locky | 2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

Analysis

max time kernel
122s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2023 08:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

client_demo.exe
Size

10.8MB
MD5

9dfa6f391ccc098025b00eb281797e4d
SHA1

43d61d407480fe89bb6c38e50899ba4e43186ab3
SHA256

2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4
SHA512

5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74
SSDEEP

98304:Y5s5qBrcvlcYhVA/lCwguUEIPzMcMnD7vd8rVwfcCLOmDsh:Y5scBrcvunNCjEIPzMcMD7F8hyDsh

Score

10^/10

locky discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

client_demo.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file_ck.exe client_demo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file_ck.exe	client_demo.exe

Executes dropped EXE 22 IoCs

Processes:

ck_2943905607.execk_1419009782.execk_2580336419.execk_1068215903.execk_852827878.execk_2091199824.execk_3688021634.execk_2904580341.execk_166882831.execk_2377924978.execk_972799692.execk_3417952269.execk_1849789150.execk_48819666.execk_1971355767.execk_2008378331.execk_1156919810.execk_1672148122.execk_4072248145.execk_19198508.execk_1846375565.exesysmon64.exe

pid	process
1016	ck_2943905607.exe
4012	ck_1419009782.exe
3244	ck_2580336419.exe
4664	ck_1068215903.exe
4720	ck_852827878.exe
2480	ck_2091199824.exe
368	ck_3688021634.exe
5076	ck_2904580341.exe
1300	ck_166882831.exe
3504	ck_2377924978.exe
4496	ck_972799692.exe
4028	ck_3417952269.exe
5008	ck_1849789150.exe
1412	ck_48819666.exe
4656	ck_1971355767.exe
1328	ck_2008378331.exe
1940	ck_1156919810.exe
400	ck_1672148122.exe
4516	ck_4072248145.exe
3632	ck_19198508.exe
3400	ck_1846375565.exe
4608	sysmon64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

client_demo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	client_demo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	client_demo.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

client_demo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client_demo.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client_demo.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEAcroRd32.exePOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2816 schtasks.exe

pid	process
2816	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXEPOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 28 Go-http-client/1.1
HTTP User-Agent header 7 Go-http-client/1.1
HTTP User-Agent header 26 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	28	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	26	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "77"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEPOWERPNT.EXEEXCEL.EXE

pid process

1256 WINWORD.EXE
1256 WINWORD.EXE
412 POWERPNT.EXE
4296 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1676 powershell.exe
1676 powershell.exe

pid	process
1676	powershell.exe
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

client_demo.execk_2943905607.execk_1419009782.execk_2580336419.execk_1068215903.execk_852827878.execk_2091199824.execk_3688021634.execk_2904580341.execk_166882831.execk_2377924978.execk_972799692.execk_3417952269.execk_1849789150.execk_48819666.execk_1971355767.execk_2008378331.execk_1156919810.execk_1672148122.execk_4072248145.execk_19198508.execk_1846375565.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1304	client_demo.exe
Token: SeDebugPrivilege	1016	ck_2943905607.exe
Token: SeDebugPrivilege	4012	ck_1419009782.exe
Token: SeDebugPrivilege	3244	ck_2580336419.exe
Token: SeDebugPrivilege	4664	ck_1068215903.exe
Token: SeDebugPrivilege	4720	ck_852827878.exe
Token: SeDebugPrivilege	2480	ck_2091199824.exe
Token: SeDebugPrivilege	368	ck_3688021634.exe
Token: SeDebugPrivilege	5076	ck_2904580341.exe
Token: SeDebugPrivilege	1300	ck_166882831.exe
Token: SeDebugPrivilege	3504	ck_2377924978.exe
Token: SeDebugPrivilege	4496	ck_972799692.exe
Token: SeDebugPrivilege	4028	ck_3417952269.exe
Token: SeDebugPrivilege	5008	ck_1849789150.exe
Token: SeDebugPrivilege	1412	ck_48819666.exe
Token: SeDebugPrivilege	4656	ck_1971355767.exe
Token: SeDebugPrivilege	1328	ck_2008378331.exe
Token: SeDebugPrivilege	1940	ck_1156919810.exe
Token: SeDebugPrivilege	400	ck_1672148122.exe
Token: SeDebugPrivilege	4516	ck_4072248145.exe
Token: SeDebugPrivilege	3632	ck_19198508.exe
Token: SeDebugPrivilege	3400	ck_1846375565.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeShutdownPrivilege	1304	client_demo.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

EXCEL.EXEAcroRd32.exe

pid process

4296 EXCEL.EXE
4296 EXCEL.EXE
4192 AcroRd32.exe

pid	process
4296	EXCEL.EXE
4296	EXCEL.EXE
4192	AcroRd32.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEPOWERPNT.EXEEXCEL.EXEAcroRd32.exeLogonUI.exe

pid	process
1256	WINWORD.EXE
1256	WINWORD.EXE
1256	WINWORD.EXE
1256	WINWORD.EXE
1256	WINWORD.EXE
1256	WINWORD.EXE
1256	WINWORD.EXE
412	POWERPNT.EXE
412	POWERPNT.EXE
412	POWERPNT.EXE
412	POWERPNT.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4296	EXCEL.EXE
4192	AcroRd32.exe
4192	AcroRd32.exe
4192	AcroRd32.exe
4192	AcroRd32.exe
1292	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

client_demo.execk_2943905607.execk_1419009782.execk_2580336419.execk_1068215903.execk_852827878.execk_2091199824.execk_3688021634.execk_2904580341.execk_166882831.execk_2377924978.exeAcroRd32.exe

description	pid	process	target process
PID 1304 wrote to memory of 1016	1304	client_demo.exe	ck_2943905607.exe
PID 1304 wrote to memory of 1016	1304	client_demo.exe	ck_2943905607.exe
PID 1016 wrote to memory of 4012	1016	ck_2943905607.exe	ck_1419009782.exe
PID 1016 wrote to memory of 4012	1016	ck_2943905607.exe	ck_1419009782.exe
PID 4012 wrote to memory of 3244	4012	ck_1419009782.exe	ck_2580336419.exe
PID 4012 wrote to memory of 3244	4012	ck_1419009782.exe	ck_2580336419.exe
PID 3244 wrote to memory of 4664	3244	ck_2580336419.exe	ck_1068215903.exe
PID 3244 wrote to memory of 4664	3244	ck_2580336419.exe	ck_1068215903.exe
PID 4664 wrote to memory of 4720	4664	ck_1068215903.exe	ck_852827878.exe
PID 4664 wrote to memory of 4720	4664	ck_1068215903.exe	ck_852827878.exe
PID 4720 wrote to memory of 2480	4720	ck_852827878.exe	ck_2091199824.exe
PID 4720 wrote to memory of 2480	4720	ck_852827878.exe	ck_2091199824.exe
PID 2480 wrote to memory of 368	2480	ck_2091199824.exe	ck_3688021634.exe
PID 2480 wrote to memory of 368	2480	ck_2091199824.exe	ck_3688021634.exe
PID 368 wrote to memory of 5076	368	ck_3688021634.exe	ck_2904580341.exe
PID 368 wrote to memory of 5076	368	ck_3688021634.exe	ck_2904580341.exe
PID 5076 wrote to memory of 1300	5076	ck_2904580341.exe	ck_166882831.exe
PID 5076 wrote to memory of 1300	5076	ck_2904580341.exe	ck_166882831.exe
PID 1300 wrote to memory of 3504	1300	ck_166882831.exe	ck_2377924978.exe
PID 1300 wrote to memory of 3504	1300	ck_166882831.exe	ck_2377924978.exe
PID 3504 wrote to memory of 4496	3504	ck_2377924978.exe	ck_972799692.exe
PID 3504 wrote to memory of 4496	3504	ck_2377924978.exe	ck_972799692.exe
PID 1304 wrote to memory of 4028	1304	client_demo.exe	ck_3417952269.exe
PID 1304 wrote to memory of 4028	1304	client_demo.exe	ck_3417952269.exe
PID 1304 wrote to memory of 5008	1304	client_demo.exe	ck_1849789150.exe
PID 1304 wrote to memory of 5008	1304	client_demo.exe	ck_1849789150.exe
PID 1304 wrote to memory of 1412	1304	client_demo.exe	ck_48819666.exe
PID 1304 wrote to memory of 1412	1304	client_demo.exe	ck_48819666.exe
PID 1304 wrote to memory of 4656	1304	client_demo.exe	ck_1971355767.exe
PID 1304 wrote to memory of 4656	1304	client_demo.exe	ck_1971355767.exe
PID 1304 wrote to memory of 1328	1304	client_demo.exe	ck_2008378331.exe
PID 1304 wrote to memory of 1328	1304	client_demo.exe	ck_2008378331.exe
PID 1304 wrote to memory of 1940	1304	client_demo.exe	ck_1156919810.exe
PID 1304 wrote to memory of 1940	1304	client_demo.exe	ck_1156919810.exe
PID 1304 wrote to memory of 400	1304	client_demo.exe	ck_1672148122.exe
PID 1304 wrote to memory of 400	1304	client_demo.exe	ck_1672148122.exe
PID 1304 wrote to memory of 4516	1304	client_demo.exe	ck_4072248145.exe
PID 1304 wrote to memory of 4516	1304	client_demo.exe	ck_4072248145.exe
PID 1304 wrote to memory of 3632	1304	client_demo.exe	ck_19198508.exe
PID 1304 wrote to memory of 3632	1304	client_demo.exe	ck_19198508.exe
PID 1304 wrote to memory of 3400	1304	client_demo.exe	ck_1846375565.exe
PID 1304 wrote to memory of 3400	1304	client_demo.exe	ck_1846375565.exe
PID 1304 wrote to memory of 1676	1304	client_demo.exe	powershell.exe
PID 1304 wrote to memory of 1676	1304	client_demo.exe	powershell.exe
PID 1304 wrote to memory of 1600	1304	client_demo.exe	cscript.exe
PID 1304 wrote to memory of 1600	1304	client_demo.exe	cscript.exe
PID 1304 wrote to memory of 3320	1304	client_demo.exe	wscript.exe
PID 1304 wrote to memory of 3320	1304	client_demo.exe	wscript.exe
PID 1304 wrote to memory of 4136	1304	client_demo.exe	cmd.exe
PID 1304 wrote to memory of 4136	1304	client_demo.exe	cmd.exe
PID 1304 wrote to memory of 1256	1304	client_demo.exe	WINWORD.EXE
PID 1304 wrote to memory of 1256	1304	client_demo.exe	WINWORD.EXE
PID 1304 wrote to memory of 412	1304	client_demo.exe	POWERPNT.EXE
PID 1304 wrote to memory of 412	1304	client_demo.exe	POWERPNT.EXE
PID 1304 wrote to memory of 412	1304	client_demo.exe	POWERPNT.EXE
PID 1304 wrote to memory of 4296	1304	client_demo.exe	EXCEL.EXE
PID 1304 wrote to memory of 4296	1304	client_demo.exe	EXCEL.EXE
PID 1304 wrote to memory of 4296	1304	client_demo.exe	EXCEL.EXE
PID 1304 wrote to memory of 4192	1304	client_demo.exe	AcroRd32.exe
PID 1304 wrote to memory of 4192	1304	client_demo.exe	AcroRd32.exe
PID 1304 wrote to memory of 4192	1304	client_demo.exe	AcroRd32.exe
PID 4192 wrote to memory of 3804	4192	AcroRd32.exe	RdrCEF.exe
PID 4192 wrote to memory of 3804	4192	AcroRd32.exe	RdrCEF.exe
PID 4192 wrote to memory of 3804	4192	AcroRd32.exe	RdrCEF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\client_demo.exe
"C:\Users\Admin\AppData\Local\Temp\client_demo.exe"
1⤵
- Drops startup file
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\checklist\ck_2943905607.exe
C:\Users\Admin/checklist\ck_2943905607.exe --subprocess=true --depth=10
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\checklist\ck_1419009782.exe
C:\Users\Admin/checklist\ck_1419009782.exe --subprocess=true --depth=9
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\checklist\ck_2580336419.exe
C:\Users\Admin/checklist\ck_2580336419.exe --subprocess=true --depth=8
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\checklist\ck_1068215903.exe
C:\Users\Admin/checklist\ck_1068215903.exe --subprocess=true --depth=7
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\checklist\ck_852827878.exe
C:\Users\Admin/checklist\ck_852827878.exe --subprocess=true --depth=6
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\checklist\ck_2091199824.exe
C:\Users\Admin/checklist\ck_2091199824.exe --subprocess=true --depth=5
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\checklist\ck_3688021634.exe
C:\Users\Admin/checklist\ck_3688021634.exe --subprocess=true --depth=4
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\checklist\ck_2904580341.exe
C:\Users\Admin/checklist\ck_2904580341.exe --subprocess=true --depth=3
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\checklist\ck_166882831.exe
C:\Users\Admin/checklist\ck_166882831.exe --subprocess=true --depth=2
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\checklist\ck_2377924978.exe
C:\Users\Admin/checklist\ck_2377924978.exe --subprocess=true --depth=1
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\checklist\ck_972799692.exe
C:\Users\Admin/checklist\ck_972799692.exe --subprocess=true --depth=0
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Admin\checklist\ck_3417952269.exe
C:\Users\Admin/checklist\ck_3417952269.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Users\Admin\checklist\ck_1849789150.exe
C:\Users\Admin/checklist\ck_1849789150.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Users\Admin\checklist\ck_48819666.exe
C:\Users\Admin/checklist\ck_48819666.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Users\Admin\checklist\ck_1971355767.exe
C:\Users\Admin/checklist\ck_1971355767.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Users\Admin\checklist\ck_2008378331.exe
C:\Users\Admin/checklist\ck_2008378331.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Users\Admin\checklist\ck_1156919810.exe
C:\Users\Admin/checklist\ck_1156919810.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\Admin\checklist\ck_1672148122.exe
C:\Users\Admin/checklist\ck_1672148122.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\checklist\ck_4072248145.exe
C:\Users\Admin/checklist\ck_4072248145.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\checklist\ck_19198508.exe
C:\Users\Admin/checklist\ck_19198508.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\checklist\ck_1846375565.exe
C:\Users\Admin/checklist\ck_1846375565.exe --subprocess=true --depth=0
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -f C:\Users\Admin/checklist\ps_3335992186.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin/checklist\vb_1546299684.vbs
2⤵
PID:1600

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin/checklist\js_1394628662.js
2⤵
PID:3320

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin/checklist\bat_376290697.bat
2⤵
PID:4136

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\Admin\AppData\Local\Temp\testdoc.doc
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" C:\Users\Admin\AppData\Local\Temp\testppt.ppt
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:412

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\Admin\AppData\Local\Temp\testxls.xls
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\Users\Admin\AppData\Local\Temp\testpdf.pdf
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:3804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=68E466DFA613025C83FE5486F0E2AED0 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EA27FB436FAB5DB186DBB0E34B651A8E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EA27FB436FAB5DB186DBB0E34B651A8E --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
4⤵
PID:656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F027A9D6F441756D85ACD4BE6A62E822 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DE018EE187BEDCC39FC563D284A4E4C3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DE018EE187BEDCC39FC563D284A4E4C3 --renderer-client-id=5 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1544

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B6D3622432537354408B6DAAE19FD0B0 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4866D709D642B365D0F1538C886AB63F --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\sysmon64.exe
sysmon64.exe -i -accepteula
2⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn windowsChecklistTasks /tr "\"C:\Users\Admin\AppData\Local\Temp\client_demo.exe\" --taskscheduler=true" /sc onstart /ru System /F
2⤵
- Creates scheduled task(s)
PID:2816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6A8F5E9D-0B3A-4213-982E-232DDB51FC29

Filesize
155KB

MD5
6fc586e29214e54b65f5f3a4c3cb9369

SHA1
ffb0c084e1fb2be7f62f8f3ea6800d60d92d9c55

SHA256
91d4b5cbff89dc44553f87a202953a95ab1c1d2cc29869f73ef79e000b0edede

SHA512
bd98529478db8d08bbcff53586da53048a6db9cba283f06271917d7b31d1ba0a22a2de2b355f81f93120ded5a3b9c1a1c2010d1c503e4a5570dcb48ae6508260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml

Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vv3htv0o.ggy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\batdata.txt

Filesize
9B

MD5
92245edefa3ca1ba7367329f40b1a121

SHA1
aacff4310183ff01f975695067059ff41fef07ac

SHA256
fc31d03898315b9fbe2c1ad4e44c0b8652ac10869d0aaef2890ba38b1a379198

SHA512
4d9e5ca92cb60e18cb531f6672f35db1ba28ff501588afa5a28e4d4643220bc4364dfa8561aa194039cd8c68a2a757fd4a6843be6de9b653f4fc9a2be98c2a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsdata.txt

Filesize
11B

MD5
49cb57d9cfee11689410ac09126a7a64

SHA1
97fec3ef44686b02ab6a40bdb968d557273fe923

SHA256
c803c13d3ad536a2ba0cdf265f49723c94f9a2c2c553de06f6dadbae29c6559e

SHA512
ac501df1b733599e7b40d6a62528e9f71a9dd5a9658276b488d68a2618626350d373a81d893cc0a1bb1cc48899dd8d3edd1bf04a326e4d7ee632f4343be2737d

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
089b4d8df794c598706594c0c25f8e2d

SHA1
5288947a8950be77f52eb8a06aa6ea3423d01303

SHA256
d82f8295e0e02afd5af1f25c2f3330e6dbcac8a12a92e7d9fbed283643ea549c

SHA512
f42ae1a597923c67ec1fe5a73a2e68426bb794a8b370c00014d63800345b0af0d4e8e504545605cebcee35c31a2bd2b2c09e93b6f0682ca1456268b38245c5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
a8cf7baced4d8d3cefa19b11e7a01fd7

SHA1
69a9ee9cd3e0609a9ab43f338012196a2ab67f0c

SHA256
8f2105338c758de14bf79d78d2e00797cc45d9818e81d6058725c490d5a83137

SHA512
678edb77cb55db465e3fa3e1790e488d3fe68fb9b6322d9e6d82a7fe848941633dd8593907351ca71b33a6bda1cf4e4d0e9d1e7902e33c83360d02cd641e1773

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
0dde52dd2abbf822285c173bf74ad1d0

SHA1
67b5080ee0e428ad050f2b7a0c94bbee4f7f8895

SHA256
65b519978c03ea23ece69b86a1cd390ebddaef3a16f924cd8367d4427525c93a

SHA512
49dcfd4885274fc9131e7397b850a8b2b9353aac9fb81d332446d06c6a77e028be2c05474ac2ad6cf04958a67cc97c83e300eead9d9ac91c0c53ba3e7e500cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
83122e1bba64b754419677e92e12f6ab

SHA1
d36d79e665c8c80ad6013231ea05720ead65e071

SHA256
f8943158f2d45d4c82ae9668bc5d978a796bcfa4222ffd7b8bc7b743847f7c23

SHA512
0b3dce6dc2b1a8c4d6e64cb83f3655e7078d0496cb603a4ba22f9e25d1e64420ce26b2bba21cf5a63b0c382460cc8293fd0303f53e114904f57e260a48be218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
5KB

MD5
bced618f10513a39ed2327fc654678b3

SHA1
755c50bef3728d7e85e6d083c8375a46e32e8138

SHA256
3f268142874253393cdf76c1ddb83404edab70d0c9584fe982ebd3297b11b66b

SHA512
c444e76b1c394924cea13b8f416ed3479694496abce1da3a631fe07edb63e778c7723b238d08a82f8d23736e73d4ce4cef3b6c3a2b4572d02d67096dd71b4ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
8e6a21a79b83579f8afa932aa716da00

SHA1
2245610e00d24e672d5e5a3e0d1d11665d80ef9a

SHA256
a40139cde7551e900f959aebedb96126344660f8e1357fae1d66c559c15fafb5

SHA512
b1a7bcf48fd351db174b481a7e5ef51f9aa4a49be5ec605340c3926a3563e1300d4cbf295e90b5af0dba13a344fe3d8a2f182436573113e42a198187773440eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
745ee370b1275a3889651dfbfb5518bb

SHA1
9630611154c23b36ad09d3e7f0640786a6b6b554

SHA256
5123a567301ca48c31ec2ac489b09e20b1d29550d7516216df4ab16c93f3e818

SHA512
4dbddf08617e705bc13e459a58e8d3cb92957ff9f2b7ce6aefc2b82d3d83ae0d95e44079a08a6df5b7882647993ee5f8e91abc0ea640a987033e5a1c1375f1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
7610367532c99b6b94de6f7694800c27

SHA1
936973d80893edb29233dac44f0f21e7c2d6dde7

SHA256
95f124b21bf5061d576c94b9a1091e3d2046b9652e694b1bd324e665707d0374

SHA512
e9dca12ff849816f9fcbb6dd3cc1b98b297ea05a341b2a5e0f18bf4d587d3e271ef7c191585412b3243b42e0986c48d87ec428f5b9e8f7ef81f6775f0cec1c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
b1cb2673f1797bc3b6c3fdb8e0f98183

SHA1
c223b07ce1019321f48b2fb6e5b14d7131d864aa

SHA256
f5a72dec4f650f3023a40f419eaa6d633208656192bf4a55b2375b6f1d5ecac4

SHA512
87c401d3f5f5c587a5479a41c58c1c64766c6628f74d88e90f7a9b94055cb06adc359fb9fe5225239b4ec9b8e144c965c3c1ea0b12f3e472885aa13a0e303a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\msg-2023072100.log

Filesize
6KB

MD5
b06fd91ee983133f017af5662edfd9f8

SHA1
1c60d7bd4c71eee59d9b9866de7120d892fad686

SHA256
b9702c13ae85ae0117cb3da57fd43ef351fa2e26f0baa1ecc56e0847540ab575

SHA512
88096aa321712bfd6e3c1eb05bf94c6d232ce9d18600b53c5cd54ced5dcce14344cb6e9b331401f710045b0eb0badeab4ace42b540a0c1be497ecded5e1ca96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test1.txt

Filesize
26B

MD5
fcde0c914569a9efcb7c76bfd785b3ce

SHA1
f4e5dae15dcec506cce6c829cc3ea51ef253453b

SHA256
a9937ff2b99ba53aea4fe272d795eb0647a8495af8fc35cddbef9db792764ac4

SHA512
00c3b13b2df5b6418123cdd7314a1164a6520382e906f503afc669ad51218d58ec7b1bc8697a8a045c26e93629fe82979b6511e562e0a8e83187ba99928cd4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\testdoc.doc

Filesize
9KB

MD5
00a450b508a48ada927d6c579e871df3

SHA1
09bfdca4dad01add53450cac339e81ff5b148681

SHA256
48d2db81e61ea7564752e4e34e8ea9ebba4ed01ad94cbcd83df419a5f65b5272

SHA512
27cec9d5104649b543ef3e708600a27a998d4b72b249f3a04dfb309ccbae32ef812dbf191113d52f0840db1ccb2abbc005a6863856be33e58edf8d7e7cca85c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\testppt.ppt

Filesize
20KB

MD5
9db43a5d33b48e6e6ca9b29dd7551926

SHA1
ee051dd863f6d2b33bd8ee538fb9314519e73f3f

SHA256
8344ac2125de888b21aa8a1f3634d1c1c97849e4270378f71c31c1cdfb9d08fe

SHA512
be0335c9cb5d2f10da75f6a7de2e42ee823810010645b38de84e25711f6ed55861d5c80130b3db68231558f3b2701cc2ee35428d311fa797207360bbe07a8250

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbsdata.txt

Filesize
8B

MD5
390e9e1798f59f38e57b3a76c1438773

SHA1
769bfbce3d36eee51b4c336879c799d0c7f5082b

SHA256
a7a05ad7740bf29829d4e422e83edd339a20e4c3500bbc90a0ee8c6767589b42

SHA512
2af23d8cb5a1116dd644205c9e9dc37f75b526bc6d9b9ad9659ba4695306238985b206c16767a379a80c051a06f49e57ddf82dbc87876d94826de19a72cd3066

Download Submit
C:\Users\Admin\checklist\bat_376290697.bat

Filesize
26B

MD5
2389fa213be63948b27b6da889ec0bbf

SHA1
88aebd6e826edd02ae678d578f1db7d28871f0b7

SHA256
f0d91303b4131ea302faca423bc45bdca8845d1121c9385fade860a615f84827

SHA512
f8ee8191f12d114d3c47b98117674e55cfeaf189ffa1bf99a090ebdcc5db7c9418841ad390096400a44b34fe3372c4f1aab3a449405e198046d8f71732032193

Download Submit
C:\Users\Admin\checklist\ck_1068215903.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1068215903.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1156919810.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1156919810.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1419009782.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1419009782.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_166882831.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_166882831.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1672148122.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1672148122.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1846375565.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1846375565.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1849789150.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1849789150.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_19198508.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_19198508.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1971355767.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_1971355767.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2008378331.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2008378331.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2091199824.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2091199824.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2377924978.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2377924978.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2580336419.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2580336419.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2580336419.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2904580341.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2904580341.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2943905607.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_2943905607.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_3417952269.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_3417952269.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_3688021634.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_3688021634.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_4072248145.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_4072248145.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_48819666.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_48819666.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_852827878.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_852827878.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_972799692.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\ck_972799692.exe

Filesize
10.8MB

MD5
9dfa6f391ccc098025b00eb281797e4d

SHA1
43d61d407480fe89bb6c38e50899ba4e43186ab3

SHA256
2a879d3004b7f21eef468c9adcd280664a9646389e789aa7c2cbac0cf95538b4

SHA512
5c5c60f547d97d46b6e689425f38f69df97c40b737b5ebb6ccd8bc89866b1c5bc0b05b68ab38d0cc60c99723e6ac87376cd0a9acdb3da7535a8696b25f8eec74

Download Submit
C:\Users\Admin\checklist\js_1394628662.js

Filesize
190B

MD5
437777ad89877c1f64062dcf5421ae27

SHA1
d5d7bd4e63da54b6c71126162d3d39f01b2690d5

SHA256
6794b058f576795ca724c512fb958ca8582a3c8a7e5a060280374e5b80a4600a

SHA512
3d57246604a21dad60bddbb3e74fa4c3564125a8ccbb5bc609585730f3a58cc33111a0f1eb7baad7d4b020de59fd0dc370b139b19e827ee26c2154458478d679

Download Submit
C:\Users\Admin\checklist\ps_3335992186.ps1

Filesize
65B

MD5
11a2c552fc4ab01bf828135bfb473393

SHA1
61bbbea285f9ddfd0aa115499efac3a5d112d646

SHA256
f76ca89e39fea5076646b99e875f2d8a2406e61731ea074a3d8f02d445a2a231

SHA512
7cdf5600e7c6d004a843a87d5d08ebdb5586eb1860ca363d0f8297ea6489af9e5c2727a5c8e74ecee4003d334db640f62056ea0d1d9d5fcf84e1b09e85cbf879

Download Submit
C:\Users\Admin\checklist\vb_1546299684.vbs

Filesize
117B

MD5
31dd084101619c3933cc87f2065bf210

SHA1
e7716629409d1ad58ba85fd083bb0c44dd5897d5

SHA256
aa07fc026dbedb7e84a3850ab2838dcac04cbf314ad8719055c8eca0fbcf5222

SHA512
1eac20a2e774450cf44183cae2ed52ded7f8411b4edeb94f468b0afffe70086025a4de5e166d5af7c25480220c8cf1423bdb69e474c41387b9cd945456208dac

Download Submit
memory/412-352-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/412-324-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-351-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/412-353-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/412-331-0x00007FFE17B50000-0x00007FFE17B60000-memory.dmp

Filesize
64KB

Download
memory/412-330-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-329-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-327-0x00007FFE17B50000-0x00007FFE17B60000-memory.dmp

Filesize
64KB

Download
memory/412-320-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-326-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-325-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-350-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/412-323-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-321-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-328-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-354-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-318-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-314-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/412-316-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-297-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-285-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/1256-303-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-310-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-311-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-312-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-302-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-300-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-299-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-295-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-301-0x00007FFE17B50000-0x00007FFE17B60000-memory.dmp

Filesize
64KB

Download
memory/1256-304-0x00007FFE17B50000-0x00007FFE17B60000-memory.dmp

Filesize
64KB

Download
memory/1256-298-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-294-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-293-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/1256-291-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/1256-292-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-290-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-289-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-288-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/1256-287-0x00007FFE1A4B0000-0x00007FFE1A4C0000-memory.dmp

Filesize
64KB

Download
memory/1256-286-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1256-296-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/1676-262-0x00007FFE3B3E0000-0x00007FFE3BEA1000-memory.dmp

Filesize
10.8MB

Download
memory/1676-268-0x00007FFE3B3E0000-0x00007FFE3BEA1000-memory.dmp

Filesize
10.8MB

Download
memory/1676-261-0x000001884F170000-0x000001884F192000-memory.dmp

Filesize
136KB

Download
memory/1676-263-0x0000018867340000-0x0000018867350000-memory.dmp

Filesize
64KB

Download
memory/1676-264-0x0000018867340000-0x0000018867350000-memory.dmp

Filesize
64KB

Download
memory/4296-359-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/4296-357-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/4296-356-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/4296-361-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/4296-366-0x00007FFE17B50000-0x00007FFE17B60000-memory.dmp

Filesize
64KB

Download
memory/4296-364-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/4296-363-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download
memory/4296-367-0x00007FFE17B50000-0x00007FFE17B60000-memory.dmp

Filesize
64KB

Download
memory/4296-369-0x00007FFE5A430000-0x00007FFE5A625000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads