Analysis
max time kernel: 104s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-03-2024 02:22

Static task: static1

Behavioral task: behavioral1
  Sample: 6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe
  Resource: win10v2004-20240226-en
General
Target: 6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe
Size: 267KB
MD5: 469962a84b76a4e6c75f448a739230c3
SHA1: 7f75e106dc00e16d91dc22d98080c1c61a92186c
SHA256: 6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1
SHA512: 5b526017e690f7af60cc2d7e0451cad745358505a69fe48dbdfeb273e29d49c50cc53229dd406b17bfc9bf770c7a70fda70cf940bd268cfb9ad3a9606309f297
SSDEEP: 3072:D4mRMsbv3SmVddrgPPjGyBplg+sttlRUwsGSBjYgtvUt5pQQsI:nf7VddrgXjGyBpavYZPcJQQs
Malware Config

Extracted: smokeloader
  pub1

Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php

Extracted: djvu
  http://sajdfue.com/test1/get.php
  extension: .wisz
  offline_id: 4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
  payload_url:
    http://sdfjhuz.com/dl/build2.exe
    http://sajdfue.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

Extracted: lumma
  https://resergvearyinitiani.shop/api
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
Signatures

DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- pid 2148, process schtasks.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\511d0edb-adad-495f-abca-6c9fc2231945\\B66F.exe\" --AutoStart" (B66F.exe)
- pid 1132, process schtasks.exe
- pid 3532, process schtasks.exe

Detect ZGRat V1 3 IoCs
- behavioral2/files/0x00080000000234ca-190.dat (yara_rule: family_zgrat_v1)
- behavioral2/files/0x00080000000234ca-188.dat (yara_rule: family_zgrat_v1)
- behavioral2/memory/1656-192-0x0000000000210000-0x0000000000964000-memory.dmp (yara_rule: family_zgrat_v1)

Detected Djvu ransomware 9 IoCs
- behavioral2/memory/4996-18-0x0000000003C80000-0x0000000003D9B000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/312-19-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/312-21-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/312-22-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/312-23-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/312-35-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/3248-41-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/3248-42-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)
- behavioral2/memory/3248-44-0x0000000000400000-0x0000000000537000-memory.dmp (yara_rule: family_djvu)

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba payload 9 IoCs
- behavioral2/memory/1512-99-0x00000000044C0000-0x0000000004DAB000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/1512-100-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/1512-125-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/3744-156-0x0000000004530000-0x0000000004E1B000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/3744-157-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/1512-158-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/3744-202-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/3744-265-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: family_glupteba)
- behavioral2/memory/4552-332-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: family_glupteba)

SmokeLoader
Modular backdoor trojan in use since 2014.
Detects Windows executables referencing non-Windows User-Agents 7 IoCs
- behavioral2/memory/1512-100-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA)
- behavioral2/memory/1512-125-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA)
- behavioral2/memory/3744-157-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA)
- behavioral2/memory/1512-158-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA)
- behavioral2/memory/3744-202-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA)
- behavioral2/memory/3744-265-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA)
- behavioral2/memory/4552-332-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA)

Detects executables Discord URL observed in first stage droppers 7 IoCs
- behavioral2/memory/1512-100-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_DiscordURL)
- behavioral2/memory/1512-125-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_DiscordURL)
- behavioral2/memory/3744-157-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_DiscordURL)
- behavioral2/memory/1512-158-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_DiscordURL)
- behavioral2/memory/3744-202-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_DiscordURL)
- behavioral2/memory/3744-265-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_DiscordURL)
- behavioral2/memory/4552-332-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_DiscordURL)

Detects executables containing URLs to raw contents of a Github gist 7 IoCs
- behavioral2/memory/1512-100-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL)
- behavioral2/memory/1512-125-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL)
- behavioral2/memory/3744-157-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL)
- behavioral2/memory/1512-158-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL)
- behavioral2/memory/3744-202-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL)
- behavioral2/memory/3744-265-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL)
- behavioral2/memory/4552-332-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL)

Detects executables containing artifacts associated with disabling Windows Defender 7 IoCs
- behavioral2/memory/1512-100-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender)
- behavioral2/memory/1512-125-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender)
- behavioral2/memory/3744-157-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender)
- behavioral2/memory/1512-158-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender)
- behavioral2/memory/3744-202-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender)
- behavioral2/memory/3744-265-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender)
- behavioral2/memory/4552-332-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender)

Detects executables referencing many varying, potentially fake Windows User-Agents 7 IoCs
- behavioral2/memory/1512-100-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA)
- behavioral2/memory/1512-125-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA)
- behavioral2/memory/3744-157-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA)
- behavioral2/memory/1512-158-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA)
- behavioral2/memory/3744-202-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA)
- behavioral2/memory/3744-265-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA)
- behavioral2/memory/4552-332-0x0000000000400000-0x00000000022EF000-memory.dmp (yara_rule: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA)

UPX dump on OEP (original entry point) 1 IoCs
- behavioral2/files/0x000800000002321c-460.dat (yara_rule: UPX)
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
- pid 1540, process netsh.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation (B66F.exe)

Deletes itself 1 IoCs
- pid 3472, process Process not Found

Executes dropped EXE 10 IoCs
- pid 4996, process B66F.exe
- pid 312, process B66F.exe
- pid 1900, process B66F.exe
- pid 3248, process B66F.exe
- pid 400, process 1B44.exe
- pid 1512, process 27F8.exe
- pid 5096, process 33F0.exe
- pid 3744, process 27F8.exe
- pid 1656, process 806B.exe
- pid 4552, process csrss.exe

Modifies file permissions 1 TTPs 1 IoCs
- pid 3744, process icacls.exe

- behavioral2/files/0x000800000002321c-460.dat (yara_rule: upx)

Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\511d0edb-adad-495f-abca-6c9fc2231945\\B66F.exe\" --AutoStart" (B66F.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (27F8.exe)

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 137: api.2ip.ua
- flow 139: api.2ip.ua

Drops file in System32 directory 6 IoCs
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (powershell.exe)

Suspicious use of SetThreadContext 2 IoCs
- PID 4996 set thread context of 312 (pid 4996, process B66F.exe, procid_target 102)
- PID 1900 set thread context of 3248 (pid 1900, process B66F.exe, procid_target 107)

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- File opened (read-only): \??\VBoxMiniRdrDN (27F8.exe)

Drops file in Windows directory 2 IoCs
- File opened for modification: C:\Windows\rss (27F8.exe)
- File created: C:\Windows\rss\csrss.exe (27F8.exe)

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
- pid 804, process sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 3 IoCs
- pid 1156, pid_target 3248, process WerFault.exe, procid_target 107
- pid 3288, pid_target 3000, process WerFault.exe, procid_target 148
- pid 4140, pid_target 3000, process WerFault.exe, procid_target 148

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe)

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 1132, process schtasks.exe
- pid 3532, process schtasks.exe
- pid 2148, process schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
- pid 1656, process tasklist.exe
- pid 4572, process tasklist.exe
Modifies data under HKEY_USERS 64 IoCs
Runs ping.exe 1 TTPs 1 IoCs
- pid 2056, process PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: MapViewOfSection 1 IoCs
- pid 3716, process 6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe
Suspicious use of AdjustPrivilegeToken 31 IoCs
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeDebugPrivilege (pid 4040, powershell.exe)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeDebugPrivilege (pid 1512, 27F8.exe)
- Token: SeImpersonatePrivilege (pid 1512, 27F8.exe)
- Token: SeDebugPrivilege (pid 1280, powershell.exe)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeDebugPrivilege (pid 1908, powershell.exe)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeDebugPrivilege (pid 3392, powershell.exe)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeDebugPrivilege (pid 5020, powershell.exe)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeDebugPrivilege (pid 2124, powershell.exe)
- Token: SeShutdownPrivilege (pid 3472, Process not Found)
- Token: SeCreatePagefilePrivilege (pid 3472, Process not Found)
- Token: SeDebugPrivilege (pid 4284, powershell.exe)
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe"C:\Users\Admin\AppData\Local\Temp\6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3716
-
C:\Users\Admin\AppData\Local\Temp\B66F.exeC:\Users\Admin\AppData\Local\Temp\B66F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\B66F.exeC:\Users\Admin\AppData\Local\Temp\B66F.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\511d0edb-adad-495f-abca-6c9fc2231945" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:3744
-
-
C:\Users\Admin\AppData\Local\Temp\B66F.exe"C:\Users\Admin\AppData\Local\Temp\B66F.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\B66F.exe"C:\Users\Admin\AppData\Local\Temp\B66F.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 5685⤵
- Program crash
PID:1156
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 32481⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\1B44.exe
    Command: C:\Users\Admin\AppData\Local\Temp\1B44.exe
    - Executes dropped EXE
    PID:400
C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1F0E.bat" "
    - Suspicious use of WriteProcessMemory
    PID:1848
    C:\Windows\system32\reg.exe
        Command: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        PID:1564
C:\Users\Admin\AppData\Local\Temp\27F8.exe
    Command: C:\Users\Admin\AppData\Local\Temp\27F8.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1512
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken
        PID:4040
    C:\Users\Admin\AppData\Local\Temp\27F8.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\27F8.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID:3744
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            PID:1280
        C:\Windows\system32\cmd.exe
            Command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            - Suspicious use of WriteProcessMemory
            PID:4992
            C:\Windows\system32\netsh.exe
                Command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                - Modifies Windows Firewall
                PID:1540
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            PID:1908
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken
            PID:3392
        C:\Windows\rss\csrss.exe
            Command: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID:4552
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
                - Suspicious use of AdjustPrivilegeToken
                PID:5020
            C:\Windows\SYSTEM32\schtasks.exe
                Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - DcRat
                - Creates scheduled task(s)
                PID:1132
            C:\Windows\SYSTEM32\schtasks.exe
                Command: schtasks /delete /tn ScheduledUpdate /f
                PID:1220
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command: powershell -nologo -noprofile
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
                - Suspicious use of AdjustPrivilegeToken
                PID:2124
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command: powershell -nologo -noprofile
                - Modifies data under HKEY_USERS
                - Suspicious use of AdjustPrivilegeToken
                PID:4284
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                PID:232
            C:\Windows\SYSTEM32\schtasks.exe
                Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                - DcRat
                - Creates scheduled task(s)
                PID:3532
            C:\Windows\windefender.exe
                Command: "C:\Windows\windefender.exe"
                PID:1456
                C:\Windows\SysWOW64\cmd.exe
                    Command: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    PID:4832
                    C:\Windows\SysWOW64\sc.exe
                        Command: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWR PWPDTLOCRSDRCWDWO;;;WD)
                        - Launches sc.exe
                        PID:804
C:\Users\Admin\AppData\Local\Temp\33F0.exe
    Command: C:\Users\Admin\AppData\Local\Temp\33F0.exe
    - Executes dropped EXE
    PID:5096
C:\Users\Admin\AppData\Local\Temp\806B.exe
    Command: C:\Users\Admin\AppData\Local\Temp\806B.exe
    - Executes dropped EXE
    PID:1656
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        PID:3000
        C:\Windows\SysWOW64\WerFault.exe
            Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 428
            - Program crash
            PID:3288
        C:\Windows\SysWOW64\WerFault.exe
            Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 432
            - Program crash
            PID:4140
C:\Windows\SysWOW64\dialer.exe
    Command: "C:\Windows\system32\dialer.exe"
    PID:2552
C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3000 -ip 3000
    PID:4572
C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3000 -ip 3000
    PID:2880
C:\Users\Admin\AppData\Local\Temp\6F2.exe
    Command: C:\Users\Admin\AppData\Local\Temp\6F2.exe
    PID:628
    C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit
        PID:3964
        C:\Windows\SysWOW64\tasklist.exe
            Command: tasklist
            - Enumerates processes with tasklist
            PID:1656
        C:\Windows\SysWOW64\findstr.exe
            Command: findstr /I "wrsa.exe opssvc.exe"
            PID:1868
        C:\Windows\SysWOW64\tasklist.exe
            Command: tasklist
            - Enumerates processes with tasklist
            PID:4572
        C:\Windows\SysWOW64\findstr.exe
            Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
            PID:3736
        C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c md 11283
            PID:320
        C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 11283\Http.pif
            PID:4604
        C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 11283\F
            PID:1476
        C:\Users\Admin\AppData\Local\Temp\11283\Http.pif
            Command: 11283\Http.pif 11283\F
            PID:3228
        C:\Windows\SysWOW64\PING.EXE
            Command: ping -n 5 127.0.0.1
            - Runs ping.exe
            PID:2056
C:\Windows\windefender.exe
    Command: C:\Windows\windefender.exe
    PID:4268
C:\Windows\SYSTEM32\cmd.exe
    Command: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit
    PID:2944
C:\Windows\SYSTEM32\cmd.exe
    Command: cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
    PID:4892
    C:\Windows\system32\schtasks.exe
        Command: schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
        - DcRat
        - Creates scheduled task(s)
        PID:2148
C:\Windows\system32\backgroundTaskHost.exe
    Command: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID:4284
C:\Users\Admin\AppData\Local\Temp\11283\Http.pif
    Command: C:\Users\Admin\AppData\Local\Temp\11283\Http.pif
    PID:1152
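The `sc sdset WinDefender ...` command in the 27F8.exe tree above replaces the security descriptor of the service the sample names WinDefender. Read as SDDL, the DACL keeps SYSTEM's stock rights but rewrites the Administrators entry: the ALLOW ACE no longer carries WP (SERVICE_STOP) or DT (SERVICE_PAUSE_CONTINUE), and a separate DENY ACE, `(D;;WPDT;;;BA)`, refuses exactly those two, so `sc stop` or `net stop` from an elevated shell fails with access denied. Two things survive the rewrite that matter for cleanup: SYSTEM can still stop the service, and Administrators still hold WD (WRITE_DAC) and DC (SERVICE_CHANGE_CONFIG), so the lock can be reversed with another `sc sdset` once the binary is removed. The Python below is an added example for this page, not sandbox or sample code: it parses the SDDL, diffs it against the descriptor a stock service returns from `sc sdshow` (DEFAULT_SERVICE_SDDL, an assumption of the example rather than something the report states), and simulates the ordered DACL walk Windows performs for one principal.

```python
"""Decode the SDDL that `sc sdset WinDefender ...` installs in the process
tree above. Added example for this page, not sandbox or sample code.
DEFAULT_SERVICE_SDDL is what `sc sdshow` returns for a typical stock
service; it is an assumption of this example, not something the report
states."""
import re

RIGHTS = {  # service-specific and standard rights as they appear in SDDL
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "IU": "INTERACTIVE",
            "SU": "SERVICE", "WD": "Everyone", "AU": "Authenticated Users"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# Descriptor from the sc sdset command line in the tree above.
OBSERVED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed stock descriptor: same as above, but Administrators keep WP and DT
# and there is no DENY ACE.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_ace(body):
    """'A;;CCLC;;;SY' -> dict; rights are kept as their two-letter codes."""
    ace_type, flags, rights, _obj, _inherit, trustee = body.split(";")[:6]
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "rights": codes, "trustee": TRUSTEES.get(trustee, trustee)}

def parse_sddl(sddl):
    """Split 'D:(...)(...)S:(...)' into DACL and SACL ACE lists."""
    out = {"dacl": [], "sacl": []}
    for prefix, key in (("D:", "dacl"), ("S:", "sacl")):
        m = re.search(re.escape(prefix) + r"((?:\([^)]*\))+)", sddl)
        if m:
            out[key] = [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", m.group(1))]
    return out

def access_check(sddl, trustee, requested):
    """Walk the DACL in order the way Windows does for one principal: a DENY
    that covers any still-outstanding right fails the check, ALLOW ACEs
    accumulate, and the check passes once every requested right is granted.
    Group expansion is deliberately omitted (only the literal trustee and
    Everyone match), which is enough for service DACLs like the one above."""
    name = TRUSTEES.get(trustee, trustee)
    outstanding = set(requested)
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] not in (name, "Everyone"):
            continue
        if ace["type"] == "DENY" and outstanding & set(ace["rights"]):
            return False
        if ace["type"] == "ALLOW":
            outstanding -= set(ace["rights"])
            if not outstanding:
                return True
    return not outstanding

def denied_rights(sddl, trustee):
    """Names of the rights the DACL explicitly denies to a principal."""
    name = TRUSTEES.get(trustee, trustee)
    return sorted(RIGHTS.get(r, r) for ace in parse_sddl(sddl)["dacl"]
                  if ace["type"] == "DENY" and ace["trustee"] == name
                  for r in ace["rights"])

def diff_against_default(sddl, default=DEFAULT_SERVICE_SDDL):
    """Rights each trustee's ALLOW ACEs lost relative to the stock descriptor."""
    def allowed(s):
        out = {}
        for ace in parse_sddl(s)["dacl"]:
            if ace["type"] == "ALLOW":
                out.setdefault(ace["trustee"], set()).update(ace["rights"])
        return out
    before, after = allowed(default), allowed(sddl)
    return {t: sorted(RIGHTS.get(r, r) for r in before[t] - after.get(t, set()))
            for t in before if before[t] - after.get(t, set())}

if __name__ == "__main__":
    for ace in parse_sddl(OBSERVED_SDDL)["dacl"]:
        print(ace["type"], ace["trustee"], [RIGHTS.get(r, r) for r in ace["rights"]])
    print("Administrators may stop:", access_check(OBSERVED_SDDL, "BA", {"WP"}))
    print("Stripped vs default:", diff_against_default(OBSERVED_SDDL))
```

`access_check` mirrors the ordering rule rather than a simple set difference on purpose: an ALLOW ACE that appears before a DENY for the same principal would win in Windows, and a descriptor in that non-canonical order is itself worth flagging. On a live host the same decode applies to the output of `sc sdshow <service>` for any service whose DACL an administrator cannot explain.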
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
    Windows Service (1)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
    Windows Service (1)
Scheduled Task/Job (1)
Defense Evasion
File and Directory Permissions Modification (1)
Impair Defenses (1)
    Disable or Modify System Firewall (1)
Modify Registry (1)
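The Task Scheduler signature note and the command lines in the process tree above (the icacls deny on a freshly created AppData directory, the inbound firewall allow rule and the ONLOGON/HIGHEST task for C:\Windows\rss\csrss.exe, the sc sdset call, the Startup-folder .url and the every-three-minutes wscript task) are what the ATT&CK rows just listed are counting. The Python below is an added example for this page, not sandbox or sample code: it parses each command line with Windows quoting rules, unwraps cmd.exe /C wrappers, and returns (tag, detail) findings. The OBSERVED list is copied from the tree above; the trusted-directory and masquerade name lists are this example's own assumptions, tuned to this report rather than offered as a general-purpose detector.

```python
"""Triage the persistence and defense-evasion command lines from the process
tree above. Added example, not code from the sandbox or the sample; the
directory and name lists below are this example's own assumptions."""
import re
import shlex

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
TRUSTED_ROOTS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\program files")
# Genuine Windows binary names that droppers reuse for look-alike files.
MASQUERADE_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                    "services.exe", "smss.exe", "explorer.exe"}
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe", "mshta",
                "mshta.exe", "powershell", "powershell.exe"}
WIN_PATH = re.compile(r"[A-Za-z]:\\[^'\"]+")

# Command lines copied verbatim from the process tree above.
OBSERVED = [
    r'icacls "C:\Users\Admin\AppData\Local\511d0edb-adad-495f-abca-6c9fc2231945" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit',
    r"""cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F""",
]

def unwrap_cmd(cmd):
    """Strip a 'cmd.exe /C "..."' wrapper so the inner command gets parsed."""
    m = re.match(r'^"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+"?(.*?)"?$', cmd, re.I)
    return m.group(1) if m else cmd

def argv(cmd):
    """Windows-style split: quotes group words, backslashes stay literal."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]

def base(p):
    return p.rsplit("\\", 1)[-1].lower()

def dirname(p):
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""

def switches(args):
    """['/SC', 'ONLOGON', '/F'] -> {'SC': 'ONLOGON', 'F': None}."""
    out, i = {}, 0
    while i < len(args):
        if args[i].startswith("/"):
            val = args[i + 1] if i + 1 < len(args) and not args[i + 1].startswith("/") else None
            out[args[i][1:].upper()] = val
            i += 1 if val is not None else 0
        i += 1
    return out

def path_findings(path):
    """Location checks shared by the task, firewall and service rules."""
    d, b, low, out = dirname(path), base(path), path.lower(), []
    if b in MASQUERADE_NAMES and d not in SYSTEM_DIRS:
        out.append(("masquerade", path))
    if d == "c:\\windows":
        out.append(("windows-root", path))
    if "\\appdata\\" in low:
        out.append(("user-profile", path))
    elif not low.startswith(TRUSTED_ROOTS):
        out.append(("untrusted-dir", path))
    return out

def triage(cmd):
    """Return (tag, detail) findings for one command line."""
    a = argv(unwrap_cmd(cmd))
    tool, rest, out = base(a[0]), a[1:], []
    low = [t.lower() for t in rest]
    sw = switches(rest) if tool in ("schtasks", "schtasks.exe") else {}
    if "CREATE" in sw:
        tr = sw.get("TR") or ""
        m = WIN_PATH.search(tr)                      # first path inside /TR
        if (sw.get("RL") or "").upper() == "HIGHEST":
            out.append(("elevated-task", sw.get("TN")))
        if (sw.get("SC") or "").upper() == "ONLOGON":
            out.append(("logon-task", sw.get("TN")))
        if (sw.get("SC") or "").upper() == "MINUTE":
            out.append(("interval-task", f"{sw.get('TN')} every {sw.get('MO')} min"))
        if base(tr.split(" ", 1)[0]) in SCRIPT_HOSTS:  # action is a script host
            out.append(("script-host", tr))
        out += path_findings(m.group(0).strip() if m else tr)
    elif tool in ("netsh", "netsh.exe") and "add" in low:
        kv = {k.lower(): v.strip('"') for k, v in (t.split("=", 1) for t in rest if "=" in t)}
        if kv.get("action") == "allow" and kv.get("program"):
            out.append(("firewall-allow", f"{kv.get('dir')} -> {kv['program']}"))
            out += path_findings(kv["program"])
    elif tool in ("icacls", "icacls.exe") and "/deny" in low:
        trustee, perms = rest[low.index("/deny") + 1].split(":", 1)
        rights = set(",".join(re.findall(r"\(([A-Z,]+)\)", perms)).split(","))
        if trustee in ("*S-1-1-0", "Everyone") and rights & {"DE", "DC"}:
            out.append(("deny-everyone-delete", rest[0]))
    elif tool in ("sc", "sc.exe") and low[:1] == ["sdset"]:
        out.append(("service-sddl", rest[1]))
    for p in WIN_PATH.findall(cmd):                  # Startup-folder writes by any tool
        hit = ("startup-folder", p.strip())
        if "\\start menu\\programs\\startup\\" in p.lower() and hit not in out:
            out.append(hit)
    return out

if __name__ == "__main__":
    for cmd in OBSERVED:
        print(cmd[:72])
        for tag, detail in triage(cmd):
            print(f"    [{tag}] {detail}")
```

The icacls rule is the one to read carefully: `*S-1-1-0` is Everyone, `(OI)(CI)` inherits the entry to every file and subfolder, and `(DE,DC)` denies delete and delete-child, so the directory the sample just created cannot be removed by any user account until the ACE is stripped (for example with `icacls <dir> /remove:d *S-1-1-0`). Feeding `schtasks /query /xml`, `netsh advfirewall firewall show rule name=all` or Sysmon event 1 command lines into `triage` is the obvious next step; the tags are deliberately coarse so they can be joined against the ATT&CK rows above.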
Downloads
-
Filesize
6.7MB
MD574cf066c5c492eb825b36550b1e38326
SHA18f211213fbd6905b5e44bf2af07e481832198a7f
SHA25624201da166b3e59a7a2b79f24881222c41e35f26642dd757fcc51ec47c9404e4
SHA51224ad3ebb70332741959b13be504ec2b3baee9668bb3a8e8ae314432ac2e084ad11c03f4abfba6f7557273cddb1b3d2e2361c71246f3fd7fccabae218dd8b2e91
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
4.1MB
MD51047d7617f162d488920965b0a8b876c
SHA1059afd73ca2f9b7c358979a6f1cc99c5424281a2
SHA25658b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c
SHA512698483dca1f3dc3a3056b041a7c70e1609d86dcc4dc9751b04a67810be19c999235372d1a07d5806459f51d513deab91524c6fccd83b554afc331914690b74ac
-
Filesize
5.8MB
MD5f5f878c6b950669b6a550a6dfe7ac587
SHA1fd2254719e1131251e0b7df5098e41300da0c25e
SHA2569eaf442063396e9a7bceabeb977a8f3316f303bec6881598089e92424c1cee36
SHA5128aa4793cd60a96499c6f9335a299e181a767183dabf3f6b9371a9d8b6bde52886b9b557bd66e0cc5e9ca2d9d1f6e1ca7c878f3dbfb87f3f88a695e1ff9516ebd
-
Filesize
5.5MB
MD58550a2827ea5838ec8df7ff6fd10e6ce
SHA1c8ce1f265d516f063f7db92e341a59a4568cc484
SHA25602147ca0fdeec2804183385003397b5b10145d2027327a3b928acc0d2c00d527
SHA512d1d6b8ce2411a8c5191bfb948bbfe455846fa2e6357bd5c7aeb78722776abc6ae529b4701439d1389b9de51b6ba00e8bba0fe39f17f39e423563b463bd61b9c9
-
Filesize
6.3MB
MD57769e93085751e0b35729827dc22e8d5
SHA11d20bac0f5e0e8e28d466834463463cc911a5baa
SHA2568dd36a9b8a11b166aab0584253115650ec392591e7958c0cba3f1adef483f402
SHA512b3b658440f973b7e913681e645b21aa6c102fb4d43480f5e9952f756bfd42288bf2e56a4fef02929994d09cf82c857a7772eb1b6703ab69f924383a2ecdbe56c
-
Filesize
6.1MB
MD55afd5f8e4624cae06458239824bad1e3
SHA1dbb248d1913d293b3ba7f12bc6b2061dd8b793ad
SHA25648ae83cd9f12b756d7e9379d93fd1a3e9f6c101878a53feba6772289f2e4ee80
SHA512a802ea949da4976658a16ed013c364a7d072916cbc097c36dac56cb605341cb7912c7713354673856e4964dfe44a2e9dbd2eed8562e97aa60599562435a5b3d4
-
Filesize
6.2MB
MD582cb18188701699f7fdc25568206741b
SHA1891bc94fe7452d67e5d5a7f5a0f4ed30810eb943
SHA256ae298d771093801978eda259817e71905ae295b411e7e1acec5cc327afa3ce0c
SHA5129bb1293cdfdec7045c0a122698ff3a45417db0245046c91d6204471084dc91fe7e230e73193513cd6cc97beccc244516580eccbee3a4a97382d88315db0e6d6d
-
Filesize
254KB
MD513fd06533f068d719a2b9f300096ca41
SHA1f054659e3fb8516b759b8f819d12acb9c173ab6a
SHA256b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9
SHA512f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422
-
Filesize
280KB
MD5a02c222cf530ee003a3893c4c78770c2
SHA1bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3
SHA256192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5
SHA5121225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368
-
Filesize
709KB
MD5b4496d2224777403415440dfe5f13a86
SHA15c175589db78cce01a9730eb85e2898bdafe2a5a
SHA256d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548
SHA5120bc9d8844df1fc09815b6226186f095dfe2630b0070999a840a07e458b104d03b2fbb969a56e6d62756fc11e7eecc9d25c3cc4a9a2b7d58ba1d9de1cc60d9158
-
Filesize
276KB
MD59324e493902fe2c6ffcf04f088c34e08
SHA1866c7b4c73f99f673dd3f2035e34d843c262f256
SHA2566f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222
SHA512c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0
-
Filesize
279KB
MD5c3a1a56b238bd452b6b59169cc99ec03
SHA188a35ade6f7f14e2df8d731317afc72612074a51
SHA256a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f
SHA512163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525
-
Filesize
276KB
MD5d34ef2c6ce15a8747df5431a864f0613
SHA1fe62b64f13b149525066fe73f227df044255cddb
SHA256879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9
SHA5120e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24
-
Filesize
209KB
MD5ba823d75b6712149e7241d1c2f6695ef
SHA19f351074e85afc8254aaa5df0561377c8b68874c
SHA2567d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377
SHA512563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167
-
Filesize
283KB
MD5c8599aa35a19083f6c5f80151f55315c
SHA13e315507bc934d0ebdf68328b5d60e7fcab41a3b
SHA256339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f
SHA512dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1
-
Filesize
197KB
MD53e929f7b28251914c43d3435f2f437dd
SHA19564974824f4fe1b9b6bdc5bd1e1065fc11678bc
SHA256e870073c8d6fe150149ec7d7fba4e948f7efca3ed51c86fe81a86a60f7e906ad
SHA51241919c496f7989fd7ae2c3d3b122ee69ec3c2f4c89bea0247f6b19b3d8b78fa4264b8733efc707cd98d25f68a15937e644f31eff36068035b0c94a790efd8478
-
Filesize
248KB
MD5309a79e7ee30ead5653c0e33c937bf20
SHA1808165ca516179e0749cd74b57ebf2ec92e77a9e
SHA256a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233
SHA5120bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8
-
Filesize
250KB
MD599667047563ffb1f92319045c1fa496f
SHA19eba1534190dac88d7231e00cf2372477479a262
SHA2563f6dfc93ffd2c876839d824993a4234df1d16a3f0b5d284c66e32bc2264867ea
SHA512e8d39f341df2decde92d2bf7066de6ccf3b3b2d6c4e57d353a60ee409fb7d54444d55e8c02a266da4ec94e719e149685120c72c6db7c35e863cef7f1f844c9d9
-
Filesize
243KB
MD571afb2f733859a29cfcf25e58625284c
SHA1248df6b7026fd2771dd65ed3b542ca0185dbb6dc
SHA256d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120
SHA512047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af
-
Filesize
245KB
MD5b153dbfec41fa6a8b005978bc571befe
SHA19752d98549edff58b4c0ede5a654832c22f97d38
SHA256f59cbe377d6d4df992d6caaa0ccbbe7a5506741c9e63a716a0284cb2ae720814
SHA512eef43707eb9b7e047a8c8307ffac9ce4b1eb0383186280b9112eb278e4fb97c339e14cbbb334eaf9e13719280978a12c7d8d3615e8ab25e176530836799c002a
-
Filesize
255KB
MD5265344b2c8ca35ae60227ff6639481f5
SHA149bf4e7aab05a697409a4cc8f04c5b2ed1e78e79
SHA256349c58fc4a15001ff0875d2a9f797d536045804c99350e0f43203ade07c41b59
SHA5122248bd383433d3dd541eb74f3e2404f83e1f379b11d9e7de9bf6903460cfba9b1955d089439883126ce6c08a67a3e12beb63126a74a1a86dc461ca8f232f442d
-
Filesize
239KB
MD5cd17d8568d3cb4f7a115c0c9657aa3c1
SHA1389429708df886ee004b3d4c54cbb9a2e089859e
SHA256ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d
SHA512005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33
-
Filesize
15KB
MD5e121db542d18a526f078c32fd2583af5
SHA169e677442ccb6d6fe1d2a3029cf44aac473f5f55
SHA256fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2
SHA5129d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe
-
Filesize
124KB
MD5dbb02def36f898899c81dbe071eaaf75
SHA1ddd36cf26cffd70cdca8ffa36fc13097c56092c3
SHA256431dfb2a32ca2bdc4f43a7d35521abceab83b069f7a63845e1eccc03133cc1ea
SHA512115536f35f7e99919fd44742199aeebd17979e84bc8f531bbfd019f7641a838bbc8011b8df046563f16df269f6c5c8c7ab900db6f7918026fbe2366b4a88d3a1
-
Filesize
231KB
MD5af66ed102029338945a5ae7af6e68867
SHA12a590d37a9e25203f41fe28be7b3702bdac34e28
SHA2564f5603c2539d330e9576ab577fe08cd58e6a191620e962c570af439ec4808c6b
SHA51283d5afa258752706ce85f5e57a59e04e0c8e2e856eb12d4e419237eaf2669bf1ffbd1ab87eabc34e0e7c3e4584a4288aa39285cfbfd398d04f8bd2248cf27609
-
Filesize
247KB
MD5d2635aadbd169174c362c0052a33e396
SHA1601bf240df1f218670acda168020ba7736cf821c
SHA256de7612db6d35cfd9670d56dfd6497802bbcda88c787e6b83b1438df598bd9e96
SHA5120cdfb4d1560a01a6c5c1406ee7f2ac27229756a7bc35865a3437e05443b9e6eb9ed18c04131268d190c33d03a05c7190381be828c1208ecd0819bade943d2a58
-
Filesize
273KB
MD54c5c9f5368402dd77d8f8e0c31951625
SHA1719e5a648399121cf1402d36734631f95c723d18
SHA256d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7
SHA5121077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba
-
Filesize
206KB
MD59c5c2a336e6c94e60e8ca1a981235806
SHA1887ed6cee2cc4b3da3acceb5b0553b24ec0e6617
SHA2567726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070
SHA5121aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb
-
Filesize
220KB
MD5d9bd01e58c378e5a43b47b93ccf11b30
SHA14f57381303c5cb2d6f0012d190ce11d696efde77
SHA256df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a
SHA5124ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755
-
Filesize
296KB
MD55e136f53a54f61eeb099c76021dba233
SHA11b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3
SHA256ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041
SHA512493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8
-
Filesize
223KB
MD50c851a1587662cb3c4b3f4e79b9d40e4
SHA1405bcebd4ebefa55e2e51fd9a5f9a468f25020e5
SHA256869aadd31861f94ebedb8c7601f310b4c87091c950040cb56115e83801955e26
SHA512c9fa7643f8c0dda69eea577dcb3868f20f22c68f49e9726f2bd1cb9f4b134a31ea5d5fead51577ba29f795de394549396dff55432df232baba40f025ac2593c8
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
248KB
MD5547c335ac69f9da2f963745762672f44
SHA1f9d6f6c943b91988020176a827f592f8f46f2670
SHA2568a7e8e502a6041ccac7c06b222cabc9e7aa39523a1c5edc33097e5506b6ad3cc
SHA5121a1561b11224c74dbe791ee12c67e74ecbb8f8d63720a392ea1f6c9f0b448ff226ae920253e6a00023db74963c83605c82822722b1cc3c2ed8bf6862b22f497c
-
Filesize
187KB
MD5decffdc214d187300d81458730076975
SHA10d26a032a42e2b1d6cce51c88262fb99d5d85045
SHA25681c7087173132ecbecf5d04a7eefc5074d0d2fb54b46f48416f6a2e211a4e927
SHA512615dcffeeaeaebe4d83aa5e8e31e7c48c2ef6ba60890ba92f09ba0b482e1b163e778c46134ed032ccaf1a0c77bfcd9b9391c7b0528b7e3a1274db0bbf4249c76
-
Filesize
241KB
MD57aaaa1a6965448912a128a631bbd06be
SHA1d3917e8d8780c9296c6bba2066a3fccd08e04253
SHA256f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85
SHA51202f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52
-
Filesize
270KB
MD59aa3fa871956c05e6c502841714a3ca3
SHA1fe9b5580fd142b32ee94342e5403ff9454517f9e
SHA256fdd3ef368438e0267bb64c89cee31fd6d4cd4207030ff12c14849ae3eb97ea32
SHA51270046f0cd491c13d73a17969a325000c1daa303ee7c7b30fb56cee784002c9d309ff6aad2d9df30b9b80b3f257303a678a01050e24bf6ca92c563a27f0302873
-
Filesize
268KB
MD59ac55fb2a8700521a9fc03c830483b45
SHA107d4aefbc148a0f3af2543f9dc9e07f0a1e9ebb6
SHA256964d3d31f56f7147c8b25f0d26223808aaddc704d13749e282be5e75330c66e1
SHA512ae2b430466ffb8fc4a9e943d514e812cb4f3d4db6260575c36ea5141ea9e0c28d5a92b2a2e85eb96757f87e2efe7412bb3ca5208c55373ce51f608321f0f2505
-
Filesize
213KB
MD55b825ccfab154d5de20e806e687ecb89
SHA1d311d7b23a70f5e1ba875e020d37e05a3a4c4552
SHA25619d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436
SHA512e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03
-
Filesize
269KB
MD5e68e0d804f78aadf2b7da5190971cc56
SHA1b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9
SHA256fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee
SHA512e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda
-
Filesize
261KB
MD5a40fabfc3d4fe0e77cf03156b0541015
SHA17a8c301d0a3834a212af25812cb9f51afa8425d4
SHA256fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864
SHA512f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11
-
Filesize
212KB
MD5f83e3a79f793337194e79e4bb5c3b073
SHA16d4ef4fc71fbabc6f56265388d87d997e47194dc
SHA256e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844
SHA5125133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5380632dc1cfdbe93dd94d1fa157df133
SHA1cdb5498a4604deabfeceff9f1f6f124d79f525a3
SHA25685c0e9009cdc3e35f6f3ec204183c92232e36788cd8f47c11a4543f6615955ec
SHA512ae1fc42a1a0880c655a6796a064cfedc06dd5826deb457fd22b9d4bc3f81a41d3ac0e92256b010c9571df86bdfd9b1b412fc89f0a50dedaf2b2c34f85bdfb65c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5943064b39ea5a5396f9de20f46b74c79
SHA199498daff835fb28141e2bd296c0dba94c962bbb
SHA256f34b47bf56e569c60f4413f9ab586fed26f1909f7748e9808915ed70af95e8a3
SHA5122482e32090c43146f9e56c3bc2fcf6c00e047f745cc3bc6ccdec663163bf08aa5c38815b73ca638b09f29c07fad54b1d7081205643524272ad66968f5e89266e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD57aab8a55a519d4e90f1c75a6fb69437c
SHA149c3562281d5e402aa7b1ac6e3158c7fac8280a2
SHA2561217337eb61a4d7f5935ec8471cc3d7916fba5a5e00c05c81e8539cf66125521
SHA512b24822d1d8ce1e0392a61614ab1b08a3dd7a9f0afd11f7a9d1a0ec230437becac4c90e9545d49e39e8689155d4a6407e853bbf3649dde723841c1690c0229a6e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD5a5bef6706b71bd1c6dffcdcfb5585990
SHA1fda40dd66ea10f4efd00a67579afdd61afd11764
SHA2567312fde5d3d04a59be26b63e00c634f602cfb60dd6c1db81836d5db3b5f9dbb7
SHA512219fee3c765572ffe242d830308bfaff19657f5e473d9cc1ffc2b4edd5a2f86f80fc4187c25e9a07dae38695977846606b221f3ff9a72fe8f16f74379795c719
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize19KB
MD56032eb9367d61f538ff8d1650b8c5483
SHA1598a522b96db23b33a2c072584785601ac30dafd
SHA256794fb4896c45ef3b4789e5291ec7a1a64aeb1c8859a7f9ea5693cf7314e9597a
SHA512bb08e9ac1fd251b52c21093f670030be6d306b591c41b38057cec6d494683b6ff5351fa5f6acce6ed7c4e1e0f71ff1d2c1a14b6f46d91e19d5e9d0c7d5017368
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec