/memory/1004-361-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
Pitou 2 IoCs
Pitou.
Processes:
resource yara_rule behavioral2/memory/3248-51-0x0000000000400000-0x0000000002D8C000-memory.dmp pitou behavioral2/memory/3248-100-0x0000000000400000-0x0000000002D8C000-memory.dmp pitou -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2864 netsh.exe -
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid process 3420 -
Executes dropped EXE 17 IoCs
Processes:
C9D8.exeD9B8.exeD9B8.exeDDA1.exeE737.exeE737.tmpwsiwgaa28B6.exe288c47bbc1871b439df19ff4df68f076.exeInstallSetup4.exeFourthX.exeBroomSetup.exe39CE.exensj434F.tmp7532.exevueqjgslwynd.exe288c47bbc1871b439df19ff4df68f076.exepid process 5116 C9D8.exe 2080 D9B8.exe 4268 D9B8.exe 3248 DDA1.exe 4404 E737.exe 4568 E737.tmp 5016 wsiwgaa 1064 28B6.exe 1004 288c47bbc1871b439df19ff4df68f076.exe 4384 InstallSetup4.exe 2788 FourthX.exe 1128 BroomSetup.exe 4716 39CE.exe 992 nsj434F.tmp 4192 7532.exe 3324 vueqjgslwynd.exe 1816 288c47bbc1871b439df19ff4df68f076.exe -
Loads dropped DLL 10 IoCs
Processes:
regsvr32.exeD9B8.exeE737.tmpInstallSetup4.exensj434F.tmppid process 600 regsvr32.exe 4268 D9B8.exe 4568 E737.tmp 4568 E737.tmp 4568 E737.tmp 4384 InstallSetup4.exe 4384 InstallSetup4.exe 992 nsj434F.tmp 992 nsj434F.tmp 4384 InstallSetup4.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/4268-33-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral2/memory/4268-36-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral2/memory/4268-35-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral2/memory/4268-37-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral2/memory/4268-38-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral2/memory/4268-39-0x0000000000400000-0x0000000000848000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
D9B8.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" D9B8.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
DDA1.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 DDA1.exe -
Drops file in System32 directory 8 IoCs
Processes:
powershell.exepowershell.exepowershell.exeFourthX.exepowershell.exevueqjgslwynd.exedescription ioc process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache powershell.exe File opened for modification C:\Windows\system32\MRT.exe FourthX.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe vueqjgslwynd.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
D9B8.exevueqjgslwynd.exedescription pid process target process PID 2080 set thread context of 4268 2080 D9B8.exe D9B8.exe PID 3324 set thread context of 3184 3324 vueqjgslwynd.exe conhost.exe PID 3324 set thread context of 780 3324 vueqjgslwynd.exe explorer.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
288c47bbc1871b439df19ff4df68f076.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 4348 sc.exe 836 sc.exe 4928 sc.exe 4828 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
39CE.exe6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 39CE.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 39CE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 39CE.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
nsj434F.tmpdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nsj434F.tmp Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nsj434F.tmp -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exenetsh.exepowershell.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exepid process 364 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe 364 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 3420 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe39CE.exepid process 364 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe 4716 39CE.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exedescription pid process Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeDebugPrivilege 2228 powershell.exe Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeShutdownPrivilege 3420 Token: SeCreatePagefilePrivilege 3420 Token: SeIncreaseQuotaPrivilege 2228 powershell.exe Token: SeSecurityPrivilege 2228 powershell.exe Token: SeTakeOwnershipPrivilege 2228 powershell.exe Token: SeLoadDriverPrivilege 2228 powershell.exe Token: SeSystemProfilePrivilege 2228 powershell.exe Token: SeSystemtimePrivilege 2228 powershell.exe Token: SeProfSingleProcessPrivilege 2228 powershell.exe Token: SeIncBasePriorityPrivilege 2228 powershell.exe Token: SeCreatePagefilePrivilege 2228 powershell.exe Token: SeBackupPrivilege 2228 powershell.exe Token: SeRestorePrivilege 2228 powershell.exe Token: SeShutdownPrivilege 2228 powershell.exe Token: SeDebugPrivilege 2228 powershell.exe Token: SeSystemEnvironmentPrivilege 2228 powershell.exe Token: SeRemoteShutdownPrivilege 2228 powershell.exe Token: SeUndockPrivilege 2228 powershell.exe Token: SeManageVolumePrivilege 2228 powershell.exe Token: 33 2228 powershell.exe Token: 34 2228 powershell.exe Token: 35 2228 powershell.exe Token: 36 2228 powershell.exe Token: SeDebugPrivilege 3768 powershell.exe Token: SeDebugPrivilege 5108 powershell.exe Token: SeAssignPrimaryTokenPrivilege 5108 powershell.exe Token: SeIncreaseQuotaPrivilege 5108 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
E737.tmppid process 4568 E737.tmp -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
BroomSetup.exepid process 1128 BroomSetup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
regsvr32.exeD9B8.exeE737.exe28B6.exeInstallSetup4.exeBroomSetup.execmd.exe288c47bbc1871b439df19ff4df68f076.execmd.exedescription pid process target process PID 3420 wrote to memory of 5116 3420 C9D8.exe PID 3420 wrote to memory of 5116 3420 C9D8.exe PID 3420 wrote to memory of 5116 3420 C9D8.exe PID 3420 wrote to memory of 2932 3420 regsvr32.exe PID 3420 wrote to memory of 2932 3420 regsvr32.exe PID 2932 wrote to memory of 600 2932 regsvr32.exe regsvr32.exe PID 2932 wrote to memory of 600 2932 regsvr32.exe regsvr32.exe PID 2932 wrote to memory of 600 2932 regsvr32.exe regsvr32.exe PID 3420 wrote to memory of 2080 3420 D9B8.exe PID 3420 wrote to memory of 2080 3420 D9B8.exe PID 3420 wrote to memory of 2080 3420 D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 2080 wrote to memory of 4268 2080 D9B8.exe D9B8.exe PID 3420 wrote to memory of 3248 3420 DDA1.exe PID 3420 wrote to memory of 3248 3420 DDA1.exe PID 3420 wrote to memory of 3248 3420 DDA1.exe PID 3420 wrote to memory of 4404 3420 E737.exe PID 3420 wrote to memory of 4404 3420 E737.exe PID 3420 wrote to memory of 4404 3420 E737.exe PID 4404 wrote to memory of 4568 4404 E737.exe E737.tmp PID 4404 wrote to memory of 4568 4404 E737.exe E737.tmp PID 4404 wrote to memory of 4568 4404 E737.exe E737.tmp PID 3420 wrote to memory of 1064 3420 28B6.exe PID 3420 wrote to memory of 1064 3420 28B6.exe PID 3420 wrote to memory of 1064 3420 28B6.exe PID 1064 wrote to memory of 1004 1064 28B6.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1064 wrote to memory of 1004 1064 28B6.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1064 wrote to memory of 1004 1064 28B6.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1064 wrote to memory of 4384 1064 28B6.exe InstallSetup4.exe PID 1064 wrote to memory of 4384 1064 28B6.exe InstallSetup4.exe PID 1064 wrote to memory of 4384 1064 28B6.exe InstallSetup4.exe PID 1064 wrote to memory of 2788 1064 28B6.exe FourthX.exe PID 1064 wrote to memory of 2788 1064 28B6.exe FourthX.exe PID 4384 wrote to memory of 1128 4384 InstallSetup4.exe BroomSetup.exe PID 4384 wrote to memory of 1128 4384 InstallSetup4.exe BroomSetup.exe PID 4384 wrote to memory of 1128 4384 InstallSetup4.exe BroomSetup.exe PID 3420 wrote to memory of 4716 3420 39CE.exe PID 3420 wrote to memory of 4716 3420 39CE.exe PID 3420 wrote to memory of 4716 3420 39CE.exe PID 