Analysis
max time kernel: 67s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2023 02:08
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Resource: win7-20231023-en
General
Target: NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Size: 368KB
MD5: 693c14bc43b49bae8d393fe1c5a51300
SHA1: 445c720c5628b40e9bc90b846873b1b79289da10
SHA256: 5b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA512: 55f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
SSDEEP: 3072:zo4L5tpV+CSA1AAPoCpxW5ATBfUNjpS1svkTVC9FieYTTLprx/m3qT4S826guKqu:FtpvoCpcNQ1jQdiG/2UzuEP/Nnrry
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
Adds policy Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Drops file in Drivers directory (5 IoCs)
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | system.exe
File created | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | system.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | Global.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
3364 | Global.exe
2928 | svchost.exe
1440 | system.exe
2376 | system.exe
Modifies system executable filetype association (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | system.exe
resource | yara_rule
behavioral2/memory/4940-1-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-5-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-6-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-10-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-12-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-18-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-19-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-30-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-62-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-69-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-71-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-72-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-73-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-74-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-78-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/4940-123-0x0000000002B10000-0x0000000003BCA000-memory.dmp | upx
behavioral2/memory/2928-155-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-157-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-158-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-167-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-170-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-176-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-177-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-179-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-178-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-182-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-183-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-185-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-189-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-200-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-203-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
behavioral2/memory/2928-206-0x0000000002E80000-0x0000000003F3A000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
Adds Run key to start application (2 TTPs, 15 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | Global.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | Global.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | system.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
Drops autorun.inf file (1 TTPs, 12 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | Global.exe
File created | C:\autorun.inf | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | svchost.exe
File opened for modification | C:\autorun.inf | Global.exe
File opened for modification | D:\autorun.inf | Global.exe
File created | D:\autorun.inf | Global.exe
File opened for modification | F:\autorun.inf | Global.exe
File created | F:\autorun.inf | Global.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Default.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | Global.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\svchost.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Default.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Default.exe | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\Global.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Global.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | system.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Global.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Global.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Global.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Default.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Global.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Default.exe | system.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe | Global.exe
Drops file in Windows directory 50 IoCs
description | ioc | Process
File created | C:\WINDOWS\Media\rndll32.pif | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | system.exe
File created | C:\WINDOWS\Fonts\tskmgr.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\Media\rndll32.pif | Global.exe
File created | C:\WINDOWS\pchealth\Global.exe | svchost.exe
File created | C:\WINDOWS\Fonts\tskmgr.exe | system.exe
File created | C:\WINDOWS\Media\rndll32.pif | system.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | system.exe
File opened for modification | C:\WINDOWS\Help\microsoft.hlp | Global.exe
File created | C:\WINDOWS\system\KEYBOARD.exe | system.exe
File created | C:\WINDOWS\Fonts\Fonts.exe | system.exe
File created | C:\WINDOWS\pchealth\Global.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\Help\microsoft.hlp | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\Windows\e58af85 | svchost.exe
File created | C:\WINDOWS\system\KEYBOARD.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\Help\microsoft.hlp | system.exe
File created | C:\WINDOWS\Fonts\tskmgr.exe | system.exe
File created | C:\WINDOWS\Fonts\tskmgr.exe | svchost.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | system.exe
File created | C:\WINDOWS\Fonts\wav.wav | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\pchealth\Global.exe | system.exe
File created | C:\WINDOWS\Media\rndll32.pif | system.exe
File opened for modification | C:\WINDOWS\Fonts\wav.wav | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\Fonts\Fonts.exe | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\Fonts\Fonts.exe | system.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | system.exe
File opened for modification | C:\WINDOWS\Fonts\tskmgr.exe | Global.exe
File opened for modification | C:\WINDOWS\system\KEYBOARD.exe | Global.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | system.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | system.exe
File created | C:\Windows\e57f397 | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | Global.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | Global.exe
File created | C:\WINDOWS\Fonts\Fonts.exe | svchost.exe
File created | C:\WINDOWS\system\KEYBOARD.exe | svchost.exe
File created | C:\WINDOWS\pchealth\Global.exe | system.exe
File created | C:\WINDOWS\Help\microsoft.hlp | system.exe
File created | C:\WINDOWS\pchealth\Global.exe | Global.exe
File opened for modification | C:\WINDOWS\Fonts\Fonts.exe | Global.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | svchost.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | svchost.exe
File created | C:\WINDOWS\system\KEYBOARD.exe | system.exe
File opened for modification | C:\Windows\SYSTEM.INI | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | Global.exe
File created | C:\WINDOWS\Help\microsoft.hlp | svchost.exe
File created | C:\WINDOWS\Media\rndll32.pif | svchost.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | svchost.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 20 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\AutoEndTasks = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | Global.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\AutoEndTasks = "1" | Global.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | Global.exe
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop | system.exe
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\AutoEndTasks = "1" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\AutoEndTasks = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop | Global.exe
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\AutoEndTasks = "1" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | system.exe
-
Modifies registry class 58 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | system.exe
Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | system.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
4940 | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe (6 entries)
2928 | svchost.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4940 | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
4940 | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
3364 | Global.exe
2928 | svchost.exe
1440 | system.exe
2376 | system.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
Targets are given as target PID / procid_target, with the number of identical entries in the original table (64 in total).
PID 4940 wrote to memory of | 4940 | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe | 760/82 ×3, 768/81 ×3, 316/8 ×3, 2788/53 ×3, 2832/52 ×3, 2940/20 ×3, 3300/26 ×3, 3492/25 ×3, 3676/24 ×3, 3896/23 ×3, 3960/22 ×3, 4060/50 ×3, 2252/49 ×3, 4388/47 ×3, 2080/37 ×3, 4152/30 ×3, 1476/29 ×3, 3364/84 ×5, 3916/85 ×2
PID 3364 wrote to memory of | 3364 | Global.exe | 2928/88 ×3
PID 2928 wrote to memory of | 2928 | svchost.exe | 760/82 ×1, 768/81 ×1, 316/8 ×1
-
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Global.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | system.exe
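The registry values and dropped paths in the signature tables above are what an investigator would look for on a suspect host. The PowerShell below is an added example written for this page; it is not sandbox output and not code from the sample. It reads the firewall-policy, UAC, Control Panel and file-association values the tables list, flags those that match the values the sample wrote, and checks whether the dropped files exist. Assumptions: Windows lives under %SystemRoot%; the ControlSet001 hive in the report corresponds to CurrentControlSet on a live machine, so both are read; the stock handlers for regfile and mscfile are regedit.exe and mmc.exe; the SysWOW64 paths in the report are what a 32-bit process sees as system32 under WOW64 redirection, so the script must run from a 64-bit, elevated PowerShell. SysWOW64\regedit.exe is a legitimate Windows file, so it is judged by its signature status rather than by presence; the .vbs = "VBSFile" association is the stock value and is not checked.

```powershell
# Added example, not part of the sandbox report. Read-only host check for the
# registry and file IoCs listed above. Run from 64-bit, elevated PowerShell.
function Test-ReportIoCs {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
    }

    # 1. Values the sample and its dropped copies set (value name => data the sample wrote).
    #    ControlSet001 is what the report logged; CurrentControlSet is the live alias.
    $regChecks = @(
        @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
           Values = @{ EnableFirewall = 0; DoNotAllowExceptions = 0; DisableNotifications = 1 } },
        @{ Path   = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
           Values = @{ EnableFirewall = 0; DoNotAllowExceptions = 0; DisableNotifications = 1 } },
        @{ Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Values = @{ EnableLUA = 0; DisableStatusMessages = 1 } },
        @{ Path   = 'HKCU:\Control Panel\Desktop'
           Values = @{ 'SCRNSAVE.EXE' = 'C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com'; ScreenSaveTimeOut = '30'; AutoEndTasks = '1' } },
        @{ Path   = 'HKLM:\SOFTWARE\Classes\exefile'; Values = @{ NeverShowExt = '1' } },
        @{ Path   = 'HKLM:\SOFTWARE\Classes\comfile'; Values = @{ NeverShowExt = '1' } }
    )
    foreach ($c in $regChecks) {
        $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $c.Values.Keys) {
            $actual = $props.$name
            if ($null -ne $actual -and "$actual" -eq "$($c.Values[$name])") {
                Add-Finding 'Registry' "$($c.Path)\$name" "= $actual"
            }
        }
    }

    # 2. Shell open handlers the sample redirected to its own droppers
    #    (Global.exe / Fonts.exe in the report). Assumption: stock handlers are
    #    regedit.exe for regfile and mmc.exe for mscfile.
    $handlerChecks = @(
        @{ Key = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Expect = 'regedit.exe' },
        @{ Key = 'HKLM:\SOFTWARE\Classes\mscfile\shell\open\command'; Expect = 'mmc.exe' }
    )
    foreach ($h in $handlerChecks) {
        $cmd = (Get-ItemProperty -Path $h.Key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and ($cmd -notmatch [regex]::Escape($h.Expect))) {
            Add-Finding 'FileAssociation' $h.Key "command is '$cmd' (expected $($h.Expect))"
        }
    }

    # 3. Dropped files from the report. None of these exist on a clean Windows 10 install.
    $recycler = "$env:SystemRoot\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}"
    $paths = @(
        $recycler,
        "$env:SystemRoot\SysWOW64\dllcache\Global.exe",
        "$env:SystemRoot\SysWOW64\dllcache\svchost.exe",
        "$env:SystemRoot\SysWOW64\dllcache\Default.exe",
        "$env:SystemRoot\SysWOW64\dllcache\tskmgr.exe",
        "$env:SystemRoot\SysWOW64\dllcache\autorun.inf",
        "$env:SystemRoot\pchealth\Global.exe",
        "$env:SystemRoot\pchealth\helpctr\binaries\HelpHost.com",
        "$env:SystemRoot\Cursors\Boom.vbs",
        "$env:SystemRoot\Fonts\Fonts.exe",
        "$env:SystemRoot\Fonts\tskmgr.exe",
        "$env:SystemRoot\Fonts\wav.wav",
        "$env:SystemRoot\Media\rndll32.pif",
        "$env:SystemRoot\Help\microsoft.hlp",
        "$env:SystemRoot\system\KEYBOARD.exe"
    )
    $sampleSha256 = '5B6162DDD7028E8373EDF5CB507AA7A984F13F289AB259A71573A40ED66A9450'
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $detail = 'present'
        if (-not (Get-Item -LiteralPath $p).PSIsContainer) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            if ($h -eq $sampleSha256) { $detail = 'present, SHA256 matches the submitted sample' }
        }
        Add-Finding 'File' $p $detail
    }

    # 4. SysWOW64\regedit.exe is legitimate, but the report shows it being rewritten:
    #    flag it only if it no longer carries a valid Microsoft signature.
    $regedit = "$env:SystemRoot\SysWOW64\regedit.exe"
    if (Test-Path -LiteralPath $regedit) {
        $sig = Get-AuthenticodeSignature -FilePath $regedit
        if ($sig.Status -ne 'Valid') {
            Add-Finding 'File' $regedit "signature status $($sig.Status)"
        }
    }

    return $findings
}

Test-ReportIoCs | Format-Table -AutoSize
```

An empty table means none of the listed state is present; any Registry or FileAssociation row should be treated as a confirmed tamper rather than a hint, since the firewall, EnableLUA and handler values have no benign reason to be in the sample's state on a managed Windows 10 host.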
Processes

C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 316

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2940

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3896

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3676

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3492

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3300

  C:\Users\Admin\AppData\Local\Temp\NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe (child of PID 3300)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe"
    PID: 4940
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Checks computer location settings
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe (child of PID 4940)
      command line: "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"
      PID: 3364
      - Adds policy Run key to start application
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe (child of PID 3364)
        command line: "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
        PID: 2928
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Adds policy Run key to start application
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe (child of PID 2928)
          command line: "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
          PID: 1440
          - Adds policy Run key to start application
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - System policy modification

        C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe (child of PID 2928)
          command line: "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
          PID: 2376
          - Adds policy Run key to start application
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - System policy modification

C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1476

C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 4152

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2080

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4388

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4060

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2832

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2788

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 768

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 760

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  - Modifies registry class
  PID: 3916
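Read together, the WriteProcessMemory table and the process tree show two different kinds of write: the sample writing into the children it launched (Global.exe, svchost.exe), and the sample and its dropped svchost.exe writing into processes that existed before it ran (dwm.exe, fontdrvhost.exe, Explorer.EXE, rundll32.exe and the rest). The Python below is an added triage helper written for this page, not part of the report: it parses rows in the report's format, walks the tree, and separates parent-to-child writes from writes into foreign processes. The row text and the PID-to-image map are constructed from the tables above (one copy of each repeated row, and only a subset of the targets); nothing else is assumed.

```python
"""Added example (not part of the sandbox report): separate WriteProcessMemory
rows into writes to the writer's own descendants and writes into unrelated,
pre-existing processes (cross-process injection)."""
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" table.
# Columns: writer PID, target PID, writer PID again, writer image, sandbox procid_target.
WRITE_ROWS = """
PID 4940 wrote to memory of 760 4940 NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe 82
PID 4940 wrote to memory of 768 4940 NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe 81
PID 4940 wrote to memory of 316 4940 NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe 8
PID 4940 wrote to memory of 3300 4940 NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe 26
PID 4940 wrote to memory of 3364 4940 NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe 84
PID 4940 wrote to memory of 3916 4940 NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe 85
PID 3364 wrote to memory of 2928 3364 Global.exe 88
PID 2928 wrote to memory of 760 2928 svchost.exe 82
PID 2928 wrote to memory of 768 2928 svchost.exe 81
PID 2928 wrote to memory of 316 2928 svchost.exe 8
"""

# Constructed from the report's "Processes" tree: pid -> (image, parent pid).
# None marks a top-level process that existed before the sample ran.
PROCESSES = {
    316: ("dwm.exe", None),
    760: ("fontdrvhost.exe", None),
    768: ("fontdrvhost.exe", None),
    3300: ("Explorer.EXE", None),
    3916: ("rundll32.exe", None),
    4940: ("NEAS.693c14bc43b49bae8d393fe1c5a51300_JC.exe", 3300),
    3364: ("Global.exe", 4940),
    2928: ("svchost.exe (dropped copy, not the system binary)", 3364),
    1440: ("system.exe", 2928),
    2376: ("system.exe", 2928),
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_writes(text):
    """Return (writer_pid, target_pid, writer_image) tuples, dropping exact repeats."""
    seen, out = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        key = (int(m.group(1)), int(m.group(2)), m.group(3))
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def is_descendant(pid, ancestor, processes):
    """True if pid sits below ancestor in the process tree."""
    parent = processes.get(pid, (None, None))[1]
    while parent is not None:
        if parent == ancestor:
            return True
        parent = processes.get(parent, (None, None))[1]
    return False


def injection_summary(rows, processes):
    """Per writer PID: targets that are its own descendants vs. foreign processes."""
    per_writer = defaultdict(set)
    for writer, target, _image in parse_writes(rows):
        per_writer[writer].add(target)
    summary = {}
    for writer, targets in per_writer.items():
        own = sorted(t for t in targets if is_descendant(t, writer, processes))
        foreign = sorted(t for t in targets if t not in own)
        summary[writer] = {
            "image": processes[writer][0],
            "own_children": own,
            "foreign": [(t, processes.get(t, ("<not in tree>", None))[0]) for t in foreign],
        }
    return summary


if __name__ == "__main__":
    for writer, info in injection_summary(WRITE_ROWS, PROCESSES).items():
        print(f"{writer} {info['image']}")
        print(f"  writes into own children: {info['own_children']}")
        for pid, image in info["foreign"]:
            print(f"  writes into foreign process {pid} ({image})")
```

A write to a process the writer just created is what any launcher or process-hollowing loader produces; a write into dwm.exe, fontdrvhost.exe or Explorer.EXE has no such explanation, so the "foreign" list is the part worth carrying into a detection rule or a memory-forensics scope.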
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (9)
Downloads
-
Filesize 4KB
MD5 e72c9789ac7232e3b36766eb2a8f8da6
SHA1 a37a9f18e227d103bb4e1ecac0834c2cdf99d112
SHA256 7b03603cbc56105470b4bfb250d0ef18fa93126475e2872d63dc52c35866d2a9
SHA512 666a2592c5303a1f42a8bbddc2a8e5d3289c612be7401e3530a3afd70d8243276645bad00a82f3254674307583dabae49c16204e790200a34b0707813265f6d0
-
Filesize 368KB (this entry appears six times in the original list; all six carry the hashes of the submitted sample)
MD5 693c14bc43b49bae8d393fe1c5a51300
SHA1 445c720c5628b40e9bc90b846873b1b79289da10
SHA256 5b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA512 55f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
256B
MD57d83e571ece2ea3ea265faeda6e51c17
SHA19bd0d34ae523d5111038d0d45fede7e117f9311f
SHA256cce2618b02188cddecc1770e206bda7d0c9d251f4d22d05b7fe2330ccd637c4e
SHA5125c9fac6d080f14d9343151c052e8977344eb961b98de4f2ba72690ceb6fa79be2101c212db74c6bd1e5debdc9d5107cffd6121ee7b55aa33fa5606ee2b97f402
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
368KB
MD5693c14bc43b49bae8d393fe1c5a51300
SHA1445c720c5628b40e9bc90b846873b1b79289da10
SHA2565b6162ddd7028e8373edf5cb507aa7a984f13f289ab259a71573a40ed66a9450
SHA51255f5269d7202c637a302c4adcef894562a8c20708ca2ea90dd19e194aef0ac53d68a7ca03f103c29cf28ec7d7fc03c54eeb817b3f8ece2cc7b1255e1df0cb0d2
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
97KB
MD5e7e276cb7878bf484ab3043a6e0380cf
SHA180e7244bc11a53b00fa39453465c1b4983629a56
SHA256795d3de401d5226168506bbd841b113ac601bb9e93c20eaacf2e76e3605aaf67
SHA512bc6c8d3c9b0af720019da57769333849d6f699de175d47c2cff8342d47f1b0f42b33c14590d4e9f7a4aa8d498cce9d9bf1edf3607182582f4ff2d4aed6dace57
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
Filesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c