Analysis
max time kernel: 30s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-03-2024 02:04

Static task: static1
Behavioral task: behavioral1
  Sample: 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe
  Resource: win10v2004-20240226-en
General
Target: 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe
Size: 2.4MB
MD5: b11c3fad2e48022f58635df7368d6441
SHA1: 63883fee892ac1e0d44f568913931c0d59b343d1
SHA256: 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
SHA512: 6c68523b259c307e1c4ff4c6809fb20e5d9d9998a32d03ca06eaf29ec8f27bcaca2cafd9b57420b307160b3ebfeac16d234b99f6119f8f3038f4b5bf4b169023
SSDEEP: 49152:jCqqfqaaK++EFUw2PsQMIZnLzn8FGaqxMBeVBBzKl:jONGXqGY1y
Malware Config
Extracted
  Family: smokeloader
  Botnet: pub1
Extracted
  Family: smokeloader
  Version: 2022
  C2:
    http://trad-einmyus.com/index.php
    http://tradein-myus.com/index.php
    http://trade-inmyus.com/index.php
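The three C2 URLs differ only in where a hyphen sits inside the same base name (trad-einmyus, tradein-myus, trade-inmyus all collapse to tradeinmyus.com), so an exact-match blocklist of the three hostnames will miss the next rotation. The following is an added example, not part of the sandbox report, that canonicalises the extracted hosts, derives one pattern per base name that tolerates a hyphen at any position, and runs it over a constructed DNS query log. The log lines and their "<ts> <client> query <qname>" format are invented for the example; the assumption that the operator keeps rotating the hyphen within the same base name is an inference from the three URLs above, not something the report states.

```python
import re
from urllib.parse import urlparse

# C2 URLs from the SmokeLoader config extracted above.
C2_URLS = [
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
]

# Constructed DNS query log (not from the report); "<ts> <client> query <qname>".
DNS_LOG = [
    "2024-03-11T02:05:01Z 10.0.0.12 query trade-inmyus.com",
    "2024-03-11T02:05:02Z 10.0.0.12 query tradeinmy-us.com",   # rotation not in the config
    "2024-03-11T02:05:03Z 10.0.0.12 query pastebin.com",
    "2024-03-11T02:05:04Z 10.0.0.12 query tradein.myus.com",   # different name, must not hit
]


def hyphen_key(host):
    """Canonical form: lower-case, trailing dot and every hyphen removed."""
    return host.lower().rstrip(".").replace("-", "")


def group_by_key(urls):
    """Map canonical name -> observed hostnames that share it."""
    groups = {}
    for url in urls:
        host = urlparse(url).hostname
        groups.setdefault(hyphen_key(host), []).append(host)
    return groups


def hyphen_variant_regex(key):
    """Regex matching the canonical name with a hyphen allowed between any two
    characters of any label except the TLD (assumption: the operator keeps
    rotating the hyphen inside the same base name). Expects at least one dot."""
    *labels, tld = key.split(".")
    body = r"\.".join("-?".join(re.escape(c) for c in label) for label in labels)
    return re.compile(rf"^{body}\.{re.escape(tld)}$", re.I)


def match_dns_log(lines, patterns):
    """Return (qname, canonical_key) for every log line that hits a pattern."""
    hits = []
    for line in lines:
        qname = line.split()[-1].rstrip(".")
        for key, rx in patterns.items():
            if rx.match(qname):
                hits.append((qname, key))
    return hits


if __name__ == "__main__":
    groups = group_by_key(C2_URLS)
    patterns = {k: hyphen_variant_regex(k) for k in groups}
    for key, hosts in groups.items():
        print(key, "<-", ", ".join(hosts), "| pattern:", patterns[key].pattern)
    for qname, key in match_dns_log(DNS_LOG, patterns):
        print("HIT", qname, "->", key)
```

Use the canonical key, not the three literal hostnames, as the indicator you share: it is what stays constant across the rotation. The pattern is deliberately permissive about hyphen placement and should be paired with the exact hostnames when precision matters more than recall.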
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.
-
Glupteba payload 7 IoCs
resource  yara_rule
behavioral2/memory/1640-109-0x0000000002D80000-0x000000000366B000-memory.dmp  family_glupteba
behavioral2/memory/1640-110-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral2/memory/1640-166-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral2/memory/1640-167-0x0000000002D80000-0x000000000366B000-memory.dmp  family_glupteba
behavioral2/memory/3176-169-0x0000000000FB0000-0x00000000013B3000-memory.dmp  family_glupteba
behavioral2/memory/3176-170-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
behavioral2/memory/3176-269-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects Windows executables referencing non-Windows User-Agents 4 IoCs
resource  yara_rule
behavioral2/memory/1640-110-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1640-166-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3176-170-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3176-269-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects executables (downloaders) containing URLs to raw contents of a paste 1 IoCs
resource  yara_rule
behavioral2/memory/4480-0-0x0000000000400000-0x0000000000408000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
-
Detects executables Discord URL observed in first stage droppers 4 IoCs
resource  yara_rule
behavioral2/memory/1640-110-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1640-166-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3176-170-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/3176-269-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_DiscordURL
-
Detects executables containing URLs to raw contents of a Github gist 4 IoCs
resource  yara_rule
behavioral2/memory/1640-110-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1640-166-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3176-170-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3176-269-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
-
Detects executables containing artifacts associated with disabling Windows Defender 4 IoCs
resource  yara_rule
behavioral2/memory/1640-110-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/1640-166-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3176-170-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral2/memory/3176-269-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_DisableWinDefender
-
Detects executables packed with VMProtect. 7 IoCs
resource  yara_rule
behavioral2/memory/996-77-0x0000000000400000-0x00000000005B9000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/996-78-0x0000000000400000-0x00000000005B9000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/996-81-0x0000000000400000-0x00000000005B9000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2052-84-0x0000000000400000-0x00000000005B9000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2052-118-0x0000000000400000-0x00000000005B9000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2052-138-0x0000000000400000-0x00000000005B9000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral2/memory/2052-273-0x0000000000400000-0x00000000005B9000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
-
Detects executables referencing many varying, potentially fake Windows User-Agents 4 IoCs
resource  yara_rule
behavioral2/memory/1640-110-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/1640-166-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3176-170-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral2/memory/3176-269-0x0000000000400000-0x0000000000D1C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
4980  netsh.exe
-
Drops startup file 5 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6irhTGsiPKWfASUsb93L7aDx.bat  CasPol.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coA3Xnx8JT5OL07A29dOVXuG.bat  CasPol.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1mHuWi8cjnAZXsdd9cWRrcVz.bat  CasPol.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cgAwUuCakky44HLKdefSzHQX.bat  CasPol.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoS8mlckjV3rEyFc3oM19cTZ.bat  CasPol.exe
-
Executes dropped EXE 10 IoCs
pid  Process
912  WUAGGju0i3yPEjsoJcJMrxF0.exe
4136  7Jloo403NPf7I4gPKDCa99AS.exe
656  7Jloo403NPf7I4gPKDCa99AS.tmp
996  babyclock32.exe
2052  babyclock32.exe
1640  IsGgrPfWzLiRLcI1GkALIqJd.exe
3176  IsGgrPfWzLiRLcI1GkALIqJd.exe
1916  csrss.exe
5032  TGXiSJLzcb5QPbsV5SG2Q1gF.exe
4608  syncUpd.exe
-
Loads dropped DLL 2 IoCs
pid  Process
656  7Jloo403NPf7I4gPKDCa99AS.tmp
5032  TGXiSJLzcb5QPbsV5SG2Q1gF.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  IsGgrPfWzLiRLcI1GkALIqJd.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
6  pastebin.com
7  pastebin.com
-
Drops file in System32 directory 7 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe (×5)
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
description  pid  Process  procid_target
PID 2000 set thread context of 4480  2000  2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe  89
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain device objects and files (here the \??\VBoxMiniRdrDN device of the VirtualBox shared-folder mini-redirector) exist only in VirtualBox guests and can be used to detect execution in a VM.
description  ioc  Process
File opened (read-only)  \??\VBoxMiniRdrDN  IsGgrPfWzLiRLcI1GkALIqJd.exe
-
Drops file in Windows directory 2 IoCs
description  ioc  Process
File created  C:\Windows\rss\csrss.exe  IsGgrPfWzLiRLcI1GkALIqJd.exe
File opened for modification  C:\Windows\rss  IsGgrPfWzLiRLcI1GkALIqJd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid  pid_target  Process  procid_target
2504  1640  WerFault.exe  102
1184  3176  WerFault.exe  111
-
NSIS installer 3 IoCs
resource  yara_rule
behavioral2/files/0x000700000002324a-293.dat  nsis_installer_2
behavioral2/files/0x000700000002324a-297.dat  nsis_installer_2
behavioral2/files/0x000700000002324a-296.dat  nsis_installer_2
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  WUAGGju0i3yPEjsoJcJMrxF0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  WUAGGju0i3yPEjsoJcJMrxF0.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  WUAGGju0i3yPEjsoJcJMrxF0.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  syncUpd.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  syncUpd.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
4624  schtasks.exe
-
Modifies data under HKEY_USERS 64 IoCs
description  ioc  Process

IsGgrPfWzLiRLcI1GkALIqJd.exe, Set value (str), all under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll (time-zone display names cached from tzres.dll MUI lookups):
  ,-2592 = "Tocantins Standard Time"
  ,-1891 = "Russia TZ 3 Daylight Time"
  ,-2341 = "Haiti Daylight Time"
  ,-831 = "SA Eastern Daylight Time"
  ,-2392 = "Aleutian Standard Time"
  ,-452 = "Caucasus Standard Time"
  ,-381 = "South Africa Daylight Time"
  ,-442 = "Arabian Standard Time"
  ,-434 = "Georgian Daylight Time"
  ,-192 = "Mountain Standard Time"
  ,-215 = "Pacific Standard Time (Mexico)"
  ,-1042 = "Ulaanbaatar Standard Time"
  ,-335 = "Jordan Standard Time"
  ,-32 = "Mid-Atlantic Standard Time"
  ,-1661 = "Bahia Daylight Time"
  ,-562 = "SE Asia Standard Time"
  ,-2412 = "Marquesas Standard Time"
  ,-741 = "New Zealand Daylight Time"
  ,-2062 = "North Korea Standard Time"
  ,-121 = "SA Pacific Daylight Time"
  ,-592 = "Malay Peninsula Standard Time"
  ,-2161 = "Altai Daylight Time"
  ,-662 = "Cen. Australia Standard Time"
  ,-2871 = "Magallanes Daylight Time"
  ,-181 = "Mountain Daylight Time (Mexico)"
  ,-214 = "Pacific Daylight Time (Mexico)"
  ,-492 = "India Standard Time"
  ,-2531 = "Chatham Islands Daylight Time"
  ,-1801 = "Line Islands Daylight Time"
  ,-72 = "Newfoundland Standard Time"
  ,-1831 = "Russia TZ 2 Daylight Time"
  ,-451 = "Caucasus Daylight Time"
  ,-1412 = "Syria Standard Time"
  ,-152 = "Central America Standard Time"
  ,-242 = "Samoa Standard Time"

powershell.exe, Key created (certificate-store keys initialised in the .DEFAULT hive):
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (×2)
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (×2)
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (×2)
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (×2)
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (×2)
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs

powershell.exe, Set value (int):
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (×2)
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
656  7Jloo403NPf7I4gPKDCa99AS.tmp (×2)
912  WUAGGju0i3yPEjsoJcJMrxF0.exe (×2)
3448  Process not Found (×60)
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid  Process
912  WUAGGju0i3yPEjsoJcJMrxF0.exe
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
description  pid  Process
Token: SeDebugPrivilege  4480  CasPol.exe
Token: SeDebugPrivilege  4640  powershell.exe
Token: SeDebugPrivilege  1640  IsGgrPfWzLiRLcI1GkALIqJd.exe
Token: SeImpersonatePrivilege  1640  IsGgrPfWzLiRLcI1GkALIqJd.exe
Token: SeDebugPrivilege  2712  powershell.exe
Token: SeDebugPrivilege  5092  powershell.exe
Token: SeDebugPrivilege  2432  powershell.exe
Token: SeDebugPrivilege  3036  powershell.exe
Token: SeDebugPrivilege  1948  powershell.exe
Token: SeDebugPrivilege  3300  powershell.exe
Token: SeShutdownPrivilege  3448  Process not Found (×10)
Token: SeCreatePagefilePrivilege  3448  Process not Found (×10)
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
656  7Jloo403NPf7I4gPKDCa99AS.tmp
-
Suspicious use of WriteProcessMemory 63 IoCs
description  pid  Process  procid_target  (repeats)
PID 2000 wrote to memory of 4480  2000  2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe  89  (×8)
PID 2000 wrote to memory of 4952  2000  2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe  90  (×3)
PID 4480 wrote to memory of 912  4480  CasPol.exe  97  (×3)
PID 4480 wrote to memory of 4136  4480  CasPol.exe  98  (×3)
PID 4136 wrote to memory of 656  4136  7Jloo403NPf7I4gPKDCa99AS.exe  99  (×3)
PID 656 wrote to memory of 996  656  7Jloo403NPf7I4gPKDCa99AS.tmp  100  (×3)
PID 656 wrote to memory of 2052  656  7Jloo403NPf7I4gPKDCa99AS.tmp  101  (×3)
PID 4480 wrote to memory of 1640  4480  CasPol.exe  102  (×3)
PID 1640 wrote to memory of 4640  1640  IsGgrPfWzLiRLcI1GkALIqJd.exe  106  (×3)
PID 3176 wrote to memory of 2712  3176  IsGgrPfWzLiRLcI1GkALIqJd.exe  115  (×3)
PID 3176 wrote to memory of 1604  3176  IsGgrPfWzLiRLcI1GkALIqJd.exe  118  (×2)
PID 1604 wrote to memory of 4980  1604  cmd.exe  120  (×2)
PID 3176 wrote to memory of 5092  3176  IsGgrPfWzLiRLcI1GkALIqJd.exe  121  (×3)
PID 3176 wrote to memory of 2432  3176  IsGgrPfWzLiRLcI1GkALIqJd.exe  123  (×3)
PID 3176 wrote to memory of 1916  3176  IsGgrPfWzLiRLcI1GkALIqJd.exe  125  (×3)
PID 1916 wrote to memory of 3036  1916  csrss.exe  128  (×3)
PID 4480 wrote to memory of 5032  4480  CasPol.exe  130  (×3)
PID 5032 wrote to memory of 4608  5032  TGXiSJLzcb5QPbsV5SG2Q1gF.exe  131  (×3)
PID 1916 wrote to memory of 1948  1916  csrss.exe  136  (×3)
PID 1916 wrote to memory of 3300  1916  csrss.exe  138  (×3)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe"C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe"C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:912
-
-
C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe"C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp"C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp" /SL5="$100062,1507995,56832,C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 656
depth 5: C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
command line: "C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe" -i
- Executes dropped EXE
PID: 996
depth 5: C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
command line: "C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe" -s
- Executes dropped EXE
PID: 2052
depth 3: C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe
command line: "C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1640
depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: powershell -nologo -noprofile
- Suspicious use of AdjustPrivilegeToken
PID: 4640
depth 4: C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe
command line: "C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe"
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID: 3176
depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2712
depth 5: C:\Windows\system32\cmd.exe
command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
- Suspicious use of WriteProcessMemory
PID: 1604
depth 6: C:\Windows\system32\netsh.exe
command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
PID: 4980
depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 5092
depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2432
depth 5: C:\Windows\rss\csrss.exe
command line: C:\Windows\rss\csrss.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1916
depth 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3036
depth 6: C:\Windows\SYSTEM32\schtasks.exe
command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Creates scheduled task(s)
PID: 4624
depth 6: C:\Windows\SYSTEM32\schtasks.exe
command line: schtasks /delete /tn ScheduledUpdate /f
PID: 4040
depth 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1948
depth 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3300
depth 5: C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 860
- Program crash
PID: 1184
depth 4: C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 772
- Program crash
PID: 2504
depth 3: C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe
command line: "C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 5032
depth 4: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
command line: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
- Executes dropped EXE
- Checks processor information in registry
PID: 4608
depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
PID: 4952
depth 1: C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1640 -ip 1640
PID: 4092
depth 1: C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176
PID: 2696
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads