Analysis
max time kernel: 78s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 05:55
Static task: static1
Behavioral task: behavioral1
Sample: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe
Resource: win10v2004-20240226-en
General
Target: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe
Size: 261KB
MD5: 270d3f441e678ec516527bf25c20023d
SHA1: 4664604103288d56244609208fd8de851a5599a0
SHA256: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910
SHA512: b534d84edfd01c4e926b65ba0ddc6604954ef025a012ef6ae1c33e54ee912fcc9f206fd1b4f82247be2938c38716ee13f643d40da4a18290097d9459532cb8c1
SSDEEP: 3072:rHYuRgCFBQh1Sjw67WXFsFk3zXnE20P+UX/Ig5JiT+yx:DFw1SjBWVsGz3E/+QQAiT
Malware Config
Extracted: smokeloader (2022)
Extracted: smokeloader (pub1)
Extracted: lumma
Signatures
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: BC2C.exe, schtasks.exe, d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe, schtasks.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" (BC2C.exe)
- pid 3852 schtasks.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe)
- pid 792 schtasks.exe
Glupteba payload 4 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4352-101-0x0000000004040000-0x000000000492B000-memory.dmp family_glupteba
- behavioral2/memory/4352-110-0x0000000000400000-0x0000000001E0F000-memory.dmp family_glupteba
- behavioral2/memory/4352-142-0x0000000000400000-0x0000000001E0F000-memory.dmp family_glupteba
- behavioral2/memory/4352-216-0x0000000000400000-0x0000000001E0F000-memory.dmp family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 3 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/3052-47-0x0000000000400000-0x0000000001A77000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
- behavioral2/memory/3052-102-0x0000000000400000-0x0000000001A77000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
- behavioral2/memory/3052-135-0x0000000000400000-0x0000000001A77000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Detects Windows executables referencing non-Windows User-Agents 3 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4352-110-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/4352-142-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- behavioral2/memory/4352-216-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects executables containing a Discord URL observed in first-stage droppers 3 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4352-110-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/4352-142-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL
- behavioral2/memory/4352-216-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL
Detects executables containing URLs to raw contents of a Github gist 3 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4352-110-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/4352-142-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
- behavioral2/memory/4352-216-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Detects executables containing artifacts associated with disabling Windows Defender 3 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4352-110-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/4352-142-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender
- behavioral2/memory/4352-216-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender
Detects executables referencing many varying, potentially fake Windows User-Agents 3 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4352-110-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/4352-142-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
- behavioral2/memory/4352-216-0x0000000000400000-0x0000000001E0F000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
UPX dump on OEP (original entry point) 13 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/4704-18-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/memory/4704-21-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/memory/4704-23-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/memory/4704-25-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/memory/4704-28-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/memory/4704-31-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/memory/4704-131-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/files/0x000700000002321d-130.dat UPX
- behavioral2/files/0x000700000002321d-129.dat UPX
- behavioral2/files/0x000700000002321d-124.dat UPX
- behavioral2/memory/452-136-0x0000000000400000-0x0000000000930000-memory.dmp UPX
- behavioral2/memory/4704-153-0x0000000000400000-0x0000000000848000-memory.dmp UPX
- behavioral2/memory/452-166-0x0000000000400000-0x0000000000930000-memory.dmp UPX
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
- pid 4592 netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: E311.exe, InstallSetup_four.exe
- Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation (E311.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation (InstallSetup_four.exe)
Deletes itself 1 IoCs
Processes:
- pid 3488 (no process name listed)
Executes dropped EXE 11 IoCs
Processes: BC2C.exe, BC2C.exe, D5EF.exe, D8B0.exe, E311.exe, EEBA.exe, InstallSetup_four.exe, 288c47bbc1871b439df19ff4df68f076.exe, u12o.0.exe, u12o.1.exe, 288c47bbc1871b439df19ff4df68f076.exe
- pid 2932 BC2C.exe
- pid 4704 BC2C.exe
- pid 440 D5EF.exe
- pid 3052 D8B0.exe
- pid 1400 E311.exe
- pid 4568 EEBA.exe
- pid 1392 InstallSetup_four.exe
- pid 4352 288c47bbc1871b439df19ff4df68f076.exe
- pid 4824 u12o.0.exe
- pid 452 u12o.1.exe
- pid 4848 288c47bbc1871b439df19ff4df68f076.exe
Loads dropped DLL 4 IoCs
Processes: regsvr32.exe, BC2C.exe, u12o.0.exe
- pid 1460 regsvr32.exe
- pid 4704 BC2C.exe
- pid 4824 u12o.0.exe
- pid 4824 u12o.0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (resource / yara_rule):
- behavioral2/memory/4704-18-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/4704-21-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/4704-23-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/4704-25-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/4704-28-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/4704-31-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/4704-131-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/files/0x000700000002321d-130.dat upx
- behavioral2/files/0x000700000002321d-129.dat upx
- behavioral2/files/0x000700000002321d-124.dat upx
- behavioral2/memory/452-136-0x0000000000400000-0x0000000000930000-memory.dmp upx
- behavioral2/memory/4704-153-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/452-166-0x0000000000400000-0x0000000000930000-memory.dmp upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
- Destination IP 62.102.148.68
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Processes: BC2C.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" (BC2C.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: D8B0.exe
- File opened for modification \??\PHYSICALDRIVE0 (D8B0.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes: BC2C.exe
- PID 2932 set thread context of 4704 (pid 2932, BC2C.exe, procid_target 93)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe
- pid 5044 WerFault.exe, pid_target 1392, procid_target 103
- pid 1984 WerFault.exe, pid_target 4824, procid_target 106
- pid 2252 WerFault.exe, pid_target 4848, procid_target 120
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe, EEBA.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (EEBA.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (EEBA.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (EEBA.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: u12o.0.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (u12o.0.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (u12o.0.exe)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
- pid 3852 schtasks.exe
- pid 792 schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe
- pid 4396 d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe (2 entries)
- pid 3488, no process name listed (all remaining entries)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe, EEBA.exe
- pid 4396 d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe
- pid 4568 EEBA.exe
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: powershell.exe, 288c47bbc1871b439df19ff4df68f076.exe, powershell.exe
- pid 3488 (no process name listed): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 18 entries in total
- pid 404 powershell.exe: Token: SeDebugPrivilege
- pid 4352 288c47bbc1871b439df19ff4df68f076.exe: Token: SeDebugPrivilege
- pid 4352 288c47bbc1871b439df19ff4df68f076.exe: Token: SeImpersonatePrivilege
- pid 4760 powershell.exe: Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: u12o.1.exe
- pid 452 u12o.1.exe
Suspicious use of WriteProcessMemory 55 IoCs
Processes: BC2C.exe, regsvr32.exe, E311.exe, InstallSetup_four.exe, u12o.1.exe, cmd.exe, 288c47bbc1871b439df19ff4df68f076.exe, 288c47bbc1871b439df19ff4df68f076.exe
Each row reads "PID <parent> wrote to memory of <child>" followed by the parent pid, parent process and procid_target (identical rows collapsed, count shown):
- PID 3488 wrote to memory of 2932 (3488, no process name listed, procid_target 92), x3
- PID 2932 wrote to memory of 4704 (2932 BC2C.exe, procid_target 93), x8
- PID 3488 wrote to memory of 4616 (3488, no process name listed, procid_target 94), x2
- PID 4616 wrote to memory of 1460 (4616 regsvr32.exe, procid_target 95), x3
- PID 3488 wrote to memory of 440 (3488, no process name listed, procid_target 97), x3
- PID 3488 wrote to memory of 3052 (3488, no process name listed, procid_target 98), x3
- PID 3488 wrote to memory of 1400 (3488, no process name listed, procid_target 101), x3
- PID 3488 wrote to memory of 4568 (3488, no process name listed, procid_target 102), x3
- PID 1400 wrote to memory of 1392 (1400 E311.exe, procid_target 103), x3
- PID 1400 wrote to memory of 4352 (1400 E311.exe, procid_target 104), x3
- PID 1392 wrote to memory of 4824 (1392 InstallSetup_four.exe, procid_target 106), x3
- PID 1392 wrote to memory of 452 (1392 InstallSetup_four.exe, procid_target 107), x3
- PID 452 wrote to memory of 3624 (452 u12o.1.exe, procid_target 110), x3
- PID 3624 wrote to memory of 4084 (3624 cmd.exe, procid_target 112), x3
- PID 3624 wrote to memory of 3852 (3624 cmd.exe, procid_target 113), x3
- PID 4352 wrote to memory of 404 (4352 288c47bbc1871b439df19ff4df68f076.exe, procid_target 115), x3
- PID 4848 wrote to memory of 4760 (4848 288c47bbc1871b439df19ff4df68f076.exe, procid_target 123), x3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 4396

[1] C:\Users\Admin\AppData\Local\Temp\BC2C.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BC2C.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2932
  [2] C:\Users\Admin\AppData\Local\Temp\BC2C.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\BC2C.exe
      - DcRat
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      PID: 4704

[1] C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C303.dll
    - Suspicious use of WriteProcessMemory
    PID: 4616
  [2] C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\C303.dll
      - Loads dropped DLL
      PID: 1460

[1] C:\Users\Admin\AppData\Local\Temp\D5EF.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D5EF.exe
    - Executes dropped EXE
    PID: 440

[1] C:\Users\Admin\AppData\Local\Temp\D8B0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D8B0.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID: 3052

[1] C:\Users\Admin\AppData\Local\Temp\E311.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E311.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1400
  [2] C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1392
    [3] C:\Users\Admin\AppData\Local\Temp\u12o.0.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\u12o.0.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        PID: 4824
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 2148
          - Program crash
          PID: 1984
    [3] C:\Users\Admin\AppData\Local\Temp\u12o.1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\u12o.1.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 452
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 3624
        [5] C:\Windows\SysWOW64\chcp.com
            Command line: chcp 1251
            PID: 4084
        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            - DcRat
            - Creates scheduled task(s)
            PID: 3852
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1580
        - Program crash
        PID: 5044
  [2] C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4352
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken
        PID: 404
    [3] C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID: 4848
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
          PID: 4760
      [4] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID: 2904
        [5] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall
            PID: 4592
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 528
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 1800
      [4] C:\Windows\rss\csrss.exe
          Command line: C:\Windows\rss\csrss.exe
          PID: 1712
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 2584
        [5] C:\Windows\SYSTEM32\schtasks.exe
            Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)
            PID: 792
        [5] C:\Windows\SYSTEM32\schtasks.exe
            Command line: schtasks /delete /tn ScheduledUpdate /f
            PID: 3372
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 548
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 3604
        [5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            PID: 1716
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 752
          - Program crash
PID:2252
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\EEBA.exeC:\Users\Admin\AppData\Local\Temp\EEBA.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1392 -ip 13921⤵PID:528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4824 -ip 48241⤵PID:4488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4848 -ip 48481⤵PID:4204
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1): Bootkit (1)
Downloads
- Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
- Filesize: 192KB
  MD5: 3034aefffccf930e8cb12578cbd21d63
  SHA1: 59005a981ad09abf45a6b0445d1cf6bd3d68b07d
  SHA256: e479913f262e8f78c3cc2d681fc5572ec618e864c1c12859c5b481dd4c8600c9
  SHA512: 97dbac6b284851241e0b12f502b4c7b164b91cc2485cb51549d2d7022cc4c9079bcac6452568d5c70e1bfe5ac650558c49231308e74209b443673778d756458d
- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize: 320KB
  MD5: 4df2bf0ae4cdb77998d0c70281d3ca12
  SHA1: 935d164feabd42243aa34f96e8b6af39c93b6306
  SHA256: e83d04c5b94f9228037452a4d98b9b495e9f0ccae61fd379bc6ca6819ce904d2
  SHA512: bd8c22fbe054da820656e78eb1f00a2da810d99f31100efc47fc1182a24d014890a158fcd606a0beba011194620c4f9153f3be4b6acdd0c59858cd3d4a2c1138
- Filesize: 185KB
  MD5: d37ebc874a255f1f295974ba757650b5
  SHA1: acd897a324ed3d5a881e8acb9950ed0f475051b4
  SHA256: 228564164aac87f17e7ef3e4224073501870be47680b8722fdf3a530433fa7b6
  SHA512: fe993d0823097d6ad135cd667d8f7b6db817779fed2b8ddba7a5ac76710bc38decbbe5ff7ffb6c2e5273fc5b9474df3c2b6c73e26016f35af2a03164b9cc88e7
- Filesize: 1.1MB
  MD5: d435a1d6c92b350c824ace24f94d5b58
  SHA1: 2de65c5665e7cfbc18e90a58e778d34948a54eca
  SHA256: 94add31e627e99dfba3c4abd0159c0a6fba7736eb925e0829b185e1d148261be
  SHA512: c3689a2a363277d5f57d6cd52de3e03a9add38a863d03f99ffce5769256d09c19bf5d0c10be7f5659b1bf0e95a7a5185dc37958d8e47a3fe04a57a067c037746
- Filesize: 832KB
  MD5: a69d289e27bb41f53b03e7385747c0d6
  SHA1: 77123493d8b4d4830fda005e853e89b65cafd13f
  SHA256: e03398b001bf897cb52e69d04d13c7ac1b7edbc2745f6ed9140fe3a8c7942357
  SHA512: b600855e1080323aaf0c5ffb7913b8329adde7ef8b2441c6c07565b6d08cd0d6f6976db702aac992ca9ffe17af0a17bfa8ccd031a731557d1f6e8bf888195499
- Filesize: 1.9MB
  MD5: 621e14c27db223d3e37d71751c91f0e8
  SHA1: 5d89969cfbbf2ce485b14d8fc3bb2699b8139bb9
  SHA256: 32dc53571bc0971c09259932c4e53f7b0cd5493a029bc0ea9b1331a5126a6695
  SHA512: e359e612d5ee593e8929992940e5514383ce42493eee923e9cae290d352e2abd696ee5d0cc6a7a702265556c61662562efc7f647542397991a06c17e076334bb
- Filesize: 2.6MB
  MD5: 69272d604bcfc79a6cf9c8a117524e0a
  SHA1: 4c79237f6de3a3e0fb770157a83fb77923b43560
  SHA256: 40632a2f3dca03b4d56b7e4c8db05c054079c6de44c26579f9f4722270840cdb
  SHA512: 8aa579a6e603288afeb757b85f5cf72ea32e88c24100820fd890ff7fb0e6edb7b043c1d9adea0667c7912029293d723fea51fbaea6bb26d6e2170aed4c9d5ee6
- Filesize: 5.0MB
  MD5: 68ebfe26368a940eaef266d56903cb89
  SHA1: 4d6c23115cc5e1c80ca6c3fccf65d1caf49993c1
  SHA256: 54edfd8a8e37d3dc86818e62f3b5d1b78ec53f02a67942637dbf012a507f8e9a
  SHA512: 6a3a539d151695a952bec28a8c847b948259e04f6d89417cbb93b03fc3b1dcc40655cfa063c016f5afec10b60b14aef1f6331159ead268eab0e3e71cc7168041
- Filesize: 1.9MB
  MD5: 398ab69b1cdc624298fbc00526ea8aca
  SHA1: b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
  SHA256: ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
  SHA512: 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739
- Filesize: 1.9MB
  MD5: dc1426e7dd017041559c858755cc780d
  SHA1: 3a7422e0dfb734a55cbfddef2ab20ad1c20451d2
  SHA256: 740a8baa7a93d6a7e1f515318d8f77fbed0606534b6666186da3f5395177461c
  SHA512: 05a237a6c3ab06397da8bda1a2eeee4af0bda1ad5083864af6d9b0e1b3a94ba0040561db16acdd78f497166cfe835d7ea32d368f752f58cccd1db7f4241790e4
- Filesize: 1.8MB
  MD5: cc1d3fe7bb167fe18d8a40924e63dee9
  SHA1: 317495a3d8c1fa6c8424e416327b941e6bf7947f
  SHA256: b48ca9c104c7415f3041524b8261f66dd7914257f1ebf3d80386e69cc79177e3
  SHA512: e3057926ab3d8de6ffc8913c8de92bf1e5edaa16f4931c21b6180e70bfcda24f707cd1852fefb137d677cbba004d25905dfbba892226b1b4a7a1e45a12279d62
- Filesize: 2.0MB
  MD5: 9b1697d40dfd386fdd7e9327844f301a
  SHA1: e75defb119e2c7b7d3f75ab70a100ec504af5ebf
  SHA256: 69e7b08c127dde5fd1f85e1e8107d06aa686e94aef3fd48ff0bb092b38a0cb1d
  SHA512: 3e945bf24ed81fdc49e974d086a70f9758a17b8656bb0e460dca0be2a84fa0ba065b62b6dd5d55ca1dbe0b4f19ec4f164df84c115244f1cbfddd79611d013d69
- Filesize: 1.6MB
  MD5: 848b1147d8236710ac109f4d231f46d8
  SHA1: 9534ecb534f6eb327c160c203b57bb6b7e6b55ca
  SHA256: 791dcd000c5f65ddcf357898a806428d96e0c1a459797bcecea0314c529f7351
  SHA512: 624160e20eeca9644e14fd0b107fc12540a37502314187a26bf8b4d3f37c0afbf83bdd0c62ddea3d0cf9f84184cd2ad5407d491247315e0f047d0778aea6d823
- Filesize: 2.9MB
  MD5: 7d6ff218d036991e25d3e4addd1683a4
  SHA1: a550ffc5db9985efbf385454893e8247b3093c6f
  SHA256: bdee967eefcefe7aa09b0b306816701d2c5844bad81eb9c30018c4443803c03b
  SHA512: 73c926a58da46807a6da5ffcafdb06c4a067d427cb5276a5f9795eaf8c227104658019b5d047e2c3146e8bf9c92b925f5041de491ad48cbd8d68e77411175216
- Filesize: 554KB
  MD5: a1b5ee1b9649ab629a7ac257e2392f8d
  SHA1: dc1b14b6d57589440fb3021c9e06a3e3191968dc
  SHA256: 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
  SHA512: 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b
- Filesize: 512KB
  MD5: f2d9c4e85e5f9987c9762860e12fd804
  SHA1: 16350d9eae3690e40303f60dd508384b049a4150
  SHA256: f101090194e3e95bcca3cef9f25564a40c1dbb950729040ae03fef4a4db38315
  SHA512: 71eda687f46e774197fe7fa2d630765b7139104fab348308577bd4cf52adcc56e0ffbc442e7683577aa84a144cc7ec97c28c8f7b43b1dc1881f311fb760157a8
- Filesize: 1.7MB
  MD5: dc223f6ce4c1d7ff421701a415e1cc76
  SHA1: 2b5c193ad484287fd0a9897a06e4eb04dec6d2d7
  SHA256: e326bae5f103f52cbc175b84b986fb9c3e279b60d1941369a17d7666972f145b
  SHA512: a0edf6527131a567c81d3a5d09d4691c5099126f84bf97727afbf93f733ec4ff7dbba81b3fc44945e097df5e170eaa7088596afb6b4a076a42eccf047548b67e
- Filesize: 2.0MB
  MD5: 23996f5917e939a08a336ce049b1a842
  SHA1: 53b781cdee8a125c779959640a910a6f08908bd2
  SHA256: 16815e667fa4115c008ffb57771b63ab2b594b12fb34d631508bfbe4da376f4c
  SHA512: 28a67f92bffa4fd4915a279156138e48fb5addbcf30290b13aec29a2cbfd65796760370c134d7a214c0b1191088ab28efc52428074edc97ab004229452a26d3e
- Filesize: 176KB
  MD5: 0c3f7f76be32866fafcf1b1d26b831c3
  SHA1: d7bb7e9437e922de417ce9e9102d2ee6cba7e9e7
  SHA256: 454e17045a7dd1a6a36dc0a8dcf5dfeebcd0ea36436c94d793de80bd9f150fe2
  SHA512: a09084ab2dd088b85b2dbce2e4973c91a372898eda91419c1a79058a53742cced45d87b1c67b2e8c5528c333a2bf0e16d005edcdf33da40626c3c7b07933ad1d
- Filesize: 380KB
  MD5: 0564a9bf638169a89ccb3820a6b9a58e
  SHA1: 57373f3b58f7cc2b9ea1808bdabb600d580a9ceb
  SHA256: 9e4b0556f698c9bc9a07c07bf13d60908d31995e0bd73510d9dd690b20b11058
  SHA512: 36b81c374529a9ba5fcbc6fcfebf145c27a7c30916814d63612c04372556d47994a8091cdc5f78dab460bb5296466ce0b284659c8b01883f7960ab08a1631ea6
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
- Filesize: 206KB
  MD5: d0de3ce247b4ebb9b0778563f7bb3a47
  SHA1: 20259867152e73d0027da63f8c351c4e911690ca
  SHA256: de333c544b3def02e10b7a8d1c3677efbcbb010ecce2b601573dae1584b9cc1f
  SHA512: 3811fe4864c154ee020a6c158557e1d42e8ef954c836192acb19241343ad01a2c21e69960f4780b5e2404bf963de0e51cf01fe0ed2b012c8cbec95b36c21661d
- Filesize: 1.2MB
  MD5: c5e7334ac8b8e435fa5b16fe87a8a2a5
  SHA1: 4ad9b72f59400fcbb160433e274336a74639c644
  SHA256: 9d57dc99061507df3c7bd4081a650cd0dbac6c10c8954f6b17ae97380d939432
  SHA512: f4480e52d0aabdec94d2587acea030921085e2b3d7f2174aac65cf7cfe093a9ce17651303969372235558ff2469b4ba1f8edf736a02a9e75d2086785f8f90fb0
- Filesize: 1.7MB
  MD5: 5b87828ea000c7111084d8beed17175e
  SHA1: e8aa3848e39c449051702a333e608fafd2e5330f
  SHA256: 1a557fae2d39d06392f4bea760fb72c87f0959a7c3ac66865e36f316866f57d3
  SHA512: 56b0d0e5422b89a4659969f59570962dbb267fde913ed051fbedf3d66653c9c23d15c945a6ae8ce5570af010b3671eb0be085e8afb44c3088def9f423290f385
- Filesize: 1.6MB
  MD5: 06246d5f1675d0680bccaa82ae2b26fd
  SHA1: a73d03970a916cfcd6108e042149eadc54b940eb
  SHA256: c8a160c92eda31a919466f81f8828eaaa9091f1d66830376e33b32dde7178579
  SHA512: 57fa90a31f7f7e0cffc3b3e7f0dd23d240c1843cdf98da4e587efb8f0b9ab30649995a7dac4a2d57cac46a918f573402dab61d0d3d7fd89b474535ac8b644ad2
- Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 7011eee5aae307248e34b80d8c0f47a8
  SHA1: 5cc6e13e9a2673a30bd9547dac413b1586b57e5a
  SHA256: 090ec5cf802efbb5e8edc439f5a15d60572c341ae7ec5e03077a4781ebc69423
  SHA512: 6a1f0322e1bf3337298fd6ff1591ebb16d935db0708728be30d13951af77b135be15ed43c805f45ee5cb97b98e363c9630c0dd275460e4474480a1d5252c9664
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 6c9ba9f7fee02f83092260ba510a6bda
  SHA1: 062fb40a0d58e08c902f99b012636138547646c6
  SHA256: 01f801f795ad666ddb17faaf36a8a56617b0d797d36479cb9fd5c294e4a0d5dc
  SHA512: b0ee7230ff661da3f850b1371a040d9b14812bf4b67ecde0093ffccd834390258476b6249bc95289f503f772cfff046374d5558af8eb92986a43ec45210b9866
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: dc8c2451eaeb60693d67b7c6a4a824eb
  SHA1: e0f5db63b54afe530a858f50550f209ac5d0150b
  SHA256: d06799dc1f60cc359a72462c5332437c9381cbd07e4bb8fa61e1e752d09d7d0d
  SHA512: 50b195cfd819a1cdd4d9d5f8962bc466232e9359c51ddb4302c2696d377be9e75d32cb0ec99947cad68e460dacf6081374a612158cee5f55f263940a4e3bc1e0
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 31ee428f8ec83113c318a3159fd712a4
  SHA1: 19e4ec4235d44a45aa33fab528a9ae19afeab786
  SHA256: 3da6f96dfbd08c9c9903bc7cc6c356b06853140ded272cb44177a99b56121994
  SHA512: 7cc9999e4091398f537e499cd47e11cc2cac8d014255ae4e56b6ce80ac93177b2632836685c894a6f9a332269d4707953a8c34fb04bea0d7b86e3c9794b94f80
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: fcfb3e9117e6aabae05b38a8afd3943a
  SHA1: 2d2e95a76f11ba24fd0e88097c98e0a4dfcab0e4
  SHA256: 5c915dcf6c56622d43c79aabeb40ecae4e2544312907c367adaa632b1972f21c
  SHA512: 12a48a786a9cb3a5fb083e111706abe426500adf0492a9dbfebe1907e4524e1e3dc0cbb82d9036d1f3b5a1e70dcd0ee709f2e9c22b3e15e4ee6f9c143b226f5a
- Filesize: 4.1MB
  MD5: 0c7b8daa9b09bcdf947a020bf28c2f19
  SHA1: 738f89f4da5256d14fe11394cf79e42060a7e98b
  SHA256: ff0c709f06a8850794f2501c7dc9ce4ffc75f1ab3039218952cd87a067d3d3ff
  SHA512: b069ef6d30a5afafc4b4e2632cb4f9da65e58dcedb66706921d85a6be97a024c1e786ec51299ba52668a65fe948d499609aa2b4978fb20738dd0b643d84cbcf6