1128 wrote to memory of 4292 1128 BroomSetup.exe cmd.exe PID 1128 wrote to memory of 4292 1128 BroomSetup.exe cmd.exe PID 1128 wrote to memory of 4292 1128 BroomSetup.exe cmd.exe PID 4384 wrote to memory of 992 4384 InstallSetup4.exe nsj434F.tmp PID 4384 wrote to memory of 992 4384 InstallSetup4.exe nsj434F.tmp PID 4384 wrote to memory of 992 4384 InstallSetup4.exe nsj434F.tmp PID 4292 wrote to memory of 4496 4292 cmd.exe chcp.com PID 4292 wrote to memory of 4496 4292 cmd.exe chcp.com PID 4292 wrote to memory of 4496 4292 cmd.exe chcp.com PID 3420 wrote to memory of 4192 3420 7532.exe PID 3420 wrote to memory of 4192 3420 7532.exe PID 3420 wrote to memory of 4192 3420 7532.exe PID 4292 wrote to memory of 1376 4292 cmd.exe schtasks.exe PID 4292 wrote to memory of 1376 4292 cmd.exe schtasks.exe PID 4292 wrote to memory of 1376 4292 cmd.exe schtasks.exe PID 1004 wrote to memory of 3768 1004 288c47bbc1871b439df19ff4df68f076.exe powershell.exe PID 1004 wrote to memory of 3768 1004 288c47bbc1871b439df19ff4df68f076.exe powershell.exe PID 1004 wrote to memory of 3768 1004 288c47bbc1871b439df19ff4df68f076.exe powershell.exe PID 2344 wrote to memory of 3080 2344 cmd.exe wusa.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:364
-
C:\Users\Admin\AppData\Local\Temp\C9D8.exeC:\Users\Admin\AppData\Local\Temp\C9D8.exe1⤵
- Executes dropped EXE
PID:5116
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\CF09.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\CF09.dll2⤵
- Loads dropped DLL
PID:600
-
C:\Users\Admin\AppData\Local\Temp\D9B8.exeC:\Users\Admin\AppData\Local\Temp\D9B8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\D9B8.exeC:\Users\Admin\AppData\Local\Temp\D9B8.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:4268
-
C:\Users\Admin\AppData\Local\Temp\DDA1.exeC:\Users\Admin\AppData\Local\Temp\DDA1.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3248
-
C:\Users\Admin\AppData\Local\Temp\E737.exeC:\Users\Admin\AppData\Local\Temp\E737.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\is-PUJTF.tmp\E737.tmp"C:\Users\Admin\AppData\Local\Temp\is-PUJTF.tmp\E737.tmp" /SL5="$15003A,2349102,54272,C:\Users\Admin\AppData\Local\Temp\E737.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4568
-
C:\Users\Admin\AppData\Roaming\wsiwgaaC:\Users\Admin\AppData\Roaming\wsiwgaa1⤵
- Executes dropped EXE
PID:5016
-
C:\Users\Admin\AppData\Local\Temp\28B6.exeC:\Users\Admin\AppData\Local\Temp\28B6.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:1816 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4656 -
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:1500
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2864 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4788 -
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵PID:8724
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:4496
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- Creates scheduled task(s)
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\nsj434F.tmpC:\Users\Admin\AppData\Local\Temp\nsj434F.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:992 -
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:836 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:3080
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:4928 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:4828 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:4348
-
C:\Users\Admin\AppData\Local\Temp\39CE.exeC:\Users\Admin\AppData\Local\Temp\39CE.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4716
-
C:\Users\Admin\AppData\Local\Temp\7532.exeC:\Users\Admin\AppData\Local\Temp\7532.exe1⤵
- Executes dropped EXE
PID:4192
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3324 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5108 -
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:3184
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:4912
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2512
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
PID:780
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
2.5MB
MD5b03886cb64c04b828b6ec1b2487df4a4
SHA1a7b9a99950429611931664950932f0e5525294a4
SHA2565dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA51221d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659
-
Filesize
2.1MB
MD5d847dbfee9bfc8426168aad888ede9bd
SHA1f8b60258c711d19ea1d5413a3aee21262d8b8db7
SHA256fbdbcee82d428a818977ef77349eb7ebcb45b205751547ba4c6df3d0e8bffc07
SHA5124c4f542caa52c03f319698aeb7e05d29c1d13a8a0fed7fbde00ecfd5bf6a033c2be8d6b517f59a46ea66cb182995c6bece0e1ee002b3724e40f5286b700ee9a1
-
Filesize
128KB
MD5550ee7188c527b01bfa4d015377d121c
SHA144c45f90daaef2f68d08512a79d0efa86a748f4b
SHA256b236c2da74955dc9bcd4fc696ae78f49edbbc6f06aacaa80f0246da3deb3265d
SHA512677f8a65ca34a290ce916d13966f0511875d5cfc12cc0983d7463a64047528a2407eb62ca8cae392452d06e756b9d07014af52c92d91ec61264c2005468f2a1a
-
Filesize
3.7MB
MD57a80cd42234506c4eca04b6a54d5bf7f
SHA1b571f657031f54fc5c733759b558d43bdf88eedb
SHA2563084537f35cd8e74646264612514628aa49ddda9c1fd79894c8641a9b7768df9
SHA51288e692b05423c082b7fea2a8de7440a035d94af4cabab28ac07c6bb19be2ac3c57d2e05a9a321ca512098786b942ed2f60d4fd13a100fa7832b10d327a78c5a7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
MD509daace6074ca06ea3737d622083d5dd
SHA1eb5e13591e3e86cfd51c0f284ca323aace0d1501
SHA256bb7d28c3a4d3efc1b473a7b07c4d4af8ce775d1461eae61f6913c81b745997b2
SHA512b5eff759b219614869d18b50fe80490a75a76db474f5f55d783b991f7fb5ecbc7b904a956a42badb6e6b9b08921b9dc00e567ff786b7ea315a9222c6944cc541
-
Filesize
163KB
MD50ca68f13f3db569984dbcc9c0be6144a
SHA18c53b9026e3c34bcf20f35af15fc6545cb337936
SHA2569cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA5124c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d
-
Filesize
2.6MB
MD5be4e08adb67b58113b8ffe1893c6f321
SHA1fd32e0a3ccf052472630ce59ea134b03aecb0f58
SHA256dfade7a38e519c11f4b001bfab3f4c9eeb6f7f077a0533c35a2c2f6820695421
SHA5128bce21d8995e6f8d7a3e0632bfd891206c91be1d77c3db0eff61a15b07f7a58ebfb997b9a6bd9306b5722922136175e7b38d8382766ecc56fc77444c443d393b
-
Filesize
1.9MB
MD503b56deb0a19574e78dd6a5b9a699c61
SHA1440396534b1507f7c80cccd199c00b59081e79e5
SHA256b096e3c3326f1cfe59153b6e5f0702a5fb75519fb055937f76598e451817cb4c
SHA5120144924dc8fd7472108df9154c1dcc671d9e31bfa44a199d0f6cab58cb24c2daf56fac6a4760265e66a949d5bb58a7df8d0c270284f7df56c029cbbe7fe871a5
-
Filesize
2.0MB
MD5807dbd255743cdb219cf957247bfb1e6
SHA1cfad1089d95afedb21cc386b383508689db0a98b
SHA25631beab3ec8f7bd24285387e7fbee7c3212b093a3e59e639aa08c10387ba09e86
SHA512d213e01f6b0385771fbf757bfa335399d4ead1a0575e24ffb30866c8d8686f12fb3e1d50b45c234765d2b66316ec443c628f1010ce4c2aaa5c9200f6d71899a9
-
Filesize
512KB
MD55dac4c5f4289f817e0c7892c76a0aab1
SHA113477d501e005148f8eb2a3b456b41b0f29d058b
SHA256e2b88e200808b33ed0f7c104a2df705c0aa6ce2d97fdd1303a065a45507c8807
SHA5126599db9c89507a285647b2d24521900117c6ef3e14dfd2e72358bdc1f7a0a003ed86888c0d59df4650a6bd18d62a42d1e84abd5dd24294924982ab2606523260
-
Filesize
1.4MB
MD51ec1291e83f28fdf8fb4e264d8f4348c
SHA142ee5f14acbc586461b4a6ed75cc1c527119bc27
SHA2564099ec6dba9b3cc9682431c9aaa48b88b29efc8000524929018eecd1211d5ca9
SHA512a2bd83e207e08fc653d3793f5c5db9f37416d31b75fb61020c0f470135301338947ad36ee5318922cd77cceddfe582c1435dbaf0de25d909b635503b42ef79f2
-
Filesize
5.0MB
MD50904e849f8483792ef67991619ece915
SHA158d04535efa58effb3c5ed53a2462aa96d676b79
SHA256fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5
-
Filesize
2.0MB
MD57aecbe510817ee9636a5bcbff0ee5fdd
SHA16a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae
-
Filesize
1.9MB
MD5398ab69b1cdc624298fbc00526ea8aca
SHA1b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA5123b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739
-
Filesize
560KB
MD5e6dd149f484e5dd78f545b026f4a1691
SHA13ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA25611243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA5120defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize
2.5MB
MD5e4a41feae8a0ea34b8318bf3ddafded3
SHA11234026e5d8872a8b7022850ea889f55370a3ff5
SHA256be482bb853fccfef39948f3b2a01773cb2236dc512cf9cd61e7fdfe26687bcb6
SHA512d825e42389ccfda3e11b30948f44d001710d2ea69b43402f1240f06671621f26499ca4ef1e69d25bea706e5baaf14a8ddfae145d409a9680c413b39f9586c903
-
Filesize
1.9MB
MD5ebb513d4d6d769ae21e14c45f491ca1b
SHA15f97e01f98b58a17e538a71b81b7a24c999c1859
SHA2565e467197e806babc85b146d0456992a2a72060494e4dd0a00dc05813f71381c6
SHA5126e28db09bb87188eeb331f695e9505e80a06286191c29599d0d113e64013a818c0d537040eb527a5da4298adac057ae08928e84cca85d08301c9312e5da36a21
-
Filesize
1.5MB
MD5ae6091485f322e8f312636bff904b057
SHA1ce30c0bdd9938cbdda665a1ee4c14e55c9d30c37
SHA25682115b3ae69efdd2d5ea779f9ea2e6d6a38215feb9ffe8c2391a7cec969ecf32
SHA512d22a538ebe10525053217764c1f1340731228cae0ac5d782fc54a8797fe546429f232789b7023ca8113e7c71d8f270ef5173734bbbf11b21759c9a856aeee2ff
-
Filesize
832KB
MD5f75b9beec810c7d22ac06871935465cc
SHA102a949c1e44035114022079454555c9c145bf8fb
SHA256edbe5331590b5dd47a67f9546820b96f3f2b4590cd4444ec6e6185762c6a2182
SHA512e2e8b13f7e69d46fd1d3a08e08ef0bf661dc690df37583ea653321ac05ccc717a716ec9ac1670e574a87e70c8096bce538b976d7fbb4af9f46cf5c1ad598a37c
-
Filesize
2.0MB
MD528b72e7425d6d224c060d3cf439c668c
SHA1a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA5123e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
689KB
MD514db4253fd181e84e26eebc8f4150402
SHA179e77f75b5b8b1386c1bb76324790caaa908ca8d
SHA25665cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28
SHA5129939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e
-
Filesize
192KB
MD59089c5ddf54262d275ab0ea6ceaebcba
SHA14796313ad8d780936e549ea509c1932deb41e02a
SHA25696766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c
-
Filesize
128KB
MD50ab522cd9cc4a004d8b7b21445b58132
SHA162da3b22a7ef628712fc771cd10fac96bafb558f
SHA2564e6080d8571cd53972a0dfa4f383d61ee95efef520988cf50a17bd569beb6486
SHA5127cc4575c6746eaa92ab837c38203deed2c4beaff6aae6bd60e68edd0a197091695be68f968289db6892f3a96425c334771673daa08c3d8a51be8deb56e75dfc9
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
162KB
MD55cddaacf9782c030db128e3ebfd8f301
SHA171bae291b66ecfad6ee79ab150c9b4bdc676f06c
SHA2566d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
SHA512bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5a0eca20ab85d5bb841117922f97e12b2
SHA1ab79e31c385bbb32dc5f2fc6fa335293f2d504b7
SHA256bf25de7df6bcb6ae5e313d2493be42140d59391edd15e5bf0b59bc26d1c523ad
SHA512d6e204f0dfe0f440c94dbccade9a501a91a676f483933e9ba2ec90118652af2a2be979be1d82c14be1c7eb0c3617ec416696b7f7cb8beea17ed8d41a93871e94
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize18KB
MD5fd8efeaa917d4b4daff90c39b149b694
SHA161ca1b1fe37dc2abcc102133240ee8f2c9c0ba25
SHA256e1621df8f186669e4d8d8653b6361322e4cc4b2dccb2eb2d1bd9c63232e6ccbe
SHA512d17a121a2e37d93db9d35c9b476e8bb1276df043114d9ee3f96151215bc6126c6655685abb433d8ae3a790e0ad62e7c974b69a8f10d65f9873c164c649765e3a
-
Filesize
832KB
MD5b8c50d741d429e4cd6210293c0f0d881
SHA1059f1aa663f344b66b7ab96bd092bfd08ef6b091
SHA256862a2046656a5a5dc1638c6b9ac7c751b90fceae08d37b4e2702b73c45278a8b
SHA512b7e6e142048371568ecdc9bc10c0da83c73125bdff1964839244f0b95eb7fd08a34f42f4fcd26ff5fac52f4350fb28c2505df2ce69c51a2fd0ff76a903d83096
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
1.8MB
MD5936cd56662a1d626a89a41623fc216b2
SHA1c5d69ce27ecbf1f92d79f204786ac088df741a69
SHA25627e8206a2cd1eb494909d58b1e22fbfd02cace1d03cebb98784711a3345e3da6
SHA512dce4dfa8102416a9049f2e30c876ccfb5e8bd235219d81411c89daf196e175e8c1a3c12b59fa18c1ef04f31277f8f0bc6f141ed15340130dffbf1554431dba1b
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d