Analysis
max time kernel: 119s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-03-2024 02:11

Static task: static1
Behavioral task: behavioral1
    Sample: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
    Resource: win10v2004-20240226-en
General
Target: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Size: 161KB
MD5: fb8ddd837ad8b94f1faf0b4920ce7b2b
SHA1: c3bc51f18a1180be27c4ee0978aaa9e1295dbd4b
SHA256: 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee
SHA512: db218213ee139583f69b00ea7e33986857cbc73f0e549f996e0dc3b0b34282c838f874a65c13fa7e21adfb8d876ca6cef9421a19171c214b1ea98b1a99f1bc74
SSDEEP: 1536:IwYZ5gZyjech8y/nK/bobGPgeMWKQxljH3PBe/8YkfbM9Wzw1mE3SmJQENYmAzTa:YiZpyDz/WVPX/9CWz9xmJQMYmAzsX
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
extension: .wisz
offline_id: 4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url:
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures

DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
(none) | (none) | 1152 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | (none) | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7df1bef0-3408-4ac0-ae86-00253b231c8e\\C0C0.exe\" --AutoStart" | (none) | C0C0.exe
(none) | (none) | 468 | schtasks.exe

Detect ZGRat V1 1 IoCs
resource | yara_rule
behavioral2/files/0x000a0000000234d0-277.dat | family_zgrat_v1

Detected Djvu ransomware 9 IoCs
resource | yara_rule
behavioral2/memory/3092-17-0x0000000003C60000-0x0000000003D7B000-memory.dmp | family_djvu
behavioral2/memory/500-18-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/500-20-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/500-21-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/500-22-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/500-34-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2292-40-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2292-41-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/2292-43-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba payload 9 IoCs
resource | yara_rule
behavioral2/memory/2356-97-0x0000000004370000-0x0000000004C5B000-memory.dmp | family_glupteba
behavioral2/memory/2356-100-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba
behavioral2/memory/2356-126-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba
behavioral2/memory/464-157-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba
behavioral2/memory/2356-159-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba
behavioral2/memory/464-193-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba
behavioral2/memory/464-258-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba
behavioral2/memory/1692-316-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba
behavioral2/memory/1692-370-0x0000000000400000-0x00000000022EF000-memory.dmp | family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
Detects Windows executables referencing non-Windows User-Agents 8 IoCs
resource | yara_rule
behavioral2/memory/2356-100-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2356-126-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/464-157-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2356-159-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/464-193-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/464-258-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1692-316-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1692-370-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing a Discord URL observed in first-stage droppers 8 IoCs
resource | yara_rule
behavioral2/memory/2356-100-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2356-126-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/464-157-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/2356-159-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/464-193-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/464-258-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1692-316-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1692-370-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a GitHub gist 8 IoCs
resource | yara_rule
behavioral2/memory/2356-100-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2356-126-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/464-157-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2356-159-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/464-193-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/464-258-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1692-316-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1692-370-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Windows Defender 8 IoCs
resource | yara_rule
behavioral2/memory/2356-100-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2356-126-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/464-157-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/2356-159-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/464-193-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/464-258-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1692-316-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1692-370-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 8 IoCs
resource | yara_rule
behavioral2/memory/2356-100-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2356-126-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/464-157-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/2356-159-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/464-193-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/464-258-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1692-316-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1692-370-0x0000000000400000-0x00000000022EF000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

UPX dump on OEP (original entry point) 2 IoCs
resource | yara_rule
behavioral2/files/0x00070000000234e8-374.dat | UPX
behavioral2/memory/3488-380-0x0000000000400000-0x00000000008DF000-memory.dmp | UPX
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
1700 | netsh.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C0C0.exe

Deletes itself 1 IoCs
pid | Process
3464 | Process not Found

Executes dropped EXE 8 IoCs
pid | Process
3092 | C0C0.exe
500 | C0C0.exe
4020 | C0C0.exe
2292 | C0C0.exe
2928 | 88C4.exe
2356 | 973D.exe
2920 | A363.exe
464 | 973D.exe

Modifies file permissions 1 TTPs 1 IoCs
pid | Process
4304 | icacls.exe

resource | yara_rule
behavioral2/files/0x00070000000234e8-374.dat | upx
behavioral2/memory/3488-380-0x0000000000400000-0x00000000008DF000-memory.dmp | upx

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7df1bef0-3408-4ac0-ae86-00253b231c8e\\C0C0.exe\" --AutoStart" | C0C0.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
128 | api.2ip.ua
127 | api.2ip.ua

Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3092 set thread context of 500 | 3092 | C0C0.exe | 101
PID 4020 set thread context of 2292 | 4020 | C0C0.exe | 106

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 973D.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3028 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1628 | 2292 | WerFault.exe | 106

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
468 | schtasks.exe
1152 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | 973D.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | 973D.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | 973D.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
552 | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe (x2)
3464 | Process not Found (x62)

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
552 | 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeDebugPrivilege | 4920 | powershell.exe
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeDebugPrivilege | 2356 | 973D.exe
Token: SeImpersonatePrivilege | 2356 | 973D.exe
Token: SeDebugPrivilege | 1172 | powershell.exe
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeDebugPrivilege | 832 | powershell.exe
Token: SeShutdownPrivilege | 3464 | Process not Found
Token: SeCreatePagefilePrivilege | 3464 | Process not Found
Token: SeDebugPrivilege | 1356 | powershell.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3464 | Process not Found

Suspicious use of WriteProcessMemory 57 IoCs
description | pid | Process | procid_target
PID 3464 wrote to memory of 3092 | 3464 | Process not Found | 100 (x3)
PID 3092 wrote to memory of 500 | 3092 | C0C0.exe | 101 (x10)
PID 500 wrote to memory of 4304 | 500 | C0C0.exe | 102 (x3)
PID 500 wrote to memory of 4020 | 500 | C0C0.exe | 104 (x3)
PID 4020 wrote to memory of 2292 | 4020 | C0C0.exe | 106 (x10)
PID 3464 wrote to memory of 2928 | 3464 | Process not Found | 111 (x3)
PID 3464 wrote to memory of 464 | 3464 | Process not Found | 112 (x2)
PID 464 wrote to memory of 4492 | 464 | cmd.exe | 114 (x2)
PID 3464 wrote to memory of 2356 | 3464 | Process not Found | 115 (x3)
PID 3464 wrote to memory of 2920 | 3464 | Process not Found | 116 (x2)
PID 2356 wrote to memory of 4920 | 2356 | 973D.exe | 117 (x3)
PID 464 wrote to memory of 1172 | 464 | 973D.exe | 122 (x3)
PID 464 wrote to memory of 992 | 464 | 973D.exe | 124 (x2)
PID 992 wrote to memory of 1700 | 992 | cmd.exe | 126 (x2)
PID 464 wrote to memory of 832 | 464 | 973D.exe | 128 (x3)
PID 464 wrote to memory of 1356 | 464 | 973D.exe | 130 (x3)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(child processes are indented under their parent; signatures triggered by each process are listed beneath it)

C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe (PID 552)
    command line: "C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\C0C0.exe (PID 3092)
    command line: C:\Users\Admin\AppData\Local\Temp\C0C0.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\C0C0.exe (PID 500)
        command line: C:\Users\Admin\AppData\Local\Temp\C0C0.exe
        - DcRat
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\icacls.exe (PID 4304)
            command line: icacls "C:\Users\Admin\AppData\Local\7df1bef0-3408-4ac0-ae86-00253b231c8e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            - Modifies file permissions
        C:\Users\Admin\AppData\Local\Temp\C0C0.exe (PID 4020)
            command line: "C:\Users\Admin\AppData\Local\Temp\C0C0.exe" --Admin IsNotAutoStart IsNotTask
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\C0C0.exe (PID 2292)
                command line: "C:\Users\Admin\AppData\Local\Temp\C0C0.exe" --Admin IsNotAutoStart IsNotTask
                - Executes dropped EXE
                C:\Windows\SysWOW64\WerFault.exe (PID 1628)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 568
                    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3644)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292

C:\Users\Admin\AppData\Local\Temp\88C4.exe (PID 2928)
    command line: C:\Users\Admin\AppData\Local\Temp\88C4.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 464)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8C7E.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 4492)
        command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\973D.exe (PID 2356)
    command line: C:\Users\Admin\AppData\Local\Temp\973D.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4920)
        command line: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\973D.exe (PID 464)
        command line: "C:\Users\Admin\AppData\Local\Temp\973D.exe"
        - Executes dropped EXE
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1172)
            command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe (PID 992)
            command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\netsh.exe (PID 1700)
                command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 832)
            command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1356)
            command line: powershell -nologo -noprofile
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\rss\csrss.exe (PID 1692)
            command line: C:\Windows\rss\csrss.exe
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 436)
                command line: powershell -nologo -noprofile
            C:\Windows\SYSTEM32\schtasks.exe (PID 468)
                command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - DcRat
                - Creates scheduled task(s)
            C:\Windows\SYSTEM32\schtasks.exe (PID 2188)
                command line: schtasks /delete /tn ScheduledUpdate /f
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2656)
                command line: powershell -nologo -noprofile
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2976)
                command line: powershell -nologo -noprofile
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 2808)
                command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
PID:1152
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵PID:3488
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵PID:3372
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
PID:3028
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A363.exeC:\Users\Admin\AppData\Local\Temp\A363.exe1⤵
- Executes dropped EXE
PID:2920
-
C:\Users\Admin\AppData\Local\Temp\336F.exeC:\Users\Admin\AppData\Local\Temp\336F.exe1⤵PID:1480
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:2696
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)

Defense Evasion
  File and Directory Permissions Modification (1)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads