Resubmissions
07-09-2024 11:17
240907-ndvx2s1gra 1007-09-2024 10:21
240907-mdzqkayhpb 1007-09-2024 10:21
240907-mdq4esyfnl 1005-09-2024 22:04
240905-1y2bsa1clp 1005-09-2024 21:37
240905-1gl6ja1bjb 1016-08-2024 00:38
240816-azcrpsvdqe 1016-08-2024 00:13
240816-ah5fdsyapm 1016-08-2024 00:04
240816-ac4a5sxglk 1015-08-2024 01:57
240815-cc95ssydlb 10Analysis
-
max time kernel
1050s -
max time network
1051s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
05-09-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
New Text Document mod.exe
Resource
win11-20240802-en
General
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Malware Config
Extracted
redline
deepweb
91.92.253.107:1334
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.stingatoareincendii.ro - Port:
21 - Username:
[email protected] - Password:
3.*RYhlG)lkA
Extracted
cobaltstrike
http://89.197.154.115:7700/RKyG
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)
Extracted
xworm
5.0
45.141.26.197:7000
9nYi5R05H806aXaO
-
Install_directory
%AppData%
-
install_file
VLC_Media.exe
Extracted
stealc
leva
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x000400000000f488-541.dat family_xworm behavioral1/memory/2136-547-0x0000000000080000-0x00000000000B2000-memory.dmp family_xworm -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/3824-21-0x00000244DE410000-0x00000244DE42E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
resource yara_rule behavioral1/memory/3824-21-0x00000244DE410000-0x00000244DE42E000-memory.dmp family_sectoprat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ lamp.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4484 powershell.exe 3084 powershell.exe 4580 powershell.exe 1164 powershell.exe 3524 powershell.exe 2592 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Jbrja.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Jbrja.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion lamp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion lamp.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk 66d70e8640404_trics.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk VLC_Media.exe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk VLC_Media.exe.exe -
Executes dropped EXE 42 IoCs
pid Process 1592 66d9f685932be_uninstaller.exe 3824 66d9f6e9330e4_deep.exe 4356 66d9ddcb9dbfe_Build.exe 3496 abQOhgu.exe 2620 notebyx.exe 3980 TikTokTool24.exe 5016 Accounts.exe 3952 Meeting.sfx.exe 1464 Meeting.exe 4760 ywp.exe 3128 Resolve.pif 2980 Resolve.pif 2788 pdfconv.exe 1660 66d8985a256af_installer.exe 4396 66d8985a256af_installer.exe 4728 R.exe 4488 wbspam.exe 2136 VLC_Media.exe.exe 3240 wbspam.exe 2560 XWORM-V5.4.exe 2884 XWorm V5.4.exe 1200 VLC_Media.exe.exe 1452 66d7540419a3a_installer.exe 2696 66d7540419a3a_installer.exe 4732 66d6af212bad3_kbdturme.exe 4528 66d6af212bad3_kbdturme.tmp 1668 66d6af212bad3_kbdturme.exe 4052 66d6af212bad3_kbdturme.tmp 996 AutoIt3.exe 4768 AutoIt3.exe 1404 66d5edf357fbf_BitcoinCore.exe 1460 tqh64.exe 2584 Co.exe 2368 66d70e8640404_trics.exe 2140 66d70e8640404_trics.exe 1908 lamp.exe 796 rev.exe 4744 prompt.exe 3736 ew.exe 3008 1.exe 3996 Jbrja.exe 3384 Jbrja.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine lamp.exe -
Loads dropped DLL 32 IoCs
pid Process 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 3648 rundll32.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 3240 wbspam.exe 2884 XWorm V5.4.exe 688 rundll32.exe 4528 66d6af212bad3_kbdturme.tmp 4052 66d6af212bad3_kbdturme.tmp -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/files/0x0004000000025c5c-749.dat agile_net behavioral1/memory/2884-755-0x00000266CBDE0000-0x00000266CCBC0000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts pdfconv.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook pdfconv.exe Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pdfconv.exe Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pdfconv.exe Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pdfconv.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CMark Experience Studio = "C:\\Users\\Admin\\AppData\\Local\\Programs\\PCV Convert Manager\\pdfconv.exe" pdfconv.exe Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" 66d70e8640404_trics.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: Jbrja.exe File opened (read-only) \??\T: Jbrja.exe File opened (read-only) \??\U: Jbrja.exe File opened (read-only) \??\W: Jbrja.exe File opened (read-only) \??\X: Jbrja.exe File opened (read-only) \??\Y: Jbrja.exe File opened (read-only) \??\B: Jbrja.exe File opened (read-only) \??\K: Jbrja.exe File opened (read-only) \??\S: Jbrja.exe File opened (read-only) \??\M: Jbrja.exe File opened (read-only) \??\N: Jbrja.exe File opened (read-only) \??\R: Jbrja.exe File opened (read-only) \??\V: Jbrja.exe File opened (read-only) \??\G: Jbrja.exe File opened (read-only) \??\L: Jbrja.exe File opened (read-only) \??\I: Jbrja.exe File opened (read-only) \??\J: Jbrja.exe File opened (read-only) \??\P: Jbrja.exe File opened (read-only) \??\Q: Jbrja.exe File opened (read-only) \??\Z: Jbrja.exe File opened (read-only) \??\E: Jbrja.exe File opened (read-only) \??\H: Jbrja.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 8 discord.com 48 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000300000002aa91-217.dat autoit_exe behavioral1/files/0x000300000002aa95-239.dat autoit_exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jbrja.exe 1.exe File opened for modification C:\Windows\SysWOW64\Jbrja.exe 1.exe -
Enumerates processes with tasklist 1 TTPs 8 IoCs
pid Process 1916 tasklist.exe 4476 tasklist.exe 1080 tasklist.exe 3572 tasklist.exe 1576 tasklist.exe 3088 tasklist.exe 352 tasklist.exe 1456 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1908 lamp.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3496 set thread context of 1660 3496 abQOhgu.exe 89 PID 2620 set thread context of 4504 2620 notebyx.exe 92 PID 3128 set thread context of 2980 3128 Resolve.pif 113 PID 4768 set thread context of 4384 4768 AutoIt3.exe 210 PID 2368 set thread context of 2140 2368 66d70e8640404_trics.exe 232 -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe pdfconv.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\ChampionshipsJustice TikTokTool24.exe File opened for modification C:\Windows\ConsistentParadise TikTokTool24.exe File opened for modification C:\Windows\FranklinBrochures TikTokTool24.exe -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x000600000000f452-534.dat pyinstaller -
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
resource yara_rule behavioral1/files/0x000500000002aa5c-7.dat embeds_openssl -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
pid pid_target Process procid_target 1772 3496 WerFault.exe 87 3772 4760 WerFault.exe 99 4468 4760 WerFault.exe 99 3456 2980 WerFault.exe 113 2344 2980 WerFault.exe 113 3096 4384 WerFault.exe 210 3656 1460 WerFault.exe 222 2108 2584 WerFault.exe 223 3168 2584 WerFault.exe 223 -
System Location Discovery: System Language Discovery 1 TTPs 46 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Resolve.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d6af212bad3_kbdturme.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d9f685932be_uninstaller.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TikTokTool24.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeting.sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeting.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoIt3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tqh64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d70e8640404_trics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Resolve.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d70e8640404_trics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdfconv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbrja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbrja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language abQOhgu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d6af212bad3_kbdturme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d6af212bad3_kbdturme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d6af212bad3_kbdturme.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoIt3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Co.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lamp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notebyx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ywp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4140 PING.EXE 3928 cmd.exe 3160 PING.EXE 3308 cmd.exe -
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information pdfconv.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier pdfconv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AutoIt3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet pdfconv.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Jbrja.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AutoIt3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet pdfconv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 pdfconv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jbrja.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information pdfconv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 pdfconv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor pdfconv.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor pdfconv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz pdfconv.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\Software Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Jbrja.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Jbrja.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\937545B11B5D80F15FD922F1D880FE57FD60151E pdfconv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\937545B11B5D80F15FD922F1D880FE57FD60151E\Blob = 030000000100000014000000937545b11b5d80f15fd922f1d880fe57fd60151e2000000001000000a00200003082029c30820205a003020102020872fc501b4d54055f300d06092a864886f70d01010b05003081853145304306035504030c3c566572695369677020436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3232303930363232303932325a170d3236303930353232303932325a3081853145304306035504030c3c566572695369677020436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d00308189028181009c182054159e9fb54bd85d80b9dbbf878f8009db9cd747f7c167b17106623c42bedcaf21387a13d5342b8229f108b7969c7ef95c4f74863a8346ab719f190da0425fed7b96ac86370365df168794b61baf11d3be4bb4a4fa2b7fcc3eb1a90c16b91c7c9bc44079e012cc507717b629738912fd74929cff741d7cd0f63af2d0cf0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038181006be8f14f52647e2640a9c8f8cc30d54720e8e9110765446a42884ff8b1981ed806a9df1b73b5b55e7f06156fa6a99c3c603b7e69a0d393525a86d047de9db5e5a4ac692391e89c9d4afc05a17cbbbdb4f24ac4f1454c8a0888959bc2a23cd20940aef406b4d1c32d77afb9b315eb28e4019f5010b186e13d0e460d3608dc19b5 pdfconv.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4140 PING.EXE 3160 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3148 schtasks.exe 4060 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3824 66d9f6e9330e4_deep.exe 3824 66d9f6e9330e4_deep.exe 1660 RegSvcs.exe 1660 RegSvcs.exe 4504 RegSvcs.exe 4504 RegSvcs.exe 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 3648 rundll32.exe 3648 rundll32.exe 3648 rundll32.exe 3648 rundll32.exe 4484 powershell.exe 4484 powershell.exe 1784 msedge.exe 1784 msedge.exe 976 msedge.exe 976 msedge.exe 3084 powershell.exe 3084 powershell.exe 4580 powershell.exe 4580 powershell.exe 1164 powershell.exe 1164 powershell.exe 3524 powershell.exe 3524 powershell.exe 2136 VLC_Media.exe.exe 688 rundll32.exe 688 rundll32.exe 688 rundll32.exe 688 rundll32.exe 4052 66d6af212bad3_kbdturme.tmp 4052 66d6af212bad3_kbdturme.tmp 2788 pdfconv.exe 2788 pdfconv.exe 2592 powershell.exe 2592 powershell.exe 2592 powershell.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2788 pdfconv.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe 2136 VLC_Media.exe.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3384 Jbrja.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3496 abQOhgu.exe 2620 notebyx.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 976 msedge.exe 976 msedge.exe 976 msedge.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeDebugPrivilege 248 New Text Document mod.exe Token: SeDebugPrivilege 3824 66d9f6e9330e4_deep.exe Token: SeDebugPrivilege 1660 RegSvcs.exe Token: SeDebugPrivilege 4504 RegSvcs.exe Token: SeDebugPrivilege 1576 tasklist.exe Token: SeDebugPrivilege 3088 tasklist.exe Token: SeDebugPrivilege 2788 pdfconv.exe Token: SeDebugPrivilege 4484 powershell.exe Token: SeDebugPrivilege 2136 VLC_Media.exe.exe Token: SeDebugPrivilege 3084 powershell.exe Token: SeDebugPrivilege 4580 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeDebugPrivilege 3524 powershell.exe Token: SeDebugPrivilege 2136 VLC_Media.exe.exe Token: SeDebugPrivilege 1200 VLC_Media.exe.exe Token: SeDebugPrivilege 2884 XWorm V5.4.exe Token: SeDebugPrivilege 352 tasklist.exe Token: SeDebugPrivilege 1456 tasklist.exe Token: SeDebugPrivilege 1916 tasklist.exe Token: SeDebugPrivilege 4476 tasklist.exe Token: SeDebugPrivilege 1080 tasklist.exe Token: SeDebugPrivilege 3572 tasklist.exe Token: SeDebugPrivilege 2592 powershell.exe Token: SeIncBasePriorityPrivilege 3008 1.exe Token: SeLoadDriverPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe Token: 33 3384 Jbrja.exe Token: SeIncBasePriorityPrivilege 3384 Jbrja.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 3496 abQOhgu.exe 3496 abQOhgu.exe 2620 notebyx.exe 2620 notebyx.exe 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 2788 pdfconv.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 4052 66d6af212bad3_kbdturme.tmp -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 3496 abQOhgu.exe 3496 abQOhgu.exe 2620 notebyx.exe 2620 notebyx.exe 3128 Resolve.pif 3128 Resolve.pif 3128 Resolve.pif 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe 976 msedge.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3952 Meeting.sfx.exe 3952 Meeting.sfx.exe 2788 pdfconv.exe 2136 VLC_Media.exe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 248 wrote to memory of 1592 248 New Text Document mod.exe 80 PID 248 wrote to memory of 1592 248 New Text Document mod.exe 80 PID 248 wrote to memory of 1592 248 New Text Document mod.exe 80 PID 248 wrote to memory of 3824 248 New Text Document mod.exe 81 PID 248 wrote to memory of 3824 248 New Text Document mod.exe 81 PID 248 wrote to memory of 4356 248 New Text Document mod.exe 86 PID 248 wrote to memory of 4356 248 New Text Document mod.exe 86 PID 248 wrote to memory of 3496 248 New Text Document mod.exe 87 PID 248 wrote to memory of 3496 248 New Text Document mod.exe 87 PID 248 wrote to memory of 3496 248 New Text Document mod.exe 87 PID 248 wrote to memory of 2620 248 New Text Document mod.exe 88 PID 248 wrote to memory of 2620 248 New Text Document mod.exe 88 PID 248 wrote to memory of 2620 248 New Text Document mod.exe 88 PID 3496 wrote to memory of 1660 3496 abQOhgu.exe 89 PID 3496 wrote to memory of 1660 3496 abQOhgu.exe 89 PID 3496 wrote to memory of 1660 3496 abQOhgu.exe 89 PID 3496 wrote to memory of 1660 3496 abQOhgu.exe 89 PID 2620 wrote to memory of 4504 2620 notebyx.exe 92 PID 2620 wrote to memory of 4504 2620 notebyx.exe 92 PID 2620 wrote to memory of 4504 2620 notebyx.exe 92 PID 2620 wrote to memory of 4504 2620 notebyx.exe 92 PID 248 wrote to memory of 3980 248 New Text Document mod.exe 93 PID 248 wrote to memory of 3980 248 New Text Document mod.exe 93 PID 248 wrote to memory of 3980 248 New Text Document mod.exe 93 PID 248 wrote to memory of 5016 248 New Text Document mod.exe 94 PID 248 wrote to memory of 5016 248 New Text Document mod.exe 94 PID 3980 wrote to memory of 1360 3980 TikTokTool24.exe 95 PID 3980 wrote to memory of 1360 3980 TikTokTool24.exe 95 PID 3980 wrote to memory of 1360 3980 TikTokTool24.exe 95 PID 248 wrote to memory of 3952 248 New Text Document mod.exe 97 PID 248 wrote to memory of 3952 248 New Text Document mod.exe 97 PID 248 wrote to memory of 3952 248 New Text Document mod.exe 97 PID 248 wrote to memory of 1464 248 New Text Document mod.exe 98 PID 248 wrote to memory of 1464 248 New Text Document mod.exe 98 PID 248 wrote to memory of 1464 248 New Text Document mod.exe 98 PID 248 wrote to memory of 4760 248 New Text Document mod.exe 99 PID 248 wrote to memory of 4760 248 New Text Document mod.exe 99 PID 248 wrote to memory of 4760 248 New Text Document mod.exe 99 PID 1360 wrote to memory of 1576 1360 cmd.exe 100 PID 1360 wrote to memory of 1576 1360 cmd.exe 100 PID 1360 wrote to memory of 1576 1360 cmd.exe 100 PID 1360 wrote to memory of 4668 1360 cmd.exe 101 PID 1360 wrote to memory of 4668 1360 cmd.exe 101 PID 1360 wrote to memory of 4668 1360 cmd.exe 101 PID 1360 wrote to memory of 3088 1360 cmd.exe 102 PID 1360 wrote to memory of 3088 1360 cmd.exe 102 PID 1360 wrote to memory of 3088 1360 cmd.exe 102 PID 1360 wrote to memory of 2672 1360 cmd.exe 103 PID 1360 wrote to memory of 2672 1360 cmd.exe 103 PID 1360 wrote to memory of 2672 1360 cmd.exe 103 PID 1360 wrote to memory of 4208 1360 cmd.exe 104 PID 1360 wrote to memory of 4208 1360 cmd.exe 104 PID 1360 wrote to memory of 4208 1360 cmd.exe 104 PID 1360 wrote to memory of 1040 1360 cmd.exe 105 PID 1360 wrote to memory of 1040 1360 cmd.exe 105 PID 1360 wrote to memory of 1040 1360 cmd.exe 105 PID 1360 wrote to memory of 2592 1360 cmd.exe 106 PID 1360 wrote to memory of 2592 1360 cmd.exe 106 PID 1360 wrote to memory of 2592 1360 cmd.exe 106 PID 1360 wrote to memory of 3128 1360 cmd.exe 107 PID 1360 wrote to memory of 3128 1360 cmd.exe 107 PID 1360 wrote to memory of 3128 1360 cmd.exe 107 PID 1360 wrote to memory of 1336 1360 cmd.exe 108 PID 1360 wrote to memory of 1336 1360 cmd.exe 108 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pdfconv.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pdfconv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:248 -
C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe"C:\Users\Admin\AppData\Local\Temp\a\66d9f685932be_uninstaller.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Programs\PCV Convert Manager\pdfconv.exe4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe"C:\Users\Admin\AppData\Local\Temp\a\66d9f6e9330e4_deep.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824
-
-
C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe"C:\Users\Admin\AppData\Local\Temp\a\66d9ddcb9dbfe_Build.exe"2⤵
- Executes dropped EXE
PID:4356
-
-
C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\a\abQOhgu.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 8043⤵
- Program crash
PID:1772
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\a\notebyx.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\TikTokTool24.exe"C:\Users\Admin\AppData\Local\Temp\a\TikTokTool24.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Columbia Columbia.bat & Columbia.bat & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
PID:4668
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"4⤵
- System Location Discovery: System Language Discovery
PID:2672
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1963234⤵
- System Location Discovery: System Language Discovery
PID:4208
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "cheatsfortyumsent" Zen4⤵
- System Location Discovery: System Language Discovery
PID:1040
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Immediate + ..\Surrounded + ..\Familiar + ..\Enclosed + ..\Telecommunications + ..\Boolean + ..\Integrating + ..\Stack + ..\Lawn F4⤵
- System Location Discovery: System Language Discovery
PID:2592
-
-
C:\Users\Admin\AppData\Local\Temp\196323\Resolve.pifResolve.pif F4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\196323\Resolve.pifC:\Users\Admin\AppData\Local\Temp\196323\Resolve.pif5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 11966⤵
- Program crash
PID:3456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 11726⤵
- Program crash
PID:2344
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
PID:1336
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe"C:\Users\Admin\AppData\Local\Temp\a\Accounts.exe"2⤵
- Executes dropped EXE
PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe"C:\Users\Admin\AppData\Local\Temp\a\Meeting.sfx.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3952
-
-
C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe"C:\Users\Admin\AppData\Local\Temp\a\Meeting.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464
-
-
C:\Users\Admin\AppData\Local\Temp\a\ywp.exe"C:\Users\Admin\AppData\Local\Temp\a\ywp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 12763⤵
- Program crash
PID:3772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 13163⤵
- Program crash
PID:4468
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe"C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe"2⤵
- Executes dropped EXE
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe"C:\Users\Admin\AppData\Local\Temp\a\66d8985a256af_installer.exe" -sfxwaitall:0 "rundll32" setup_app_tmp.dll,setuptool3⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" setup_app_tmp.dll,setuptool4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "3⤵PID:2088
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\R.exe"C:\Users\Admin\AppData\Local\Temp\a\R.exe"2⤵
- Executes dropped EXE
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\wbspam.exe"C:\Users\Admin\AppData\Local\Temp\wbspam.exe"3⤵
- Executes dropped EXE
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\wbspam.exe"C:\Users\Admin\AppData\Local\Temp\wbspam.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3240 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c5⤵PID:3276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c5⤵PID:2244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/rz9598cHay5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd1793cb8,0x7ffdd1793cc8,0x7ffdd1793cd86⤵PID:2072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1796 /prefetch:26⤵PID:884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:86⤵PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:16⤵PID:836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:16⤵PID:2052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,7756300179006939590,10788331440045344878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:16⤵PID:4088
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2136 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2052
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VLC_Media.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\XWORM-V5.4.exe"C:\Users\Admin\AppData\Local\Temp\a\XWORM-V5.4.exe"2⤵
- Executes dropped EXE
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"C:\Users\Admin\AppData\Local\Temp\XWorm V5.4.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"C:\Users\Admin\AppData\Local\Temp\VLC_Media.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe"C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe"2⤵
- Executes dropped EXE
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe"C:\Users\Admin\AppData\Local\Temp\a\66d7540419a3a_installer.exe" -sfxwaitall:0 "rundll32" setup_app.dll,setupvar3⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" setup_app.dll,setupvar4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "3⤵PID:4396
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe"C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\is-CO8MB.tmp\66d6af212bad3_kbdturme.tmp"C:\Users\Admin\AppData\Local\Temp\is-CO8MB.tmp\66d6af212bad3_kbdturme.tmp" /SL5="$60350,10276342,812544,C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe"C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe" /VERYSILENT /NORESTART4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\is-9LKRE.tmp\66d6af212bad3_kbdturme.tmp"C:\Users\Admin\AppData\Local\Temp\is-9LKRE.tmp\66d6af212bad3_kbdturme.tmp" /SL5="$70350,10276342,812544,C:\Users\Admin\AppData\Local\Temp\a\66d6af212bad3_kbdturme.exe" /VERYSILENT /NORESTART5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4052 -
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"6⤵PID:3400
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:352
-
-
C:\Windows\system32\find.exefind /I "wrsa.exe"7⤵PID:1936
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"6⤵PID:1496
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\system32\find.exefind /I "opssvc.exe"7⤵PID:884
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"6⤵PID:200
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
C:\Windows\system32\find.exefind /I "avastui.exe"7⤵PID:4596
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"6⤵PID:5024
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
C:\Windows\system32\find.exefind /I "avgui.exe"7⤵PID:456
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"6⤵PID:3560
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
C:\Windows\system32\find.exefind /I "nswscsvc.exe"7⤵PID:3796
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"6⤵PID:2884
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
-
C:\Windows\system32\find.exefind /I "sophoshealth.exe"7⤵PID:3000
-
-
-
C:\Users\Admin\AppData\Local\banqueteer\AutoIt3.exe"C:\Users\Admin\AppData\Local\banqueteer\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\banqueteer\\calimanco1.a3x"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\qTS9Ah7.a3x && del C:\ProgramData\\qTS9Ah7.a3x7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3308 -
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.18⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4140
-
-
C:\Users\Admin\AppData\Local\banqueteer\AutoIt3.exeAutoIt3.exe C:\ProgramData\\qTS9Ah7.a3x8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4768 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe9⤵
- System Location Discovery: System Language Discovery
PID:4384 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 127210⤵
- Program crash
PID:3096
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\66d5edf357fbf_BitcoinCore.exe"C:\Users\Admin\AppData\Local\Temp\a\66d5edf357fbf_BitcoinCore.exe"2⤵
- Executes dropped EXE
PID:1404
-
-
C:\Users\Admin\AppData\Local\Temp\a\tqh64.exe"C:\Users\Admin\AppData\Local\Temp\a\tqh64.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 12963⤵
- Program crash
PID:3656
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Co.exe"C:\Users\Admin\AppData\Local\Temp\a\Co.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 11363⤵
- Program crash
PID:2108
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 11363⤵
- Program crash
PID:3168
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe"C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe"C:\Users\Admin\AppData\Local\Temp\a\66d70e8640404_trics.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3148
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4060
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\lamp.exe"C:\Users\Admin\AppData\Local\Temp\a\lamp.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1908
-
-
C:\Users\Admin\AppData\Local\Temp\a\rev.exe"C:\Users\Admin\AppData\Local\Temp\a\rev.exe"2⤵
- Executes dropped EXE
PID:796
-
-
C:\Users\Admin\AppData\Local\Temp\a\prompt.exe"C:\Users\Admin\AppData\Local\Temp\a\prompt.exe"2⤵
- Executes dropped EXE
PID:4744
-
-
C:\Users\Admin\AppData\Local\Temp\a\ew.exe"C:\Users\Admin\AppData\Local\Temp\a\ew.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3736
-
-
C:\Users\Admin\AppData\Local\Temp\a\1.exe"C:\Users\Admin\AppData\Local\Temp\a\1.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\a\1.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3928 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3160
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3496 -ip 34961⤵PID:2804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4760 -ip 47601⤵PID:1084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4760 -ip 47601⤵PID:1344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2980 -ip 29801⤵PID:2960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2980 -ip 29801⤵PID:4904
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1228
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3796
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4384 -ip 43841⤵PID:4556
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 14601⤵PID:1944
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2584 -ip 25841⤵PID:3456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2584 -ip 25841⤵PID:2268
-
C:\Windows\SysWOW64\Jbrja.exeC:\Windows\SysWOW64\Jbrja.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Windows\SysWOW64\Jbrja.exeC:\Windows\SysWOW64\Jbrja.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5228fefc98d7fb5b4e27c6abab1de7207
SHA1ada493791316e154a906ec2c83c412adf3a7061a
SHA256448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2
SHA512fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56
-
Filesize
152B
MD5026e0c65239e15ba609a874aeac2dc33
SHA1a75e1622bc647ab73ab3bb2809872c2730dcf2df
SHA256593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292
SHA5129fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569
-
Filesize
247B
MD594bd83393ee4e3c749f28c3414160cbc
SHA168effb04ecc392f2ae4ad7bdc1e99b9116da474c
SHA256e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b
SHA512203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a
-
Filesize
5KB
MD5ca64b37b773de5190b1de6b8bd1656a9
SHA1a68b1b38f0ce533b95a9f2dbe878d93f33589f81
SHA2569f05eb3261ade3d08cef61755eaae91b3a727b117a2d9ef6c1288e1e2e2e8009
SHA512fb596c140f5e851802fb5c290c98ce0ca888553a5d1250b170d3937f0dae1ffba7ad9f286edf30ce8729bd951a6c29a77b7e3bbb21b9d290ab83bc3a06c20869
-
Filesize
6KB
MD5fc41896545e39e73e6919b7420192fdd
SHA1269ec110c9c752dea9dcfabfd450283bf7723159
SHA256c631f6df783a1697e8cb601a5e8bacb1ed9c5ba1241e2e1715d766c22af90c49
SHA51267e03297dc755f1d7611c22356921ce0b852f0aa6a9bde598f4426465aaad1769d28ea33b09940626ec30e4af3d8cf8fd3ccb81f856344a1f5405264fb0f2a92
-
Filesize
10KB
MD588ca984219c6383a0aa8158f3c60c170
SHA147260bf501725ce2816d9e3ed0e23eeac84e872d
SHA256628a3521e88c24094490abc03d5d90dcb27014ea56073180f0bf1076d073cdf6
SHA5127c43db226b9f7a491d195a1262127df985b7ce6cd957127632e6cfdda7e03e4bf32bf257913f4c4736ff2383f0c45918d1968281d3e0d831bd05315d005a3801
-
Filesize
6.9MB
MD5a48d47a826bd19bed46d82e4d12d0747
SHA1fe7ced0a8757f86abbc4a28f5d9ac4808ded1c8f
SHA25610c91979275078c324a5f2c1b027d51140160a892d986f25dd5ad6a6a93d53d1
SHA512b6274971776a967b2deb9805418af439b0412f0a23233189d8087fee124c952a14fd2a8acc005fa26cb8f906421814726a3681786620b63b32b301d6712a351e
-
Filesize
515KB
MD5576bbf8adb9278830e883ecac484bead
SHA1c1242601d50012dc51b545d7b9a24fb5108b0f70
SHA2565b26c145a7cc91e95175d38047e46a3a0b8766905b9d51f4e6bb559a439b3761
SHA5120957743b19e989742b9584d7791249f3fb64615210ec2110c40ae774d4fb4fa4dcda498e019fbd316b42ab23bde314af24eeba20674b0190c1a2760debd55103
-
Filesize
5.6MB
MD5452c732598cff53811896cff493a026b
SHA153d370accb009685ade791d5d7e5e190b89384c1
SHA2566053b66fca4a247f202eee0e32dc3a05c426addcb30fbf1d959488042cfded15
SHA512a26ee492733aafc5c90dff79eb1887176e162481996acb3bf99718d3f799daa289bc3c50f4c02f71ef61d6a5a670cdb925b3a5b47bd16c24938c41205bb6a0cf
-
Filesize
144KB
MD51536f15da51dc7988f17fe81aa6d7dd1
SHA1e19ab45229d89c6d5450c607d1784e37b1ebdd3e
SHA256605630f97e3f6b834b2210ef69825c8fb22a9efcaa51f3276833afae114e4377
SHA51296120bbc85bdfcfb3f80e944c866cf0d67eaee990691484929c52863ee37a19907a32ef79c88fdcb4a975eb4bcdc49014c665d36e152d8ff01b7270629e3cf4a
-
Filesize
360KB
MD5b8d1b2aefecfe0ec73ef065f377af918
SHA1eab322acb1d95179969b75c56febd042258cc668
SHA2567f741ee47a3ac13b2f310a94c75204f842c13d57bb9a05a04e5a6d4a9d55a87e
SHA5129ca8cfa74af6a607a25ba61ccb4bc6608e63cb4ff37da6403395acd85177259d9e482d3787715b38776edf66eef49983830add9d21b033dfffea18a4d70ffc68
-
Filesize
5.2MB
MD561b6d43b7aa1a2e45f59a99cd5c80f5f
SHA1a45ec665632501a7fdd90520d1a5cc9e29ddcc3c
SHA25649bdbd9c6f651f573b08c8300fcdf928be36d86450433bac00aa610d74049f66
SHA512d74bfb70184f802cf3997fa16b1fd637e22653ba87d085b651c373608934b5f961e2d85aae6155f3ca96eb1d7afd9ac34fd88bbe78a8c9d79583061c4279df93
-
Filesize
348KB
MD51e2c7829fac8f5c3f02d5d46c164a908
SHA14e8e9bafa543dc15d88542f2c026b7d87cb537b0
SHA256ed00a76486bf4b644186f2ea83559392d6a5c30beeae2674f4d56fb1f679c364
SHA5120e381fefbac7ea9937a76df4a5d1b1d8d899bc7332c40684a9a57625f437b2457b57959f3e2d42241824026fe7da4018b6f197b970a25d78f0ed0eae218f984f
-
Filesize
11.2MB
MD57366d8ddcc9fb6721c53f5feef334b1e
SHA191f437cf6b6dd98da5ccbb543020b5e6f1f30f27
SHA256b3b91381d1df6f08d06ac4f74bca4e597b596001966cee4bc4401a46f1b318b0
SHA51241990b1d6338bdd865f5f3f0915fd85ca3d165d27ca4d2f85e2def8d27d3363a28387689a3d1e4bb3b581ca71b0c2dc62cd54bf9e99537750d2f934ddfb81de1
-
Filesize
694KB
MD59daa3cad815d1d77018e6c02421f1dba
SHA1d3b5219540c529c91d1054cc1b7281c23fecd6dc
SHA25667f2299c1d29f05e573143191959264aaf130c7b450bddd25e1223c06407eff7
SHA5126a47e0bc8608473fc35828ccfbaeb238b53283a56516cc4e81ac93339a0cad11f55c5ecc88d26f8b9479ef2b47088a516cc7cfea4cbd0dd21c22a117d62e9368
-
Filesize
1.8MB
MD5ca1b509a093a8121d9b5753fca1e070a
SHA1e2d20c24c8f2ddf460658d0637b1a91972163a52
SHA2563e20fd7f5c97cc35b9567bbe85be68b70cf4eafba9b7d9adebd753e98b5cda8f
SHA512b20423239c43aa87fd032053d65f83b89adf9479dc38a8abc88b4f2e0e15c9a6eb86f6f2b1ea451f9f7af250ac17fed236cf7c8a736559ae504131cb44deda04
-
Filesize
619KB
MD51b8a259d820e3b6dbf0085bb888cd64d
SHA18bc44f1b3f13d760c4831afbb4b46ebb42a0f3f5
SHA25699d569e8196faf244515691abd0be3dcb410900ccf91a874b3270ca3d93b3d0c
SHA51212b5d873fe487c1e00c6eb8a0f18ced6ce942ae64fedb0efbaab63ea43c2b79cdd41785f02cd7032b2c55f865e401b54486d39b533039418e31cf36b08986244
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
75KB
MD5e61e8143ab0c091309715bc5fede9d63
SHA1600855ba65c808f489efd667910fb89d7b9d6d0e
SHA256befb65ad68ce0b25655fb6e18f85acdc454230d6e324e7f311d463ea622780db
SHA5127fb1cdaf23cd719dbc2a3271bc679b1314e644cf59cae6f6278a2cc692998022de66adc3e5045ae4bea7a3e40787b4dfb2fdd322e09c9a33f819bf7f80ffc47f
-
Filesize
13KB
MD576dca068cb629666eca91144e30f7d9a
SHA17eb536e6526ecc51d4dc1527295f9605bfddc0e9
SHA25605e7bcacb4803b7b87a0546551228b5886131fc3571a5d8b38b881c11e77abc6
SHA5125f2aa6ac46d5bebe3fb6133350446628965ea4a1f953b7a1768fce3f6215618bb62fa7925c44bbf3622af1ebc34e3a1f9da4ddde20c168cd70f656c86892fa30
-
Filesize
78KB
MD51a56e65997e9317f8803df90a7deedaa
SHA1bc9a75f41c00a207803199166d123c784c7f5c9d
SHA256676ee76d9ff695d3e0f2872ffbd7b0d45bac9d3bec4eee1f832bb7236524512f
SHA5125477017782136c556c497ff990dedd715c56b98cc0ccaa3b4147191cc0a4b856f281ca4a4389396ed4bfa2ae10220e9a39d5faf3c5f315d53f4c89c954185d7e
-
Filesize
97KB
MD5cdab67159fb964233535ad7044bde466
SHA12c079c4950d6dd45409e9a387e2cc982cc598ebf
SHA256560d27faaa415138b6c2a3c363b870456fea8d43ad628c4bf0436e2da855332b
SHA5125aab34193aef060c13b38947e5f505340dcad13ec069c78605cf5fe490f04802f269ed36e27f9f6c13a1cf59270127f8cca576cb35e1ea53112f2869ef441131
-
Filesize
871KB
MD55caf62d6192678a255b317eeb20e8c75
SHA1ed34e0ef143514b6558def99f9ea29a1c6db9037
SHA256ead456b39b62db259dcda071b17f4f75d9451536cf919a811e1337bbd892e6f3
SHA5124e94042139864b4369f27540c69cd52f17b09a8b20472c2f58bd08933c798bb648caf54fd1186e0ab13a3b7cb7f0d56f1cacdc73f9d15bbb59c7d957337a348d
-
Filesize
40KB
MD5ab893875d697a3145af5eed5309bee26
SHA1c90116149196cbf74ffb453ecb3b12945372ebfa
SHA25602b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba
SHA5126b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc
-
Filesize
74KB
MD546a0e930cb7c3f5d03df571170e2b22d
SHA191b833cbb6a8c4345cbc013e1732ddccefcba1a4
SHA256d0161d8e383e516187955f3885e39775859f50d04b67fba7a99f0570639f6988
SHA512e89980de6ecf1107ddde9457427bbccd353ca3ab52e4ce9c23b4a161b9a73a8fdb8650319537958d15575176feddb1ed39724803bfa54c9fb994c01125506b17
-
Filesize
67KB
MD5b5c63f06efb3ebd3635ea9674ed2b75b
SHA1b28455870b0a9cbf86c05251ddd529c9fba3fcdc
SHA256905c08df52e22e0e9b6dcc521af4bcc78e27db1998b864ff458394e9bfea2ad3
SHA512927650c4bde375414687aff58afafcbb568361cea5c49112c2ce0da727ac5ea653b724259fba41c3b4acef558dfba26ef6045d3a2a0e8cfb6f0fe4a0bedd71d9
-
Filesize
24KB
MD55d023824f0bb91de408ef1d6b954eb23
SHA181b140234856964ffd7aa100c6d80047523df019
SHA256a1bcbe39003c15ee1e531e4ccaac05d2f7d925aef40abc5ef8aa80bed4a150a0
SHA5124711aaaa8a4a53892b0feb7a25487a5e7a528100b3df8207500b4e056c432c96e335c6953ad4bedb73a6a1894b4b25b10a1c2a3955a6f26b98a15960473b186b
-
Filesize
79KB
MD5f8dfadd15b0c724443f9c5f12f26483b
SHA1330dc644e1a79e8aa686627fd1201c7c948698f7
SHA25650c93fae7f594407a32afbda2f877e316cca94de54101db07311291542d604b1
SHA5129376a9a5ae5ce389224262ede24d4718bddc8e139df61f37313bf3ecab3702ee7d9b63d033259dd781760ce7f356219cb327d65a2217a34ef92f2b78fa94fa55
-
Filesize
65KB
MD55722f4e1e52db6ce97a2ada9ac187c71
SHA1ad9f049e3c8cf08a147e36ae1260f5ebb40a4408
SHA256ad76b6da286a036e7dac58ad4d18c87302d91b1768fc8aa08be7d438ff07eb5a
SHA5122a4e2e2d77808682b521924000758d2709f30f71831c6ef04d8942c8fe492e0b1d5219fff74b05c17314973bc6f828133e79340f087f10e33279be00221a9ba9
-
Filesize
60KB
MD5be0addb87db5a1247b11c445e1f253d5
SHA15c36f70eec403f8279734e6ca4a1ac22f2a41384
SHA256e2d45abe5aff4929c51f336ff68e1cffa9a030ff05bf5f7954f4e8bff798edd3
SHA512b48cfb275128e1dd61e7b6ff344bc23d679d57db8e265ebc1c8632180c982c628818bfc703d5f563f97792cba770aa01cc344ee19603b865b5d77043b61b2ec8
-
Filesize
176KB
MD5a9376f54dd83bf547f6188f8904ae3af
SHA185bb802b0ade5b2136c83e6217a2aaace3735edc
SHA25644661d9d0df9aa2e03844719c9e6963a738e431c565f0983d309a0e113508d17
SHA51271a4e6251e201441ccc1ae9633790b977a898e6f42b0d25f4c54d66d99311dad5b63e25f7ac703e932db5a526290f95e9abfe2158b72cd21e8564ac1942a48a9
-
Filesize
13.8MB
MD5efb0528d6978337e964d999dacb621df
SHA1244979b8495d3d173a4359d62ad771f99a0033fc
SHA2564786ac3ceb9ecdcb98bdd19a0e93750e6c9c0df460751994840f8ea9733cc491
SHA5124b16aca5638094741a9e5f0e4581b5c3cdbd77835035362468d2a0e077fba0f96b8dd98c4a4ea853b3b623d5b525fe64091daa1b761597b660840a371fbae0df
-
Filesize
859B
MD5e026bc307ba75a0005b762fd057cb2c6
SHA1b0b4dbdf5e5ce0eab9b8eaa2ec3e7ac299f7ea00
SHA256506dc21f9f2fdb9ec97eea78f987be593c91a719cd77eba9e6256792fc463ba1
SHA5121962d5c7bd6f7a78ceec8873f138c23f7571707467c7a50e8e129977e6dfd8d8d67565e0fc798ded8c356107fb597af2353283c4e6a95564709d9a97e299c80b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
206KB
MD55dfd11773a165d97e5f0c53d51c52492
SHA13025f864238e45ed6ef5545386893f6efadcd29f
SHA256c62e1a6d73e76fea81515d2aee25494b8553f41855549e2d8f98fe6d689569c4
SHA51259a8782b4b517987d6347c3936ab196e7ca4edbcd668852711f6b29acc045ac8e769c68b5f4985c234da518acdd8c671a531a707f2706a35bd110bde2931b303
-
Filesize
1.5MB
MD52978ce3b334332c2bf8e6c45652c599c
SHA1d297e5a04848168db55cb7aa43ec9f68e88e3ff5
SHA256f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
SHA51257f28c9287b185183f190f3864edd84de8e6f8a28ab86468eff195a717eb57bc1c89c2b144f3a60b5c8880983ef85e3387bb0e1805d3295bfbcc323a996a5b20
-
Filesize
13.4MB
MD526dc83cd26d56041c731e497b96a8a73
SHA15338d1bc7da69233af80ca7ef13fa1dacfc0748c
SHA256b8927abe41a230bb684bcd01fa78d688ccf6c0df1c2177a46510b76df9f6ea6a
SHA51260b6625e3eaeeef6445b2809f1023557a1786aabc57a4b016216bd2567f278a5a228cb07a074790e90f5c83d8e939afbbe140bb9213b252b7631336ed8a653f5
-
Filesize
10.7MB
MD5b2ceff540f1fb7234b424a5702e989ba
SHA1db23b99773aaf3c3ccf45bb93a7321647aad99f9
SHA256eaa5582959770d5fa7fc18fa15d6e6aedec88b7503b8d16df3dd82626fab57d9
SHA512d42c2dbc0aecb9220c634cb3fbbe7c67eea107599048d7e3c66c01c0ed6a3c5639b6448fcc4de30e1a38a1b19bdd9882513403e3abfbffbfbdaadae49b59b342
-
Filesize
8.3MB
MD5b5887a19fe50bfa32b524aaad0a453bc
SHA1cd1f3905959cd596c83730a5b03ceef4e9f2a877
SHA256fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7
SHA5125b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538
-
Filesize
4.8MB
MD59a0770b61e54640630a3c8542c5bc7ac
SHA17cc5f989a483ec381d0293978796e28a4e8b4a90
SHA2569526753470158f5c148ba6c12f2dbd0f77cbe830ace567c44b5399d0e05b2b0c
SHA512608e16e2c8466e2736861773710bf8a1bc3ba9860f7ed6ac8d7706ea2c9f42343e3ba88236945b0f5b70fb0ee4d1ad355d87f9fbb6edb9e23c518a1dfa839a9d
-
Filesize
4.7MB
MD54b0348bf0a8544b5c6b90c79bbeca054
SHA1fffc3fed695f793866fc13fd2000531134e8874f
SHA256aa0b653006f07f7129c7c1ac1d2d3fbd7a3039b2f4a00771a8138705d5782ae0
SHA512887d7b2ff7bb4b0d0fbf68cf444e3274aa42cf30d02d322c8edb566984e6e1e9f3fe4dd29d1d70f6cd557f12749e5e17eff171c8a8391288dc3a63cb8d5fb5fe
-
Filesize
20.9MB
MD5df763cc3afd7e98d660e5db9de5b1d95
SHA1e50abf286735649267da3024aa27544eaf095845
SHA256aee46fb12d8bd25b4033b3ef7fb04703961e68e6cbc40d6aa410b01b05e4b411
SHA512a7622cf295023ca9073d3ae239b98268705f1b9ea850bc6c8f6db66f175b546df95a1dd4978bf376af4a6d4568ae0f78b66b3fa885a5146f6692a35c69b879c0
-
Filesize
5.5MB
MD5fdf999d19df6b5c6a03bdbe1990347b3
SHA13266aa1f4ee746d69601c42afcda7666efd08ea2
SHA2567a15dd944f05b7280ae9d297f7707f5ee712821fbae770930bae1539cf9e0b4e
SHA5123232b2b0e373104b0f3d31d0275e0d40d247abd3b3fc288cc75d29ed26161726d31728f7ac25a771b277f74fe9a274346820f7087596caf6184ea7c7ce340274
-
Filesize
2.1MB
MD56a94b94ba557d5d85a1da20213d48974
SHA1a311aa3a9243849b883867fa3d772e4c4e95d080
SHA256e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd
SHA512a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74
-
Filesize
19KB
MD58a4f0f41b42e3f0027066f418e5436c5
SHA13ce8dec5bcfd824805e40ec6f9d43ac45b6f029c
SHA256a0b724fea63d02a4b665dfb5c047da345e949385758e6bdc20b3c42951c549e4
SHA51219c0c02ba0fa3899f1f67cc19daab651a4384217cf81f50c3b3774cae09c5f2117bc2d43698866156e93a00948014345f96db1c8a637daf0a146862531ce3ef2
-
Filesize
264KB
MD550968bf1892077705f9182f7028c8ef2
SHA14785419ec767a0f0678175c8ae8fbd0b8bec624f
SHA256d65403b37e00e6268b8a0d4e1271f35077d3e3b82573d42eeb7260836edabc24
SHA5123e2809a85bdf471227f59d800069285e93b0ac200a284d18026637dcc2bc27df5b34445032483679f88b79b936b90e183a873a3bd073bcdb96e1e7189bc34c03
-
Filesize
72KB
MD51ebcc328f7d1da17041835b0a960e1fa
SHA1adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c
SHA2566779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a
SHA5120c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6
-
Filesize
291KB
MD51a679e0ccedfb2c3b8ebaf8d9b22f96a
SHA16ae0ff6690d0a857d145f671589a97620c1e43e5
SHA256d16eb8da5c5ce99f1a2e38677eff8d2ae532cb1ad0eddf10a311583004675960
SHA5128e60833f266f1a092846892659b117e06f96d5f7017ce0847333a7ae38f30b2a274bf6fe0ee43d5e94c1aa87a84ce340c4b66de256883bcf2bbc17038353a4d7
-
Filesize
9.5MB
MD5fb3065fb8f756f9ccca0ef035ddb0f0d
SHA10d6409e94e7c06be8dbf43c78c26d26f86a1454e
SHA2564d53c18f9c35747419cc289b1da6998457cb6ff5aeaddc1e5e474586b739b1c7
SHA5127eb443b4efeca64f1c7fdb3273523a87ed103d78cdb1cfe0c55d1491edacffae5d4d8563598ca43012add7eeb29a405f84bab66feb67211534c18f76ff04bced
-
Filesize
1.2MB
MD53c0bc60ec3907224b9720d80bf799281
SHA1303ce336a032b419eba255bd502bdbfcc343607f
SHA25607d538c1cab4f197f08f0d1811a2e3538e373659e25bc08d129fe4caf631048a
SHA51262ee08410a3deed3d65ee15e78cf43cd11ada873cb98ebecdc7eefddc4b598af2386d44f23b4e1f8496baffdd071deb888b2ab63be368b6e0d4782cb2e15a8b1
-
Filesize
14.2MB
MD5741b1f2ee5826897af2ba2ec765296e4
SHA1706534d9c6a16354974b3b6fd6d1f620524b7dd1
SHA2560b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d
SHA512a0b14ab280d906a8ad1681e335d30a457b02355cc941d12208f2ef460a9b1f700b84789749ee2080fb4351cce09e3cceeb9fea94478c3c81ae1fb184892de03a
-
Filesize
1022KB
MD5387d4b12ac9e87b9db76589fcca2b937
SHA14a51340e1817d7ab2c739b1237c541b58e3b7c9a
SHA25630d91ef269ca652f181ba1985cf2cf8a5790305927c6887e0c298c38ae87afcf
SHA51235bd0a53169d56a12260ec280977fdf0e3c07b41baa836a931667aaaeffebad902f7fb1b61b3d33072a02823a959a54a6327aed57580b970bc0bcee464cd4f87
-
Filesize
55KB
MD5d76e1525c8998795867a17ed33573552
SHA1daf5b2ffebc86b85e54201100be10fa19f19bf04
SHA256f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
SHA512c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd
-
Filesize
1.7MB
MD51777e41c01138cfcd1b8e4b6082ae3b1
SHA1bf83c19106c0226d8e3e08fbbd5633ce96472bf0
SHA2567af1ac95d468a1b0d9dfb2dbe0dba8b3aca9a09e2620a0ec35dc087f829f9401
SHA512e44f8d2b9c5f33b48c64107b9a1c8fd0ac77bf88b465e6fcdbcc2b1b3253f71922b350048e55b6d97e938892084b0d7cc098cdd208ee1f15b9434426449fa88b
-
Filesize
1.0MB
MD57a8463b22eb60bf18f4df8444e006d96
SHA1f1577856bf96eea03ba84a5fd85dfc9426d60def
SHA25607dfcd4aad4d53de15bd688a17d31ce50d591173d60fa2cb629b9ed94179cc2a
SHA5125bc787b6e6cc02c96481bfa87fa3336ba53aa596c1c4b053de40e18d400305481a7059a71c9ee9ad1e6ce3260a743860595a7cddbdbcffd7dfeb8eed06de9779
-
Filesize
203KB
MD526ea34638c9aab0fb5411b9944f50404
SHA1ab99b7c04950cdbaa28e6de6095efcb4d1e336b0
SHA25601c4c4582cdfc256135e87ae42ebccb02f2c2cdea4a37c233948a3ac454e1593
SHA5127f66607bd31f5dda446ba646e471a8546b975688a1468fd42fb10e60ab3986920efd3acf5c0b0836f7abd27f7f24544fc0e77c428ac01e84526d7794a8cc23f7
-
Filesize
203KB
MD5c457b64b8faf93fb23adb3d3b6a6cb78
SHA1b7171be5e8a552346f4f44148c8935ed52ba90d6
SHA256592474a6afcaa6a1147524a4a24ae9a535cd58f043e218ab64ae218ee7229f42
SHA5120810734f3717783de50b02b64e60dfbe210ecc43be4a013c6f3a659b31122e3195a0fcd2adec2cf14be3d6c4ab6405af7c17ef8ac2ff8b30d7eb5a6c59e89ebc
-
Filesize
273KB
MD52d8bfa12ffd53e578028edae844e7611
SHA1a0db3c316b9fc54b056ccb4cf284b90c95bfa605
SHA256d61d2772dc9bd808c17c2862d4be8aa61ccc6851012967e82b2f514f94ab6f97
SHA5128a107dcb884a19492604487f044f5e90aadfc6fd6594b3271081167bde5180c2db4fcf5333fa141944dc209f19476bf5a2c2d24f419a482cd94510185b1cc0a7
-
Filesize
268KB
MD56a9213568bc6a19895240ff14fd57329
SHA1bd18494cb4d7f652bcf9ce187e11ed0eccda65f8
SHA2565618de81f0a47570c7048019102af4664a7402b657dcc060148243e97159ad97
SHA512d6c658c22dd0e70f09c0a3d07b656ea6315c39a99bd7855f202447f88359272efdc8cfba17b5243b26fac69b5159ce2cec106f42df22bdb72f948c4f9618335d
-
Filesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD5e54dec68d633001c42366d0ecde3f2e0
SHA168ad889d9b6f02fa8d7c3df69d30eeff5745ef52
SHA256387015740938f6d013d089c66d2250c6f4e80f9d7d7a0887043df3dc3f812f02
SHA512dd531dfbbb35f4d92858227bebb93f396690e8a902cd61fc80e7a981cd34a4fdd8490130a552069f48f6a06f21f7c3a63e6e205274bb50f85cb81a1b329901f2
-
Filesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
Filesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
Filesize
9.1MB
MD52439191ec6705d5ec64a62100c3403b5
SHA1082d5e6026166c28ce86084a670aeb51fdced867
SHA256a4baabd02d5098ad2e56769050d9d59f3689e46fa71a08cf25a4f60aed5f6439
SHA5128f0f1c093ac1988a2d9ea8a068afe130411a96cfe38d64a1ab4a94ec0bb1e5972ba0b78b5ff9422488b966cc15eae468bf41b7981cfff9203f5e37237dbc9b4d