Analysis
max time kernel: 124s
max time network: 303s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/09/2024, 16:01
Static task: static1
Behavioral task behavioral1: sample power systems ii.pdf.exe, resource win10-20240404-en
Behavioral task behavioral2: sample power systems ii.pdf.exe, resource win7-20240729-en
Behavioral task behavioral3: sample power systems ii.pdf.exe, resource win10v2004-20240802-en
Behavioral task behavioral4: sample power systems ii.pdf.exe, resource win11-20240802-en
General
Target: power systems ii.pdf.exe
Size: 901.1MB
MD5: d3d8447da77feabf7a266b412da8cbde
SHA1: 260a441639ead58821da8de6e501b2934deae78a
SHA256: 105fd27d53a08971c376126b2a42f012210b99e9ffad0e6dedb2c04324684062
SHA512: f3944b3ecbd7f497c1ce062a5d6c17c41e45e32fcbb8ee768473e905c81d7920607025957122af38c912d9892393ab526ff0d4e5370a6dff030cb749d3ec48b5
SSDEEP: 393216:tNV5braq2dLlOh0t1gtXDG3UT8DZdaP4kiMMlbZzU7uGFzwBXB:tNV5Paq2T12DG3IqZ6diMUbC7uIzYR
Malware Config

Extracted: stealc
  default
  http://46.8.231.109
  url_path: /c4754d4f680ead72.php

Extracted: stealc
  W9
  http://193.176.190.41
  url_path: /2fa883eebd632382.php

Extracted: redline
  LogsDiller Cloud (TG: @logsdillabot)
  147.45.47.36:30035

Extracted: vidar
  https://t.me/edm0d
  https://steamcommunity.com/profiles/76561199768374681
  user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted: djvu
  http://cajgtus.com/test1/get.php
  extension: .watz
  offline_id: Lc3VTezPWbMhuVAQFzJUdeA68PwI7UDpc5aKHYt1
  payload_url:
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0874PsawqS

Extracted: stealc
  leva
  http://185.215.113.100
  url_path: /e2b1563c6670f193.php

Extracted: lumma
  https://stamppreewntnq.shop/api
  https://locatedblsoqp.shop/api
Signatures

Detect Vidar Stealer (3 IoCs)
resource | yara_rule
behavioral1/memory/4488-331-0x0000000000400000-0x0000000000657000-memory.dmp | family_vidar_v7
behavioral1/memory/4488-335-0x0000000000400000-0x0000000000657000-memory.dmp | family_vidar_v7
behavioral1/memory/4488-334-0x0000000000400000-0x0000000000657000-memory.dmp | family_vidar_v7

Detected Djvu ransomware (7 IoCs)
resource | yara_rule
behavioral1/memory/4284-322-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4284-315-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4284-384-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/200-390-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/200-394-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/200-393-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/200-395-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/1100-325-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, the web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ck1kQgnZGpqVGKLY2egHSvid.exe
Creates new service(s) (2 TTPs)

Downloads MZ/PE file

.NET Reactor protector (2 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral1/files/0x000800000001ac33-200.dat | net_reactor
behavioral1/memory/2100-275-0x0000000000480000-0x00000000007D6000-memory.dmp | net_reactor
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ck1kQgnZGpqVGKLY2egHSvid.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ck1kQgnZGpqVGKLY2egHSvid.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | Crash.pif

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | 3GU73Emite8W2LE7jUkk5idR.exe
Executes dropped EXE (25 IoCs)
pid | Process
2288 | Crash.pif
4884 | Crash.pif
4504 | lTmXqotNlhgzkTosMw2nglcr.exe
4872 | s5GRedbnGg1qeJV95EC4ypkH.exe
5108 | cEb3YN9ry8jg1SsiMsJXrhaM.exe
2260 | 8lvF_pbPdErJhU6eYaLALhqF.exe
2100 | g8E1Ykgx61NUZGcqiQ88LHyW.exe
792 | VoVk7YX4kvrBtpYgoNjPz_1z.exe
368 | D2dsp24xIugTOXbqFb03UBo8.exe
3136 | i_EDTZdhnpvoNJRWQkGGccLX.exe
1496 | DTGUSTj7L8sXcmLLMCcOVDCz.exe
4672 | 3GU73Emite8W2LE7jUkk5idR.exe
692 | ck1kQgnZGpqVGKLY2egHSvid.exe
4388 | F0sjTXtEkyFhyelgE0Mr8uU7.exe
1856 | 2BQuSJD0Ffe8sYCdJqTbFs6x.exe
2240 | s5GRedbnGg1qeJV95EC4ypkH.tmp
1104 | 3GU73Emite8W2LE7jUkk5idR.exe
1568 | 3GU73Emite8W2LE7jUkk5idR.exe
4284 | cEb3YN9ry8jg1SsiMsJXrhaM.exe
3668 | cEb3YN9ry8jg1SsiMsJXrhaM.exe
200 | cEb3YN9ry8jg1SsiMsJXrhaM.exe
2504 | AdminCAFHIJDHDG.exe
4900 | AdminCFIEBKEHCA.exe
4420 | etzpikspwykg.exe
1396 | FBGHIIJDGH.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | ck1kQgnZGpqVGKLY2egHSvid.exe

Loads dropped DLL (7 IoCs)
pid | Process
2240 | s5GRedbnGg1qeJV95EC4ypkH.tmp
2240 | s5GRedbnGg1qeJV95EC4ypkH.tmp
2240 | s5GRedbnGg1qeJV95EC4ypkH.tmp
4488 | RegAsm.exe
4488 | RegAsm.exe
4460 | RegAsm.exe
4460 | RegAsm.exe

Modifies file permissions (1 TTP, 1 IoC)
pid | Process
688 | icacls.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | 3GU73Emite8W2LE7jUkk5idR.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\519b4c81-998e-45cb-989b-eca0383684f5\\cEb3YN9ry8jg1SsiMsJXrhaM.exe\" --AutoStart" | cEb3YN9ry8jg1SsiMsJXrhaM.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
129 | iplogger.org
130 | iplogger.org

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | ipinfo.io
56 | api.2ip.ua
60 | api.2ip.ua
81 | api.2ip.ua
4 | api.myip.com
5 | api.myip.com
7 | ipinfo.io
Power Settings (1 TTP, 8 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
368 | powercfg.exe
2840 | powercfg.exe
4708 | powercfg.exe
2400 | powercfg.exe
3916 | powercfg.exe
2236 | powercfg.exe
3060 | powercfg.exe
3664 | powercfg.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
pid | Process
4452 | tasklist.exe
4880 | tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
692 | ck1kQgnZGpqVGKLY2egHSvid.exe

Suspicious use of SetThreadContext (14 IoCs)
description | pid | Process | procid_target
PID 2288 set thread context of 4884 | 2288 | Crash.pif | 85
PID 2100 set thread context of 3760 | 2100 | g8E1Ykgx61NUZGcqiQ88LHyW.exe | 105
PID 4504 set thread context of 4460 | 4504 | lTmXqotNlhgzkTosMw2nglcr.exe | 107
PID 4672 set thread context of 1568 | 4672 | 3GU73Emite8W2LE7jUkk5idR.exe | 110
PID 5108 set thread context of 4284 | 5108 | cEb3YN9ry8jg1SsiMsJXrhaM.exe | 111
PID 4388 set thread context of 1100 | 4388 | F0sjTXtEkyFhyelgE0Mr8uU7.exe | 114
PID 1496 set thread context of 1336 | 1496 | DTGUSTj7L8sXcmLLMCcOVDCz.exe | 115
PID 2260 set thread context of 4488 | 2260 | 8lvF_pbPdErJhU6eYaLALhqF.exe | 121
PID 3668 set thread context of 200 | 3668 | cEb3YN9ry8jg1SsiMsJXrhaM.exe | 128
PID 2504 set thread context of 3980 | 2504 | AdminCAFHIJDHDG.exe | 137
PID 4900 set thread context of 3388 | 4900 | AdminCFIEBKEHCA.exe | 143
PID 4420 set thread context of 1100 | 4420 | etzpikspwykg.exe | 165
PID 4420 set thread context of 5108 | 4420 | etzpikspwykg.exe | 169
PID 1396 set thread context of 1496 | 1396 | FBGHIIJDGH.exe | 175
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\StayOperating | power systems ii.pdf.exe
File opened for modification | C:\Windows\BrokerBaby | power systems ii.pdf.exe
File opened for modification | C:\Windows\SurelyCabin | power systems ii.pdf.exe
File opened for modification | C:\Windows\NotreNr | power systems ii.pdf.exe
File opened for modification | C:\Windows\SpectrumNext | power systems ii.pdf.exe

Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
3652 | sc.exe
2604 | sc.exe
1768 | sc.exe
4680 | sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
4308 | 2240 | WerFault.exe |
3820 | 3388 | WerFault.exe | 143
1196 | 3136 | WerFault.exe | 98
692 | 1496 | WerFault.exe | 175
System Location Discovery: System Language Discovery (1 TTP, 47 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 47 entries are the same event, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", recorded once per process in the order below:
Process
D2dsp24xIugTOXbqFb03UBo8.exe
8lvF_pbPdErJhU6eYaLALhqF.exe
DTGUSTj7L8sXcmLLMCcOVDCz.exe
timeout.exe
findstr.exe
tasklist.exe
s5GRedbnGg1qeJV95EC4ypkH.exe
ck1kQgnZGpqVGKLY2egHSvid.exe
RegAsm.exe
F0sjTXtEkyFhyelgE0Mr8uU7.exe
AdminCAFHIJDHDG.exe
tasklist.exe
cmd.exe
findstr.exe
Crash.pif
choice.exe
s5GRedbnGg1qeJV95EC4ypkH.tmp
AdminCFIEBKEHCA.exe
RegAsm.exe
FBGHIIJDGH.exe
cmd.exe
cmd.exe
g8E1Ykgx61NUZGcqiQ88LHyW.exe
lTmXqotNlhgzkTosMw2nglcr.exe
cEb3YN9ry8jg1SsiMsJXrhaM.exe
cEb3YN9ry8jg1SsiMsJXrhaM.exe
cmd.exe
cEb3YN9ry8jg1SsiMsJXrhaM.exe
2BQuSJD0Ffe8sYCdJqTbFs6x.exe
i_EDTZdhnpvoNJRWQkGGccLX.exe
RegAsm.exe
3GU73Emite8W2LE7jUkk5idR.exe
schtasks.exe
RegAsm.exe
power systems ii.pdf.exe
cmd.exe
findstr.exe
Crash.pif
RegAsm.exe
cEb3YN9ry8jg1SsiMsJXrhaM.exe
RegAsm.exe
3GU73Emite8W2LE7jUkk5idR.exe
RegAsm.exe
RegAsm.exe
schtasks.exe
icacls.exe
cmd.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe

Delays execution with timeout.exe (2 IoCs)
pid | Process
2204 | timeout.exe
1276 | timeout.exe
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | RegAsm.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2888 | schtasks.exe
2404 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Consecutive identical entries are collapsed; the "entries" column gives how many times each pid/process pair appears in the run.
pid | Process | entries
2288 | Crash.pif | 10
692 | ck1kQgnZGpqVGKLY2egHSvid.exe | 2
4672 | 3GU73Emite8W2LE7jUkk5idR.exe | 2
792 | VoVk7YX4kvrBtpYgoNjPz_1z.exe | 2
4488 | RegAsm.exe | 2
4284 | cEb3YN9ry8jg1SsiMsJXrhaM.exe | 2
3760 | RegAsm.exe | 2
200 | cEb3YN9ry8jg1SsiMsJXrhaM.exe | 2
4488 | RegAsm.exe | 2
1336 | RegAsm.exe | 2
4488 | RegAsm.exe | 22
1100 | RegAsm.exe | 2
4460 | RegAsm.exe | 2
4488 | RegAsm.exe | 6
1100 | RegAsm.exe | 2
4460 | RegAsm.exe | 2

Suspicious use of AdjustPrivilegeToken (27 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4452 | tasklist.exe
Token: SeDebugPrivilege | 4880 | tasklist.exe
Token: SeDebugPrivilege | 4672 | 3GU73Emite8W2LE7jUkk5idR.exe
Token: SeDebugPrivilege | 1336 | RegAsm.exe
Token: SeBackupPrivilege | 1336 | RegAsm.exe
Token: SeSecurityPrivilege | 1336 | RegAsm.exe
Token: SeSecurityPrivilege | 1336 | RegAsm.exe
Token: SeSecurityPrivilege | 1336 | RegAsm.exe
Token: SeSecurityPrivilege | 1336 | RegAsm.exe
Token: SeDebugPrivilege | 1100 | RegAsm.exe
Token: SeShutdownPrivilege | 2400 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2400 | powercfg.exe
Token: SeShutdownPrivilege | 2840 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2840 | powercfg.exe
Token: SeShutdownPrivilege | 4708 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4708 | powercfg.exe
Token: SeShutdownPrivilege | 368 | powercfg.exe
Token: SeCreatePagefilePrivilege | 368 | powercfg.exe
Token: SeLockMemoryPrivilege | 5108 | svchost.exe
Token: SeShutdownPrivilege | 3060 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3060 | powercfg.exe
Token: SeShutdownPrivilege | 2236 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2236 | powercfg.exe
Token: SeShutdownPrivilege | 3916 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3916 | powercfg.exe
Token: SeShutdownPrivilege | 3664 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3664 | powercfg.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2288 | Crash.pif
2288 | Crash.pif
2288 | Crash.pif

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
2288 | Crash.pif
2288 | Crash.pif
2288 | Crash.pif

Suspicious use of WriteProcessMemory (64 IoCs)
Consecutive identical entries are collapsed; the "entries" column gives how many times each row appears in the run.
description | pid | Process | procid_target | entries
PID 4864 wrote to memory of 308 | 4864 | power systems ii.pdf.exe | 73 | 3
PID 308 wrote to memory of 4452 | 308 | cmd.exe | 75 | 3
PID 308 wrote to memory of 4416 | 308 | cmd.exe | 76 | 3
PID 308 wrote to memory of 4880 | 308 | cmd.exe | 78 | 3
PID 308 wrote to memory of 3536 | 308 | cmd.exe | 79 | 3
PID 308 wrote to memory of 4736 | 308 | cmd.exe | 80 | 3
PID 308 wrote to memory of 236 | 308 | cmd.exe | 81 | 3
PID 308 wrote to memory of 4704 | 308 | cmd.exe | 82 | 3
PID 308 wrote to memory of 2288 | 308 | cmd.exe | 83 | 3
PID 308 wrote to memory of 4708 | 308 | cmd.exe | 84 | 3
PID 2288 wrote to memory of 4884 | 2288 | Crash.pif | 85 | 5
PID 4884 wrote to memory of 4504 | 4884 | Crash.pif | 86 | 3
PID 4884 wrote to memory of 5108 | 4884 | Crash.pif | 90 | 3
PID 4884 wrote to memory of 4872 | 4884 | Crash.pif | 88 | 3
PID 4884 wrote to memory of 2260 | 4884 | Crash.pif | 91 | 3
PID 4884 wrote to memory of 2100 | 4884 | Crash.pif | 89 | 3
PID 4884 wrote to memory of 792 | 4884 | Crash.pif | 92 | 2
PID 4884 wrote to memory of 4388 | 4884 | Crash.pif | 93 | 3
PID 4884 wrote to memory of 368 | 4884 | Crash.pif | 96 | 3
PID 4884 wrote to memory of 1856 | 4884 | Crash.pif | 95 | 3
PID 4884 wrote to memory of 3136 | 4884 | Crash.pif | 98 | 3
Processes
The bracketed number is the depth of the process in the tree; child processes are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"
    PID: 4864
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit
      PID: 308
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        PID: 4452
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "wrsa opssvc"
        PID: 4416
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        PID: 4880
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        PID: 3536
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md 57839
        PID: 4736
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V "ComicHoRecruitingHabits" Voluntary
        PID: 236
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j
        PID: 4704
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
        command line: Crash.pif j
        PID: 2288
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
          command line: C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
          PID: 4884
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe
            command line: C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe
            PID: 4504
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              PID: 2288
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              PID: 4460
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCAFHIJDHDG.exe"
                PID: 852
                - System Location Discovery: System Language Discovery
              [8] C:\Users\AdminCAFHIJDHDG.exe
                  command line: "C:\Users\AdminCAFHIJDHDG.exe"
                  PID: 2504
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    PID: 3980
                    - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFIEBKEHCA.exe"
                PID: 1664
                - System Location Discovery: System Language Discovery
              [8] C:\Users\AdminCFIEBKEHCA.exe
                  command line: "C:\Users\AdminCFIEBKEHCA.exe"
                  PID: 4900
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    PID: 4128
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    PID: 3388
                    - System Location Discovery: System Language Discovery
                  [10] C:\Windows\SysWOW64\WerFault.exe
                       command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1284
                       PID: 3820
                       - Program crash
        [5] C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe
            command line: C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe
            PID: 4872
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp
              command line: "C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp" /SL5="$701FC,3863733,54272,C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe"
              PID: 2240
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 612
                PID: 4308
                - Program crash
        [5] C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe
            command line: C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe
            PID: 2100
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              PID: 3760
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
                PID: 4692
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\timeout.exe
                  command line: timeout /t 5
                  PID: 2204
                  - System Location Discovery: System Language Discovery
                  - Delays execution with timeout.exe
        [5] C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
            command line: C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
            PID: 5108
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
              command line: C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
              PID: 4284
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\SysWOW64\icacls.exe
                command line: icacls "C:\Users\Admin\AppData\Local\519b4c81-998e-45cb-989b-eca0383684f5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                PID: 688
                - Modifies file permissions
                - System Location Discovery: System Language Discovery
            [7] C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
                command line: "C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe" --Admin IsNotAutoStart IsNotTask
                PID: 3668
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
              [8] C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
                  command line: "C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe" --Admin IsNotAutoStart IsNotTask
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
PID:200
-
-
-
-
-
C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exeC:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:2184
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:2588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:3928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4488 -
C:\ProgramData\FBGHIIJDGH.exe"C:\ProgramData\FBGHIIJDGH.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵PID:4128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 12689⤵
- Program crash
PID:692
-
-
-
-
C:\ProgramData\GDBAKKKFBG.exe"C:\ProgramData\GDBAKKKFBG.exe"7⤵PID:4636
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵PID:4444
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFCBAEHCAEGD" & exit7⤵PID:4392
-
C:\Windows\SysWOW64\timeout.exetimeout /t 108⤵
- Delays execution with timeout.exe
PID:1276
-
-
-
-
-
C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exeC:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:792 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:368
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "VIFLJRPW"6⤵
- Launches sc.exe
PID:1768
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"6⤵
- Launches sc.exe
PID:4680
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
PID:2604
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "VIFLJRPW"6⤵
- Launches sc.exe
PID:3652
-
-
-
C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exeC:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
-
C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exeC:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856
-
-
C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exeC:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:368
-
-
C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exeC:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672 -
C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"6⤵
- Executes dropped EXE
PID:1104
-
-
C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"6⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2404
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2888
-
-
-
-
C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exeC:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 11446⤵
- Program crash
PID:1196
-
-
-
C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exeC:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
-
-
C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exeC:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:692
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
PID:4708
-
-
-
C:\ProgramData\xprfjygruytr\etzpikspwykg.exeC:\ProgramData\xprfjygruytr\etzpikspwykg.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4420 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:1100
-
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108
-
Network
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)

Execution
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads