Resubmissions
28-11-2024 02:19
241128-cr9sks1kht 10 27-11-2024 21:08
241127-zyzyaawqgn 10 27-11-2024 20:16
241127-y145caymbs 10 27-11-2024 20:13
241127-yzlxdavlen 10 27-11-2024 19:53
241127-yl61dsxpcs 10 27-11-2024 19:38
241127-ycrjcaxkfx 10 27-11-2024 19:03
241127-xqsswsslej 10 27-11-2024 19:03
241127-xqf44aslcr 3 27-11-2024 19:02
241127-xpxqfsslan 3 27-11-2024 18:32
241127-w6pkqs1mek 10
Analysis
-
max time kernel
621s -
max time network
623s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system -
submitted
09-05-2024 01:44
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win11-20240426-en
Behavioral task
behavioral3
Sample
New Text Document mod.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
New Text Document mod.exe
Resource
win11-20240508-en
Behavioral task
behavioral5
Sample
New Text Document mod.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
New Text Document mod.exe
Resource
win11-20240426-en
Errors
General
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Malware Config
Extracted
remcos
RemoteHost
107.173.4.16:2560
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-KDW6BI
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
0.5.8
Default
NvCHbLc8lsi9
-
delay
3
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.ai/raw/o87oy6ywss
Extracted
redline
7001210066
https://pastebin.com/raw/KE5Mft0T
Extracted
redline
5637482599
https://pastebin.com/raw/NgsUAPya
Extracted
redline
5345987420
https://pastebin.com/raw/KE5Mft0T
Extracted
socks5systemz
http://aqtevem.ru/search/?q=67e28dd8655ba77a135ffe187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978a571ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffa13c1e6979933
http://aqtevem.ru/search/?q=67e28dd8655ba77a135ffe187c27d78406abdd88be4b12eab517aa5c96bd86ec90864e845a8bbc896c58e713bc90c91d36b5281fc235a925ed3e06d6bd974a95129070b616e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee90983ac46d951e
Signatures
-
Detect Blackmoon payload 2 IoCs
resource yara_rule behavioral6/files/0x000300000002aa5e-1266.dat family_blackmoon behavioral6/files/0x000300000002aa5f-1278.dat family_blackmoon -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral6/memory/5108-1582-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral6/memory/3556-1864-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral6/memory/4712-1874-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Async RAT payload 1 IoCs
resource yara_rule behavioral6/files/0x000300000002aa24-1205.dat family_asyncrat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ PCHunter64_new.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ PCHunter64_pps.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2404 powershell.exe -
Downloads MZ/PE file
-
Sets file execution options in registry 2 TTPs 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Key deleted 
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] -
Sets service image path in registry 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64_pps\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\PCHunter64_pps.sys" PCHunter64_pps.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wkqzofmvqjygcpqi\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\wkqzofmvqjygcpqi.sys" PCHunter64_pps.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bqgybicipzorkr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\bqgybicipzorkr.sys" PCHunter64_pps.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64_newas\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\PCHunter64_newas.sys" PCHunter64_new.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vvzvmjlmvxqvbgcr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\vvzvmjlmvxqvbgcr.sys" PCHunter64_new.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sjmsikjaixsjypfb\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\sjmsikjaixsjypfb.sys" PCHunter64_new.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eeuxdtdlhodslrmho\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\eeuxdtdlhodslrmho.sys" PCHunter64_new.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64_ppsas\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\PCHunter64_ppsas.sys" PCHunter64_pps.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\shlwkgkidiauagls\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\shlwkgkidiauagls.sys" PCHunter64_pps.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64_new\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\PCHunter64_new.sys" PCHunter64_new.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion PCHunter64_new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PCHunter64_new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion PCHunter64_pps.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PCHunter64_pps.exe -
Executes dropped EXE 45 IoCs
pid Process 1220 lomik.exe 2720 eee01.exe 944 update.exe 2808 hjv.exe 4840 HJCL.exe 2340 HJCL.exe 1808 AnyDesk.exe 3464 AnyDesk.exe 1888 AnyDesk.exe 3132 060.exe 1304 060.tmp 4960 cdstudio32.exe 4288 cdstudio32.exe 1004 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 1600 ngrok.exe 4960 Discord.exe 4364 artifact.exe 4228 ProjectE_5.exe 4120 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] 3452 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] 2348 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] 3984 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] 2320 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] 4936 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] 2868 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] 4808 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] 1088 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] 5064 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] 3592 PH32.exe 3444 dControl.exe 1668 dControl.exe 4384 VmManagedSetup.exe 4056 dControl.exe 4784 PCHunter64_pps.exe 1856 PCHunter64_new.exe 3364 140.exe 3916 158.exe 4848 crazyCore.exe 1772 73.exe 2312 142.exe 2564 libcef.sfx.exe 3000 libcef.exe 1784 svcyr.exe 4772 tynbyc.exe -
Loads dropped DLL 33 IoCs
pid Process 2808 hjv.exe 2808 hjv.exe 708 hjv.exe 1888 AnyDesk.exe 3464 AnyDesk.exe 1304 060.tmp 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 4192 cryptography_module_windows.exe 3000 libcef.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral6/files/0x000400000002aa6c-1540.dat themida behavioral6/memory/4784-1548-0x0000000140000000-0x0000000141242000-memory.dmp themida behavioral6/files/0x000600000002aa6e-1554.dat themida behavioral6/memory/1856-1560-0x0000000140000000-0x000000014118D000-memory.dmp themida behavioral6/memory/4784-1718-0x0000000140000000-0x0000000141242000-memory.dmp themida behavioral6/memory/1856-1724-0x0000000140000000-0x000000014118D000-memory.dmp themida -
resource yara_rule behavioral6/files/0x000400000002aa6a-1423.dat upx behavioral6/memory/3444-1430-0x0000000000400000-0x00000000004CD000-memory.dmp upx behavioral6/memory/3444-1457-0x0000000000400000-0x00000000004CD000-memory.dmp upx behavioral6/memory/1668-1458-0x0000000000400000-0x00000000004CD000-memory.dmp upx behavioral6/memory/1668-1482-0x0000000000400000-0x00000000004CD000-memory.dmp upx behavioral6/memory/4056-1481-0x0000000000400000-0x00000000004CD000-memory.dmp upx behavioral6/memory/4056-1617-0x0000000000400000-0x00000000004CD000-memory.dmp upx behavioral6/memory/3000-2212-0x000000006ED60000-0x000000006EFC7000-memory.dmp upx behavioral6/memory/3000-2341-0x000000006ED60000-0x000000006EFC7000-memory.dmp upx -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 45.155.250.90 -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Public\\Documents\\libcef.exe" libcef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\VmManagedSetup.exe'\"" VmManagedSetup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PCHunter64_pps.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PCHunter64_new.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs
flow ioc 88 2.tcp.eu.ngrok.io 147 2.tcp.eu.ngrok.io 194 2.tcp.eu.ngrok.io 375 pastebin.com 487 pastebin.com 536 pastebin.com 4 2.tcp.eu.ngrok.io 622 pastebin.com 927 2.tcp.eu.ngrok.io 967 pastebin.com 336 pastebin.com 552 2.tcp.eu.ngrok.io 686 pastebin.com 146 pastebin.com 198 pastebin.com 732 2.tcp.eu.ngrok.io 794 pastebin.com 867 pastebin.com 964 2.tcp.eu.ngrok.io 186 2.tcp.eu.ngrok.io 342 2.tcp.eu.ngrok.io 966 pastebin.com 149 pastebin.com 164 pastebin.com 232 pastebin.com 498 2.tcp.eu.ngrok.io -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 eee01.exe -
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral6/memory/3444-1430-0x0000000000400000-0x00000000004CD000-memory.dmp autoit_exe behavioral6/memory/3444-1457-0x0000000000400000-0x00000000004CD000-memory.dmp autoit_exe behavioral6/memory/1668-1458-0x0000000000400000-0x00000000004CD000-memory.dmp autoit_exe behavioral6/memory/1668-1482-0x0000000000400000-0x00000000004CD000-memory.dmp autoit_exe behavioral6/memory/4056-1617-0x0000000000400000-0x00000000004CD000-memory.dmp autoit_exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 708 hjv.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 1220 lomik.exe 1220 lomik.exe 2808 hjv.exe 1220 lomik.exe 708 hjv.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 4784 PCHunter64_pps.exe 1856 PCHunter64_new.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe 1220 lomik.exe -
Suspicious use of SetThreadContext 9 IoCs
description pid Process procid_target PID 2808 set thread context of 708 2808 hjv.exe 91 PID 4840 set thread context of 2340 4840 HJCL.exe 96 PID 708 set thread context of 2216 708 hjv.exe 77 PID 708 set thread context of 848 708 hjv.exe 97 PID 848 set thread context of 2216 848 EhStorAuthn.exe 77 PID 848 set thread context of 1588 848 EhStorAuthn.exe 98 PID 3364 set thread context of 5108 3364 140.exe 145 PID 1772 set thread context of 3556 1772 73.exe 155 PID 2312 set thread context of 4712 2312 142.exe 156 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\tynbyc.exe svcyr.exe File opened for modification C:\Windows\tynbyc.exe svcyr.exe -
Detects Pyinstaller 4 IoCs
resource yara_rule behavioral6/files/0x000100000002aa37-1043.dat pyinstaller behavioral6/files/0x000100000002aa37-1042.dat pyinstaller behavioral6/files/0x000100000002aa37-1102.dat pyinstaller behavioral6/files/0x000100000002aa37-1040.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 11 IoCs
pid pid_target Process procid_target 3448 944 WerFault.exe 83 248 944 WerFault.exe 83 4876 2720 WerFault.exe 82 3568 2720 WerFault.exe 82 2056 3916 WerFault.exe 142 2440 2720 WerFault.exe 82 1500 2720 WerFault.exe 82 4780 2720 WerFault.exe 82 2028 2720 WerFault.exe 82 4252 2720 WerFault.exe 82 2108 2720 WerFault.exe 82 -
NSIS installer 2 IoCs
resource yara_rule behavioral6/files/0x000100000002aa11-44.dat nsis_installer_1 behavioral6/files/0x000100000002aa11-44.dat nsis_installer_2 -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz tynbyc.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AnyDesk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AnyDesk.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tynbyc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3796 schtasks.exe -
description ioc Process Key created \Registry\User\S-1-5-21-2551177587-3778486488-1329702901-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 EhStorAuthn.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194
a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a PH32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 PH32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 PH32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4840 HJCL.exe 4840 HJCL.exe 2404 powershell.exe 2404 powershell.exe 708 hjv.exe 708 hjv.exe 708 hjv.exe 708 hjv.exe 708 hjv.exe 708 hjv.exe 708 hjv.exe 708 hjv.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 3464 AnyDesk.exe 3464 AnyDesk.exe 1600 ngrok.exe 1600 ngrok.exe 1600 ngrok.exe 1600 ngrok.exe 3444 dControl.exe 3444 dControl.exe 3444 dControl.exe 3444 dControl.exe 3444 dControl.exe 3444 dControl.exe 1668 dControl.exe 1668 dControl.exe 1668 dControl.exe 1668 dControl.exe 1668 dControl.exe 1668 dControl.exe 4056 dControl.exe 4056 dControl.exe 5108 RegAsm.exe 4848 crazyCore.exe 4848 crazyCore.exe 3556 RegAsm.exe 3556 RegAsm.exe 4712 RegAsm.exe 4712 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3556 RegAsm.exe 3592 PH32.exe 3592 PH32.exe 3592 PH32.exe 3592 PH32.exe 3592 PH32.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4056 dControl.exe 3592 PH32.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 4784 PCHunter64_pps.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe 1856 PCHunter64_new.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
pid Process 2808 hjv.exe 708 hjv.exe 2216 New Text Document mod.exe 2216 New Text Document mod.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe 848 EhStorAuthn.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2216 New Text Document mod.exe Token: SeDebugPrivilege 4840 HJCL.exe Token: SeDebugPrivilege 2404 powershell.exe Token: SeDebugPrivilege 4960 Discord.exe Token: SeDebugPrivilege 4120 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 4120 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 4120 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 3452 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 3452 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 3452 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 2348 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 2348 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 2348 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 3984 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 3984 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 3984 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 2320 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 2320 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 2320 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 4936 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 4936 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 4936 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 2868 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 2868 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 2868 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 4808 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email 
protected] Token: SeBackupPrivilege 4808 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 4808 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 1088 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 1088 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 1088 %E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 5064 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeBackupPrivilege 5064 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeRestorePrivilege 5064 %E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected] Token: SeDebugPrivilege 3592 PH32.exe Token: SeIncBasePriorityPrivilege 3592 PH32.exe Token: 33 3592 PH32.exe Token: SeLoadDriverPrivilege 3592 PH32.exe Token: SeProfSingleProcessPrivilege 3592 PH32.exe Token: SeRestorePrivilege 3592 PH32.exe Token: SeShutdownPrivilege 3592 PH32.exe Token: SeTakeOwnershipPrivilege 3592 PH32.exe Token: SeDebugPrivilege 3444 dControl.exe Token: SeAssignPrimaryTokenPrivilege 3444 dControl.exe Token: SeIncreaseQuotaPrivilege 3444 dControl.exe Token: 0 3444 dControl.exe Token: SeDebugPrivilege 1668 dControl.exe Token: SeAssignPrimaryTokenPrivilege 1668 dControl.exe Token: SeIncreaseQuotaPrivilege 1668 dControl.exe Token: SeDebugPrivilege 1856 PCHunter64_new.exe Token: SeDebugPrivilege 4784 PCHunter64_pps.exe Token: SeDebugPrivilege 5108 RegAsm.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: 
SeLoadDriverPrivilege 4784 PCHunter64_pps.exe Token: SeLoadDriverPrivilege 4784 PCHunter64_pps.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1888 AnyDesk.exe 1888 AnyDesk.exe 1888 AnyDesk.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1888 AnyDesk.exe 1888 AnyDesk.exe 1888 AnyDesk.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe 4056 dControl.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
1220 lomik.exe
2340 HJCL.exe
1856 PCHunter64_new.exe
4784 PCHunter64_pps.exe
4784 PCHunter64_pps.exe
1856 PCHunter64_new.exe
3000 libcef.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2216 wrote to memory of 1220 | 2216 New Text Document mod.exe | 81
PID 2216 wrote to memory of 1220 | 2216 New Text Document mod.exe | 81
PID 2216 wrote to memory of 1220 | 2216 New Text Document mod.exe | 81
PID 2216 wrote to memory of 2720 | 2216 New Text Document mod.exe | 82
PID 2216 wrote to memory of 2720 | 2216 New Text Document mod.exe | 82
PID 2216 wrote to memory of 2720 | 2216 New Text Document mod.exe | 82
PID 2216 wrote to memory of 944 | 2216 New Text Document mod.exe | 83
PID 2216 wrote to memory of 944 | 2216 New Text Document mod.exe | 83
PID 2216 wrote to memory of 944 | 2216 New Text Document mod.exe | 83
PID 2216 wrote to memory of 2808 | 2216 New Text Document mod.exe | 84
PID 2216 wrote to memory of 2808 | 2216 New Text Document mod.exe | 84
PID 2216 wrote to memory of 2808 | 2216 New Text Document mod.exe | 84
PID 2216 wrote to memory of 4840 | 2216 New Text Document mod.exe | 85
PID 2216 wrote to memory of 4840 | 2216 New Text Document mod.exe | 85
PID 2216 wrote to memory of 4840 | 2216 New Text Document mod.exe | 85
PID 2808 wrote to memory of 708 | 2808 hjv.exe | 91
PID 2808 wrote to memory of 708 | 2808 hjv.exe | 91
PID 2808 wrote to memory of 708 | 2808 hjv.exe | 91
PID 2808 wrote to memory of 708 | 2808 hjv.exe | 91
PID 2808 wrote to memory of 708 | 2808 hjv.exe | 91
PID 4840 wrote to memory of 2404 | 4840 HJCL.exe | 92
PID 4840 wrote to memory of 2404 | 4840 HJCL.exe | 92
PID 4840 wrote to memory of 2404 | 4840 HJCL.exe | 92
PID 4840 wrote to memory of 3796 | 4840 HJCL.exe | 93
PID 4840 wrote to memory of 3796 | 4840 HJCL.exe | 93
PID 4840 wrote to memory of 3796 | 4840 HJCL.exe | 93
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 4840 wrote to memory of 2340 | 4840 HJCL.exe | 96
PID 2216 wrote to memory of 848 | 2216 New Text Document mod.exe | 97
PID 2216 wrote to memory of 848 | 2216 New Text Document mod.exe | 97
PID 2216 wrote to memory of 848 | 2216 New Text Document mod.exe | 97
PID 848 wrote to memory of 1588 | 848 EhStorAuthn.exe | 98
PID 848 wrote to memory of 1588 | 848 EhStorAuthn.exe | 98
PID 2216 wrote to memory of 1808 | 2216 New Text Document mod.exe | 99
PID 2216 wrote to memory of 1808 | 2216 New Text Document mod.exe | 99
PID 2216 wrote to memory of 1808 | 2216 New Text Document mod.exe | 99
PID 1808 wrote to memory of 3464 | 1808 AnyDesk.exe | 100
PID 1808 wrote to memory of 3464 | 1808 AnyDesk.exe | 100
PID 1808 wrote to memory of 3464 | 1808 AnyDesk.exe | 100
PID 1808 wrote to memory of 1888 | 1808 AnyDesk.exe | 101
PID 1808 wrote to memory of 1888 | 1808 AnyDesk.exe | 101
PID 1808 wrote to memory of 1888 | 1808 AnyDesk.exe | 101
PID 2216 wrote to memory of 3132 | 2216 New Text Document mod.exe | 103
PID 2216 wrote to memory of 3132 | 2216 New Text Document mod.exe | 103
PID 2216 wrote to memory of 3132 | 2216 New Text Document mod.exe | 103
PID 3132 wrote to memory of 1304 | 3132 060.exe | 104
PID 3132 wrote to memory of 1304 | 3132 060.exe | 104
PID 3132 wrote to memory of 1304 | 3132 060.exe | 104
PID 1304 wrote to memory of 4960 | 1304 060.tmp | 115
PID 1304 wrote to memory of 4960 | 1304 060.tmp | 115
PID 1304 wrote to memory of 4960 | 1304 060.tmp | 115
PID 1304 wrote to memory of 4288 | 1304 060.tmp | 106
PID 1304 wrote to memory of 4288 | 1304 060.tmp | 106
PID 1304 wrote to memory of 4288 | 1304 060.tmp | 106
Processes
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe" [PID 2216]
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\a\lomik.exe" [PID 1220]
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
  "C:\Users\Admin\AppData\Local\Temp\a\eee01.exe" [PID 2720]
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 724 [PID 4876]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 732 [PID 3568]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 720 [PID 2440]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 704 [PID 1500]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 788 [PID 4780]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 728 [PID 2028]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 732 [PID 4252]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 716 [PID 2108]
      - Program crash
  "C:\Users\Admin\AppData\Local\Temp\a\update.exe" [PID 944]
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 400 [PID 3448]
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1212 [PID 248]
      - Program crash
  "C:\Users\Admin\AppData\Local\Temp\a\hjv.exe" [PID 2808]
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\a\hjv.exe" [PID 708]
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  "C:\Users\Admin\AppData\Local\Temp\a\HJCL.exe" [PID 4840]
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ButRGiQXIZcKdy.exe" [PID 2404; image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe]
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ButRGiQXIZcKdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC69C.tmp" [PID 3796; image: C:\Windows\SysWOW64\schtasks.exe]
      - Creates scheduled task(s)
    "C:\Users\Admin\AppData\Local\Temp\a\HJCL.exe" [PID 2340]
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  "C:\Windows\SysWOW64\EhStorAuthn.exe" [PID 848]
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    "C:\Program Files\Mozilla Firefox\Firefox.exe" [PID 1588]
  "C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" [PID 1808]
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service [PID 3464]
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
    "C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control [PID 1888]
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  "C:\Users\Admin\AppData\Local\Temp\a\060.exe" [PID 3132]
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\is-9DQLV.tmp\060.tmp" /SL5="$110026,4328255,54272,C:\Users\Admin\AppData\Local\Temp\a\060.exe" [PID 1304]
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      "C:\Users\Admin\AppData\Local\CD Studio\cdstudio32.exe" -i [PID 4960]
        - Executes dropped EXE
      "C:\Users\Admin\AppData\Local\CD Studio\cdstudio32.exe" -s [PID 4288]
        - Executes dropped EXE
  "C:\Users\Admin\AppData\Local\Temp\a\cryptography_module_windows.exe" [PID 1004]
    - Executes dropped EXE
    "C:\Users\Admin\AppData\Local\Temp\a\cryptography_module_windows.exe" [PID 4192]
      - Executes dropped EXE
      - Loads dropped DLL
  "C:\Users\Admin\AppData\Local\Temp\a\ngrok.exe" [PID 1600]
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe" [PID 4960]
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\artifact.exe" [PID 4364]
    - Executes dropped EXE
  "C:\Users\Admin\AppData\Local\Temp\a\ProjectE_5.exe" [PID 4228]
    - Executes dropped EXE
  "C:\Users\Admin\AppData\Local\Temp\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]" [PID 4120]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]" [PID 3452]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]" [PID 2348]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]" [PID 3984]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]" [PID 2320]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]" [PID 4936]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]" [PID 2868]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]" [PID 4808]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]" [PID 1088]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]" [PID 5064]
    - Sets file execution options in registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\PH32.exe" [PID 3592]
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\dControl.exe" [PID 3444]
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\a\dControl.exe [PID 1668]
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      "C:\Users\Admin\AppData\Local\Temp\a\dControl.exe" /TI [PID 4056]
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
  "C:\Users\Admin\AppData\Local\Temp\a\VmManagedSetup.exe" [PID 4384]
    - Executes dropped EXE
    - Adds Run key to start application
  "C:\Users\Admin\AppData\Local\Temp\a\PCHunter64_pps.exe" [PID 4784]
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  "C:\Users\Admin\AppData\Local\Temp\a\PCHunter64_new.exe" [PID 1856]
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  "C:\Users\Admin\AppData\Local\Temp\a\140.exe" [PID 3364]
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" [PID 5056]
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" [PID 5108]
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\a\158.exe" [PID 3916]
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1264 [PID 2056]
      - Program crash
  "C:\Users\Admin\AppData\Local\Temp\a\crazyCore.exe" [PID 4848]
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\AppData\Local\Temp\a\73.exe" [PID 1772]
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" [PID 772]
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" [PID 1576]
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" [PID 3556]
      - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\AppData\Local\Temp\a\142.exe" [PID 2312]
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" [PID 4712]
      - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\AppData\Local\Temp\a\libcef.sfx.exe" [PID 2564]
    - Executes dropped EXE
    "C:\Users\Public\Documents\libcef.exe" [PID 3000]
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx
  "C:\Users\Admin\AppData\Local\Temp\a\svcyr.exe" [PID 1784]
    - Executes dropped EXE
    - Drops file in Windows directory
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 944 -ip 944 [PID 2596]
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 944 -ip 944 [PID 1340]
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2720 -ip 2720 [PID 4432]
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2720 -ip 2720 [PID 1124]
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3916 -ip 3916 [PID 4764]
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2720 -ip 2720 [PID 3692]
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2720 -ip 2720 [PID 2280]
C:\Windows\tynbyc.exe [PID 4772]
  - Executes dropped EXE
  - Checks processor information in registry
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2720 -ip 2720 [PID 2848]
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2720 -ip 2720 [PID 1156]
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2720 -ip 2720 [PID 3652]
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2720 -ip 2720 [PID 728]
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (5)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 212B
  MD5: a574b0d0b6f937bfd6a504879a0e98ad
  SHA1: a207d3b745ae1bd3ae43c5900624cff47912338e
  SHA256: 3bbcbb8a1d24e327a841007f8f06c1f88718f564979658179a6784a84227e1b5
  SHA512: 82f426b4b15075df1174c98d764284fb12c24975ce1436804f739496dfeb918fdc8cb27a3196ca6346a62ab6064039b54660e72ba3584c006846c9e5eec58ac6
- Filesize: 1.9MB
  MD5: aeb44632160f82be1ddd679feffca62a
  SHA1: 5d5a2be0283b77acac3c6270f1a68ee4d598cf62
  SHA256: 98e752b4ceb1dbc5c256eeff698dd2c3f1738b8369f737f75acff718a0dc90a3
  SHA512: ea239d4ebb78c6c908a9df5bbda853b2a2aa2dd468cbcd8abdb559d18e2527792c0feacb78f77de799106990dab138de0623be2af02fa4191a115b0d38dd2f4b
- Filesize: 448KB
  MD5: fc1bc730b97ef78af9f19d3e76d93db6
  SHA1: 322cf3a00aea2022b9f44d049acbd185a45ae068
  SHA256: 47e4a923de426bc2e9c73db0b7a154e7b6c865165768bb195ad2714b802a0b5b
  SHA512: bb22420b4a3ced6c8d897caf5d662b1be246428abf6b6afa7d5d82955987ba60e7a33b8eddd467509925bec72df9361d39de1db175e240db090846bdb08fc41a
- Filesize: 448KB
  MD5: b521f3e715e8bd6b534ad52d0b1c2613
  SHA1: a2c073959d014fd5719ca8112182486359d1ed46
  SHA256: 25fe45a913106290932bc7a9a19d03386e6ae34cc9203953ebfc069263938ce4
  SHA512: b84dc6a2043015f78dba6201f3a0675a95da7889397c5223679f059660dbc5b60300360c5f732a918f36f640999f807592ae58c3338ac309f0d4f2d8e31214d2
- Filesize: 37KB
  MD5: 3bc9acd9c4b8384fb7ce6c08db87df6d
  SHA1: 936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
  SHA256: a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
  SHA512: f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375
- Filesize: 94KB
  MD5: a87575e7cf8967e481241f13940ee4f7
  SHA1: 879098b8a353a39e16c79e6479195d43ce98629e
  SHA256: ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
  SHA512: e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0
- Filesize: 116KB
  MD5: 41a9708af86ae3ebc358e182f67b0fb2
  SHA1: accab901e2746f7da03fab8301f81a737b6cc180
  SHA256: 0bd4ed11f2fb097f235b62eb26a00c0cb16815bbf90ab29f191af823a9fed8cf
  SHA512: 835f9aa33fdfbb096c31f8ac9a50db9fac35918fc78bce03dae55ea917f738a41f01aee4234a5a91ffa5bdbbd8e529399205592eb0cae3224552c35c098b7843
- Filesize: 812KB
  MD5: ab6d3149a35e6baddf630cdcefe0dab5
  SHA1: 44cdb197e8e549a503f6cfcb867a83bf2214d01c
  SHA256: 1d91fa604893531393f83e03e68eb97d2c14c2d957ed33877d2b27b7c30ce059
  SHA512: 28a882e86d92d42ff983b68445cc90431c2b65b7ec3abbffb5585a9750d67b8b52a1361e20d4d80ca4a30b927fe543a2e9c9a65c1846e42a112b511ddc59545a
- Filesize: 2.1MB
  MD5: 6c7199469af2e09291dd2479f6edde3d
  SHA1: 59f5ffbc2f5fbe1090a8aa74f194d7625a955f13
  SHA256: 5fb959091c855a6685c7bd8ea36f12d8594300a53a8e369bb418d313b2651ba8
  SHA512: 3c24d547e304c35bf57bdf64fe2f169d44f83b85ec505e661079ff1c9d1ca3dc649078c1d7af9d8caa93e1f26eec3889ea68a189fe830cb939ac229bcdb3429e
- Filesize: 4.2MB
  MD5: c6c37b848273e2509a7b25abe8bf2410
  SHA1: b27cfbd31336da1e9b1f90e8f649a27154411d03
  SHA256: b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8
  SHA512: 222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
  Filesize: 836KB
  MD5: 90dd8d89f6e412b975b0c63813d38771
  SHA1: 3eac8cb70cbb0cac16a0833ec5d9854bba7d2346
  SHA256: a7cd3dc3918f3d976545d24228b8d29aac13198c9f1594afa89eb5d64c4f70c4
  SHA512: 50d01634d3c3a4ca75fe8c49f2ddef4605c44d56d435e12256cc3627a9a59e2b61315e1787a42dbe9be175762fc3d42bf80d2cdba73e41b1f060462868ef1b24
- C:\Users\Admin\AppData\Local\Temp\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
  Filesize: 837KB
  MD5: 5433ce5f372e78ea0feac807b5e80cf0
  SHA1: 94cf39d63be2da0a86126c2d31e2d94ce1f29c32
  SHA256: d65fecea3682295083a14185d4c448d22dd676bb4172ae78cf67554212497cbf
  SHA512: cd2abe7ccff9359aa2116ba3e4927fb748f106010158b46727fca7f8e882a7f38faea47ca1f880f11cfc72e3b18770ac3d84d951b90ac2caf93c1b2a5ac573ae
- Filesize: 1.6MB
  MD5: ee17e9b30abba533ea8b0821aac9de21
  SHA1: 01b152e43e73fa12e70017c831b0f01cd66722ff
  SHA256: 458cfa44655ce59d76aa50469e6df699848ca44f518b2857738371a1dce080a7
  SHA512: a019a6adbda9688c05a8389f0273b33938b90d5b5aae9ceef32f63f5e090611f3f063a5d145217bc130f99cc05ddd0c7ec629cd6f2f4acfb2f727d93badd641f
- Filesize: 2.1MB
  MD5: f6dc86926ec981b84bce1162d7598217
  SHA1: 2616bcd445607ad978a6086f9f15cd33e5406da6
  SHA256: 9181c11d632ac97bc20adaa0512c13f06caba7c18afd79c170b499934fe07a33
  SHA512: f36af8d070c71f60615534d44ebcf89f9fe40b69b6612979770cf7ac3371705fc64552a1794bc5f4cb48579d1210d543eff0ca368feb5a58e3a07f7c824c3292
- Filesize: 448KB
  MD5: 7ebd43f3a56d906aedb1cc97410438fe
  SHA1: ca3c7de4bab99f3d11dd932cc301a93bf2964281
  SHA256: ec9974a80372c55f1cf4cd78200c5369a5e8c03afb8fb925ce81d4a192978bd6
  SHA512: f90f506c307a221fc83476d9da1d575d0568217a17fff3dc6578444a670d1a6feb1393902386b2720ad6f617e0cdf4029db98a34ce8923c4111e691da937cd92
- Filesize: 267KB
  MD5: 0a4867a6a81fa3de88e5abebfbce8c6d
  SHA1: b2fd89124e8ff8141dc151ae97124378370e6002
  SHA256: 6af45dc7913cddfc1408ea0cb202385a2688d1913dfb62948cac1587fc97eb51
  SHA512: 08dd37a98f7d6a4254d6772c74df72be5076fedd25f446a4271886998034027a2c924cccfd505eb73bc05d9a252b0842a48b91e5727a95473089f03ca74ed333
- Filesize: 267KB
  MD5: d789090cbd06fe803da671c1a309ca3d
  SHA1: 3c5e1b7c54427ce354d63ec84b28fd805b7b12f0
  SHA256: 7d2cda1bd16632cd707547c2e690f9155b7102a447f14c6a7e27e6148662c5c2
  SHA512: 1a059019c9dbaf0af44d76d49f2fab6383966cd27ec01a377924d99d7b56a57d356af96df90a2aa970446ecee10d80a8c154bef2bb1b10fd35dc1c7a8a3b0652
- Filesize: 278KB
  MD5: f700c7059dcb4db8b23e7f31ec135b7b
  SHA1: 5f396e6e296ad01765c0e090dbb0130698531b91
  SHA256: b5e6dde637ff9dbc4dc8602c2340a4697009e2e4f1d876b9aaa6d7d0608cfcc6
  SHA512: 93f98687c55f6d1d6e58a42b8fe8de9ef8e5a7b0d9cefc9987d3d94b5332f1ea3672aefb97ae8aaf37a8b078a4206d83c4550f7fc2a0e58105d55f9fd3afc256
- Filesize: 267KB
  MD5: badb07000ee512419746fa1055631ac5
  SHA1: 53b2709a63e49720e3aa8d6ada4140eaa48bdaa2
  SHA256: b121da5d4ea405453284cbcf001e750feb3eaf4c3a4cb35d2cd44ecf96f85584
  SHA512: 30f399df2ece75bfe1a0b418dfcbc1e1010b972fdb20a659bcd0a63bc24123e37d22c2ae3d62baf56fa75267a0d67bfebf6c6dd83e580a5ab01ec615287647b1
- Filesize: 5.3MB
  MD5: 75eecc3a8b215c465f541643e9c4f484
  SHA1: 3ad1f800b63640128bfdcc8dbee909554465ee11
  SHA256: ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
  SHA512: b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff
- Filesize: 47KB
  MD5: f0d723bcc3e6a9b9c2bce6662d7c5075
  SHA1: 20351c296e09300073a7172eba2c5b83b63af5ef
  SHA256: c2581f5f80995248435855de78cc4821630ae367d05fe204f032dda3e65abda8
  SHA512: 2fc7bb4c3496328f678766ad230529049f90f4f98c5338de79d7d7a7e3546c5a0e430cb337c2bfb833f6dc67cb69f61c14e5b5b91d9e0ba917b9c32468ee2dbc
- Filesize: 1.4MB
  MD5: 41865f7b2afe5058e695579cbed1e92f
  SHA1: 9814e78d809e260e294ae85bbe69fe21916f6f7b
  SHA256: 7e6ba6f340da6ec5121f2c910b376fe4a23adeed64ab239a295864c136eb40b1
  SHA512: cd64b5468afb9cbab925c7da671726e54d00872eaee60f346f03ebbbc8b955689249e688e11177fcaa9e7451d085628c0bad2ee24e0632d7362258ee2b3117b6
- Filesize: 6.8MB
  MD5: a2ed2bf5957b0b2d33eb778a443d15d0
  SHA1: 889b45e70070c3ef4b8cd900fdc43140a5ed8105
  SHA256: 866f59529cf4e0a4c2c4bcd2b9d5d18ece73bf99470ea1be81b26f91b586b174
  SHA512: b50b7416bc75324866407e08fd9bb29b0abed501e0720bb77721ce4922d7512221f93becc9cd37efd73b4bf0984d4db5a4da13e896f988256333d972e22ffba8
- Filesize: 8.3MB
  MD5: 8cafdbb0a919a1de8e0e9e38f8aa19bd
  SHA1: 63910a00e3e63427ec72e20fb0eb404cc1ff7e9c
  SHA256: 1e2e566871e5e2d6b37ed00747f8ecd4c7098d39a2fdc8f272b1ff2962122733
  SHA512: cd65da486929240c041a7c0316a23402fc0364d778056eeeb1a07cba9b0687e6604c4f46c6f0655c6e8b8992be633aac6741bc1b841e1058e1b46fca5f0bce22
- Filesize: 1.4MB
  MD5: 68f9b52895f4d34e74112f3129b3b00d
  SHA1: c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e
  SHA256: d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
  SHA512: 1cd875f9d0301b14645ea608fe61560a229ee395fa061f32675c3d84e41916998f887278d8497a5e875be22ba8fcbcfcbd878a5e2ed1746dc75430b7aed5fede
- Filesize: 1.1MB
  MD5: aabe25c748360f1575c09d77cc281e07
  SHA1: 1148798644722e1c8f762ff07e9f586118fe18cf
  SHA256: 6e3fa62d5c15ce8b5bc8766edba80407099d78e20d9ff25b8733809064faae54
  SHA512: 34a59cdd8cd5a6175b957fe48aaef964707e55c0a381265074fa8b841930938001a7dec9c6fe899e33e043d50e75ce02df0d6583e0f072123164409b3c93e09e
- Filesize: 16KB
  MD5: 7ee103ee99b95c07cc4a024e4d0fdc03
  SHA1: 885fc76ba1261a1dcce87f183a2385b2b99afd96
  SHA256: cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2
  SHA512: ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21
- Filesize: 17KB
  MD5: 3a87727e80537e3d27798bc4af55a54b
  SHA1: b0382a36de85f88a4adf23eaa7a0c779f9bf3e1f
  SHA256: bac119d2db4efdad6c6b264942e0e10ec5c3d919480b8ed2b25a747ad4e8a96e
  SHA512: 4e8d393bfda66d220a81edac93912a78d7893920773bd5f6c1dfc5a4edbc2fc8488688da984272d1b16b167bb1c233b7579c0ff78ef0a872df7bb95e4561b7c9
- Filesize: 3.6MB
  MD5: cec6feaeda0eb28ac63cdbb9c63e04ae
  SHA1: ff3a31359252cbc6fcaa7b4033a420184e1d7f90
  SHA256: 47221084d85da5023a913101803f859e4f35b24b404468d4d4659821bc7f36ad
  SHA512: 08845994ee478918c0178df0ec82d429276b201a4f06b2a4ba3c43dd0bdf38cc69efcfa41cbafeccefabb9fcd37987b1da0918932082dbecb2093ed0052e4add
- Filesize: 2.1MB
  MD5: 175a560d3f68c6df6e761843f7da1852
  SHA1: 96079b9c34df521cafebed8504def955ee934b3d
  SHA256: 60a5914ec8c521acfa2a55d0c811b676a5d86332581e6cdc1dc8d7fe1f7b6e26
  SHA512: 960d14b06dcb153555166ca0e430b77f91191056ae03fa3c07a33b742de673b3e177aea21f56f5cea3242e78b6dfc97c795bd3e3491e857d11dbfd1f7b37e8a7
- Filesize: 1.9MB
  MD5: 3c5bc50565b1f2bf60d66e3129723d98
  SHA1: de7dfd9b0cb14752e2cba7ed46b4ea3146a02507
  SHA256: ef9d6da9de38c28c714d3738da9124d63dbed5cd7d6f2a60d86c3bced0a83652
  SHA512: 16c4f176fb0411077d14af65e5c5b6a3fd56ded761131a841dccb33cea637819c29fe700f07de2800a0b76914b9c7d297252c0f41f3a4bae20963164c471655e
- Filesize: 2.0MB
  MD5: e903b5db7f97f9c8e1bb62da0af5f70f
  SHA1: 02438e53bba5967c7de08f77727136dec6618086
  SHA256: d480d669035b92ebd7573657b45fd7755bff42c145140826105521fd9ac4cb66
  SHA512: 087edbddc5b3e4e3bfc4e313c00b9472c706ce8b881d86a66aad6acd69b2099d99403d9bbf8d391ce0003f1fca592c00397a7e068c3598a7ce6e7e98ac30ecaf
- Filesize: 447KB
  MD5: 58008524a6473bdf86c1040a9a9e39c3
  SHA1: cb704d2e8df80fd3500a5b817966dc262d80ddb8
  SHA256: 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
  SHA512: 8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
- Filesize: 2KB
  MD5: 41582fbbd541b420ee8407d0111bf760
  SHA1: 314243cb36902775afc5048ce22ae51d2988fa77
  SHA256: 3ba2d31e9d665edef1794cb6073175b7d5ed443680001176f0cbb5532a01cc12
  SHA512: 3e3b5f9ca9b5bbd865e05d72753162fdb4e2c6aa16f37d96d1da8fe274230eb171fadc8097420fb2fad4afaf3a1e470b3bccc3e1c64bc30fb1188a80758bce70
- Filesize: 932KB
  MD5: 0d8af92c716952f614cc579532313f1f
  SHA1: 39f036e16402c5a8521f224f2793c71f42387b88
  SHA256: 91e903b9fad76266ecdba9dffb7041127c7eb8983b56eae664bcebdbdcdaf852
  SHA512: 7355e27521649cb164696c2b22ef2cef8732f23126fcd88a4440938f5152ceca1dcb17f1f34d588f13f36cd5034e38f7b7dd2e94d5debc692cc1630145ca3c4c
- Filesize: 385KB
  MD5: 1ce7d5a1566c8c449d0f6772a8c27900
  SHA1: 60854185f6338e1bfc7497fd41aa44c5c00d8f85
  SHA256: 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
  SHA512: 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753
- Filesize: 502KB
  MD5: 69568a88abae198f5ab9ae1578383cc2
  SHA1: 8465bb8304fcc90bc1fd0dd3da28d959258f4107
  SHA256: 06ec46f6d1f609aeafb8e8f5be8d12f8874902661394ce04094249558237c29d
  SHA512: 1bfaf5241bc2c16dd1d75363c6437b526f7d59066ab7fe88734c04e17e3fc5555a2732476586814dc131aa7cfee630597587a66ff08d1a2c67b8b6b43beca3f7
- Filesize: 1.8MB
  MD5: 9086dc170ca5e4763e6658db1931e678
  SHA1: 4988ecf058deea292d21e99b8552a379f6e21edc
  SHA256: 15485127b4f1c4bd92fc6e302ddbb998e1d966a8603534a47da80cb2e73f35c2
  SHA512: b6aeb0ab81dd4fbbc914797d6a839d3bcebd884e31468ca0a02705e86d0753cd16a39a3119066825fa6970f13c62b51d626520c1a1157f50596be211217acff4
- Filesize: 3.1MB
  MD5: d81c636dceec056448766c41f95c70bd
  SHA1: c96b12739c67bf3ea9889e0d28c783d9597ee2c7
  SHA256: 6cfad9496a2bee32a0f4dda1de58005c6592a59e7365623f5314ccae417b1055
  SHA512: 7632d9bf30cc28d3d33465a356f3aff2297792db2cc2ef17e24de7adfaa55057a4acee06c206d8b531cc2b3bc870b301fe1befda12b953ee1d7c4dc4e4ffabb4
- Filesize: 9.3MB
  MD5: f7bdcdc3ed4f175f16ae7ca9006ad87d
  SHA1: e6b3f2d64cd5e7fceda51a19e2bb517a9776e504
  SHA256: 7e4e0fca7acf800e318e3d6fc1469a4139604257ec0e3864530a8a801c35e543
  SHA512: 1e7f75a05f3a2f5206bcd2d2556b538998e105922d42b8d6e9d255d93fdc0ee6a7b3aa80b6b9b90e3f52f8a1f38e663acb4115c17c489690bf3dfb538143af57
- Filesize: 104KB
  MD5: 7edc4b4b6593bd68c65cd155b8755f26
  SHA1: 2e189c82b6b082f2853c7293af0fa1b6b94bd44b
  SHA256: dcd92ec043cb491b3de3e4f73fbe35041274a9b81d48b4377c8c9a8157c95590
  SHA512: 509b4630cf02fd7ef02893367a281bb2a361e527ea6279bf19477b2fcde5f477f5a3f8c4f1fb692406df472a52fb000aa55875469ddf5ea8ee9c411b37c1f979
- Filesize: 312KB
  MD5: eb9ccfe6044b46b7ee313c3dc9ffe966
  SHA1: 04e5c7dca38b2a78e8c21ea83f4b359ec5a46657
  SHA256: 4a4d61eb977b43d044573d215a6a112562960969288b170e8c7ab22c635c234c
  SHA512: 2a81bb17adb11abd51894d4918ac48830cf434e0fa34ceda54d92f6337724f2e61eaadd47f002fed2a682081494abce4b69e22679ac7dbbda8374c48cba55637
-
Filesize
624KB
MD55eb2f44651d3e4b90664bab3070409ff
SHA16d71d69243bc2495a107ca45d5989a6fc1545570
SHA25632726fa33be861472d0b26286073b49500e3fd3bd1395f63bc114746a9195efb
SHA51255eef39a6845567c8bf64d04e5414537837ae7937229849f7bb1f28e4ddc22428aa1d56af177606c1ea31dd8799ff96d1dfa0f80cb266afe31ca1b43fe9313b5
-
Filesize
512KB
MD54c46c4b0d1c4046dcb0b362f4d673ac5
SHA136f39f6172fe3c134bf8058813ba8cd2fefa81f8
SHA256d4c230bf3e42b42805a3abf3f7d5df6c9e5b6a0f38dba03ad6a46fd1c2c5d881
SHA512e02ba942463a9f9303cee08aed163bfb5a0e971b506affb73a74399b9bd628637c3f50ab0807b7961ade296097719e34b56ff4296ef2468a4e6c9088ae6aa91b
-
Filesize
696KB
MD52e2f983fe7fcf3751ff06afb8842a41d
SHA1e7296f13ab8b7a0ba6ee1d2dee180a3eb345815f
SHA2568e9f8ccf8a70e815a29dc9e0057b0ad7d43a5e9d9671a50e1c14d48344f76dea
SHA51279f0eddfb107724d5a16d678e8ead3a8c10881d1486b5cb8b3fb8fa1ad96a864d4c45075be865c8f5637c3a9258630ff816d7253b5ce984f24f7602851243174
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
11KB
MD5883eff06ac96966270731e4e22817e11
SHA1523c87c98236cbc04430e87ec19b977595092ac8
SHA25644e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA51260333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
-
Filesize
52B
MD55d04a35d3950677049c7a0cf17e37125
SHA1cafdd49a953864f83d387774b39b2657a253470f
SHA256a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b
-
Filesize
56B
MD536e0479ee530f7fb7372245abe498442
SHA173034ade516c6bf060b6e97cc3c89fa2cf70b993
SHA256bdedfa3075b3e133c71a5abeec7ab86880dd5ca8503cc6a5fac86b257dc5f1cf
SHA512bfae6ca6bf4b014759c8030fe6e413b8a92c7361e00395b63b7100aaf0646eab6b751674c37b9fd92bc0eb600b48f33a071ccf5e684eecaf4cb0be2fb95bf0d5
-
Filesize
30B
MD5f15bfdebb2df02d02c8491bde1b4e9bd
SHA193bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA5121757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1
-
Filesize
74B
MD516d513397f3c1f8334e8f3e4fc49828f
SHA14ee15afca81ca6a13af4e38240099b730d6931f0
SHA256d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA5124a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3
-
Filesize
36B
MD5056fd9e747f45f72c12ed185db65ca8f
SHA196b9e5254b0c249a3393008a3fb160b18319532b
SHA256b46a1b647cd0ac5d5ed27381e1559a8ed6244c5bb7a0d27a41ab1784c40bef85
SHA51293f9577f9226d4c090034d81735a61a4505da2068e207d5885452637bfcf87f434278e58db281bce79d49e0d941bf3ead9550541b459fad386a7dd60e24c4446
-
Filesize
60B
MD5b5a9b50b4278f31cf8e8ad052b2c39f6
SHA1f1c88c09bad1aafaf5cd0de9eb29e9092f119a51
SHA25658441afb24ac1fe610a47e89d0848865842be2383ab88c06d31fd70eec7ce470
SHA512b00baeeb3332e66724077ee2430cd43f2a39041b7b7d43d195199e2465d272f16b49711ef6c34c3617f3f815097e80f48b574ef7ac37b6de75ec777f5f9cb447
-
Filesize
1KB
MD5d71dedeeb4d5ef6e05636dd32f6df60d
SHA1af8fb26deb21686c214ff31e344ca2d426ffca0a
SHA2563a4871bbc22f3c07c0f708f73e9566c7a2b0eeeed0c2abe2acfc1f3ce419ea71
SHA512bff2afc545fde8c73a2519cd065f1c99a29a6b1b0583d81987872223a2a90636420d6ad697dd563419dad162bdd2eb85a255fa8d31a0eb426be3fcd4ebd7299d
-
Filesize
6KB
MD5123a4e994bc774a0502599c4c736f75f
SHA1e15483a7c5ba7557a6de8867c14405518ab0c605
SHA2564c4e3b3ef65cf3bc7eb0756b00acaa8e10043a1d14d62c60e492e2dffe528d17
SHA512b84f607e340da66f4f496abe141cd53e5d38855a006c85e19af9989d7ae2889d134517fe4afd1c7c811c6c2061f0968b28a05fe40e65e3520750275f358b5891
-
Filesize
9KB
MD5bd25f6205c17fe261d6a8b822677125c
SHA1d5e4d2194437fab4c5e3b543bcb13ed18e5628ef
SHA2563aa0089f25728ee80aa673dadff12b55607bf414e1aaa71c058b0ade0e66a00c
SHA5124a82888dee396c5666d1008bd2f3311332b28d14c49725de253f9d58a87e6ad2b529b066cc3e4147bb718a60a951edfee8f48f36a22201f49f5f24905458b848
-
Filesize
2KB
MD5e751407898789c69664b8b9cf60abde5
SHA136fd1c77cfef20cc4c0f32eaea4323152c3162eb
SHA256cb50cfea61d8db06094a399fed332f8d7061fb03a08334bb5592b1585da6bd5d
SHA512035f951e62567d328ab6f8916e75f8e1b0aad5bbcea8ceadb8c13ebce4fad8014f15a32203c63df6d0be8078b559e03a55dd16f9cf981c134a2c6b943da73de5
-
Filesize
2KB
MD53ef760f08d3de1ac656e81c6936305ec
SHA1ff7486206b89e12eaca1b6d4eab53638a864470f
SHA2562c6728e9eea87b270c9a143811e7728dfa210fd61b70045b880d542e1ba4df6c
SHA51213f94e00f8204552a8b58c55205162cf322d89a777e2b72a85438d1df8eea3dab694d7c5a47e9dd4b8cbdf56f49190e466e258daf834057a0512fdff88bab6af
-
Filesize
312B
MD50c04ad1083dc5c7c45e3ee2cd344ae38
SHA1f1cf190f8ca93000e56d49732e9e827e2554c46f
SHA2566452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
SHA5126c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492
-
Filesize
424B
MD56c6334cbcc3c29503c45ce9c1176f152
SHA19cd8f5bd2902a1dd08ea462d8c43ee3a06354e41
SHA256a88485015865639d5369e547ad5bc73998e7696f3fc970fff36d8bf795fa843f
SHA5120d2f380a1876578758a6eb44687f16adf1799da5eb79e69f1bcf34b0c255c9ad4b22091e328385da9ad3d07be50cb0c2e2230ce2fbf6b88fa084577b279cf879
-
Filesize
681B
MD578ce50084e355f37c2206e1e7319e00b
SHA1ab350cfbd7ab69406d240802785a864cb5bfd214
SHA256a944dbe9be4595cbe3d27a39bc43f68f47bc9e042b5d6bb8e9bf3f8c4d6bda8a
SHA5122e2668dbd208a84bf6bb8d7864379b9d88f934fd694b121d2589ec68cfff05e1358c909e3ffd4c6a219a2a9cdc5b63603762de711fe614c266e7fbaae207125d
-
Filesize
745B
MD56b0b722d7400a0fd1ce15e1c65bfbe7c
SHA162dd74d2929bbc01237389ee681574036a74fabf
SHA2569e7266691fed9d1951921c2693c71275c511a3ed864a4f97275cc4ce1fba4d69
SHA5128adc26ed40d08736ac335331c49903d2c7507430737516e06631798356ae2b556991142d64a6e57b4198525f596a116e8c28386e508c9d9c27a2034f3d4b0a88
-
Filesize
802B
MD56492182588f4c4237b176bb3d30d682e
SHA117615f7225be4f3da0ca6688bd8f25550e518998
SHA2569a861337508fd961fc0e3063ca4a7faedec57048598802d54722eb04ced1c20a
SHA512efa1d611c066216f8e179003826f8e6ed03ebe59d30bb5289a242d1f3aa0442ce0cfd76c9a8be08496f3146981d5b747b6700e618c8f2d5c75570194f4bff1d0
-
Filesize
1KB
MD5e3269fd1220a31a147f7dea2be262769
SHA1559b1b17323549a158cf0e0ad0515afda224289a
SHA256505907978d00e1cbb6a65b9f86729e4787a0d125bad74c73fb6ee2e8feed189d
SHA5129ce47b2e15aecd524c99d8becc0ef37d5cb321dfbf4af41e05babb3167d5ed0b05812a91f9aca0c6846dd8367d0528c760e4bed43bd12c78364ba3f2ccbadd85
-
Filesize
1KB
MD53a5e0c91996643fc62cb04d6698085ce
SHA18dc2169258331cf2e4b6947e6f40d8d952902213
SHA256481fe50c3904a4f2c8d2548da94f1a9c3629c808225e5b45625d6bad22f13538
SHA51260b455540c95d1da28c7686aa0e19471ff89013ead01200c01f9dff2719e31b8613170d0b228ebacc5304bf9aa9044fcfc824fe042fafa803ec462054d7f49ab
-
Filesize
1KB
MD53d84a503012656f14a3fbd45c1423903
SHA1717d98f5152369df1bea7692adebe70fa7957891
SHA2567dce22b910ff46d56b0dd169bbe106c78570fbab1f232fa61205272c8031960d
SHA512e0c6478b6408c069992f184797f4d58bc0a6e1b4e8fc66b5511baa3e6bdc75982917c9ed15d94570cbcbe5edbdc04109be3a36187dafd924e9f344ca380abb6e
-
Filesize
1KB
MD53feb179bf36c2bb0129b4ad4336c85ad
SHA1a5456bc2658e20e3241cd6a9fcf9431d6f9cf416
SHA25647267f7e53433db2ee2f58722f7eed1e3326a0742e1bc866dbcb0a13c07f41a6
SHA51242b4d877b1507a8320cc485033cd40c3e10153b1c22018358a1f2498c4da4f8e88436e3152bcca3dfaaf6c1cd4cc0ecd410ad4960af3d0163af152cfe2450bca
-
Filesize
6KB
MD5742121f12a2151d8adc4618db51b57f5
SHA15734b4ea6a4b3c9e5b13aa17aa916dccd559357c
SHA2561be723be59547ef14336fa8a64b2fec0a6cbf9efc62d2b1f71aa3426cf889980
SHA512de71e2051b906379bc47b8eec51fc0ab5f7842605bb80e3757bcac237755af676396eee15056a9f67ad185879d2ac01fe1f396e8fc834e2212d9243f86c9e491
-
Filesize
6KB
MD540743e03d72df577dadc54fd8751db1f
SHA1e3b25d0ac7d1f792b4674a1599112d44857366ef
SHA25692d44493b69a6b610f4266fdaba6dfead7b3202a2ff81d02b04462754170ffd7
SHA5126caa36f3250b814b283356b7114af49455956b6ac15b83df243e3e2a8590b0b87ac8bdd00fa38b2689d0ade33c05d7884378fab0c849e09bee6574aa14912c80
-
Filesize
6KB
MD54ca37931f208823d531f7987b11d8e3a
SHA198c32592f86d298cd024e19c1d18f7ee94c31afb
SHA256b3e8eaf5bbdfd7bca0602c5f37ed3428cb702e2a52699c9c8731ffb869613a5d
SHA5123b7859a58fce4ef8b6291771f6fee32da13e31717f433587e73dc5e0f4d4b12af5e816ec81046ce40451955fdaab238313bc28ef034b9ad2ceae3cf34f38efa1
-
Filesize
895KB
MD599232c6ae4570778d2069f9567e3b4f1
SHA10dce35d4b2d15be839999ba00cd1f829c4a2dac0
SHA25661e1379a27b0c5d73db6302ffd1f8522a47080554866b9c99b1eb771c60cd83c
SHA51286e940cf2f44c8c3ea5d83b02a4db5e0926ceea5d5ca2ae9a44fdbe14333393bf3b267c0d755d42ca2efdc083c1bd975eb446b2d34187879dabe3d03a0780a5b
-
Filesize
14KB
MD59d5a0ef18cc4bb492930582064c5330f
SHA12ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA2568f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA5121dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4
-
Filesize
12KB
MD5efe44d9f6e4426a05e39f99ad407d3e7
SHA1637c531222ee6a56780a7fdcd2b5078467b6e036
SHA2565ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA5128014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63
-
Filesize
7KB
MD5ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1d41567acbbb0107361c6ee1715fe41b416663f40
SHA2569874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA5127f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76