Resubmissions
12/03/2025, 21:32 | 250312-1dmynatxey | 10
11/03/2025, 16:10 | 250311-tmgdxaxnx4 | 10
06/03/2025, 02:30 | 250306-cze8yav1az | 10
Analysis
max time kernel: 237s
max time network: 266s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64 arch:x86 image:win11-20250217-en locale:en-us os:windows11-21h2-x64 system
submitted: 12/03/2025, 21:32
Static task: static1
Behavioral task: behavioral1
Sample: bluestealer.rar
Resource: win11-20250217-en
General
Target: bluestealer.rar
Size: 5.6MB
MD5: a90f4f14fd13ca22cfeb32127493bb3c
SHA1: 680a9f3b7d74575cdd91f461e9e2b47c10e5c79c
SHA256: ee66a185008549b9ca0c687a78aa6a69e4770dd12cab9dc63d5346c1f570904b
SHA512: 69fee2468fdb90e4dfebe18dd90f040be372a8d7c35f049d1f594c4f6ec37a7bb9fb8f2c847114e315b214e823d3921d4260b3770628903a875a8b9fbb270a66
SSDEEP: 98304:xIb3rOEojkouUyLJ/IIDwOMTwKoD+ORWkt78cZfHKDDFaWI5Sz3ptM9b3Pd4g6wx:izaEJvD0WD+OP8QfqmSz3pt2zV4g6SmC
Malware Config
Extracted
redline
@Baobabss
185.230.143.48:14462
Extracted
redline
@tupa187
185.230.143.48:14462
Extracted
formbook
4.1
o4ms
Extracted
asyncrat
4.0.0.0
Default
2.56.59.227:8081
2.56.59.227:8082
2.56.59.227:8083
Mutex_21687213
delay: 5
install: false
install_file: example.exe
install_folder: %AppData%
Extracted
agenttesla
Protocol: smtp
Host: smtp.boydsteamships.com
Port: 587
Username: [email protected]
Password: co*tNjEBt4
Extracted
xloader
2.5
mjyv
Extracted
redline
@l_Like_a_Sir_l
185.230.143.48:14462
Extracted
asyncrat
0.5.7B
Default
iphy.strangled.net:1604
gpmaw.duckdns.org:3040
gpmaw.duckdns.org:2020
gpmaw.duckdns.org:4040
hpdndbnb.duckdns.org:3040
hpdndbnb.duckdns.org:2020
hpdndbnb.duckdns.org:4040
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Extracted
redline
@chucoed
185.230.143.48:14462
Extracted
revengerat
NyanCatRevenge
hpdndbnb.duckdns.org:2404
90a49aa7c27647e
Extracted
azorult
https://guifenergy.co.ke/bin/32/index.php
Extracted
xloader
2.5
qs23
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
Asyncrat family
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Azorult family
Formbook family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 4 IoCs
resource | yara_rule
behavioral1/memory/4676-48-0x0000000000160000-0x0000000000182000-memory.dmp | family_redline
behavioral1/memory/1528-57-0x0000000000800000-0x0000000000822000-memory.dmp | family_redline
behavioral1/memory/5908-152-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral1/memory/2660-188-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
Redline family
RevengeRAT
Remote-access trojan with a wide range of capabilities.
Revengerat family
SectopRAT payload 4 IoCs
resource | yara_rule
behavioral1/memory/4676-48-0x0000000000160000-0x0000000000182000-memory.dmp | family_sectoprat
behavioral1/memory/1528-57-0x0000000000800000-0x0000000000822000-memory.dmp | family_sectoprat
behavioral1/memory/5908-152-0x0000000000400000-0x0000000000422000-memory.dmp | family_sectoprat
behavioral1/memory/2660-188-0x0000000000400000-0x0000000000422000-memory.dmp | family_sectoprat
Sectoprat family
Snake Keylogger
Keylogger and infostealer first seen in November 2020.
Snake Keylogger payload 4 IoCs
resource | yara_rule
behavioral1/memory/6816-250-0x0000000000400000-0x0000000000436000-memory.dmp | family_snakekeylogger
behavioral1/memory/6816-248-0x0000000000400000-0x0000000000436000-memory.dmp | family_snakekeylogger
behavioral1/files/0x001900000002af30-273.dat | family_snakekeylogger
behavioral1/memory/7120-274-0x0000000000980000-0x00000000009A6000-memory.dmp | family_snakekeylogger
Snakekeylogger family
Xloader family
AgentTesla payload 1 IoCs
resource | yara_rule
behavioral1/memory/2472-142-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x001c00000002aef6-174.dat | family_asyncrat
Formbook payload 1 IoCs
resource | yara_rule
behavioral1/memory/5480-120-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
Xloader payload 4 IoCs
resource | yara_rule
behavioral1/memory/5324-147-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/5324-184-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/4556-234-0x0000000000800000-0x0000000000829000-memory.dmp | xloader
behavioral1/memory/7084-356-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
3140 | netsh.exe
4864 | netsh.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | FB_E735.tmp.exe
Executes dropped EXE 50 IoCs
pid | Process
1480 | cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe
1896 | .exe
2444 | rape (2).exe
1124 | (1).exe
5428 | (2).exe
4108 | rape (6).exe
5316 | rape (13).exe
776 | rape (5).exe
904 | (6).exe
3908 | rape (12).exe
2108 | rape (11).exe
5480 | (1).exe
2564 | rape (11).exe
2268 | (5).exe
1552 | (6).exe
5984 | rape (8).exe
2576 | (4).exe
844 | (3).exe
2472 | rape (13).exe
5768 | rape (7).exe
5324 | (4).exe
1740 | rape (17).exe
3620 | rape (18).exe
1472 | nitropdf.enterprise.pro.x64.13.xx-patch.exe
2300 | AfraidDns_Async.exe
5068 | (3).exe
1276 | AfraidDns_Async.exe
5652 | rape (8).exe
6816 | (2).exe
7068 | FB_E735.tmp.exe
7120 | FB_E830.tmp.exe
1684 | rape (7).exe
6128 | rape (7).exe
3756 | sergf.exe
2700 | rape (5).exe
800 | AsyncClient no setting.exe
6248 | nitropdf.enterprise.pro.x64.13.xx-patch.exe
5588 | nitropdf.enterprise.pro.x64.13.xx-patch.exe
2088 | rape (12).exe
4528 | AsyncClient no setting.exe
4000 | (5).exe
4340 | rape (5).exe
2368 | rape (5).exe
4864 | (4).exe
296 | (3).exe
6256 | (4).exe
6696 | (4).exe
6684 | (4).exe
2484 | (3).exe
7084 | rape (18).exe
Loads dropped DLL 3 IoCs
pid | Process
1472 | nitropdf.enterprise.pro.x64.13.xx-patch.exe
6248 | nitropdf.enterprise.pro.x64.13.xx-patch.exe
5588 | nitropdf.enterprise.pro.x64.13.xx-patch.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FB_E735.tmp.exe\" .." | FB_E735.tmp.exe
pid | Process
5036 | powershell.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
12 | freegeoip.app
68 | freegeoip.app
12 | checkip.dyndns.org
Suspicious use of SetThreadContext 33 IoCs
description | pid | Process | procid_target
PID 1480 set thread context of 4676 | 1480 | cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe | 84
PID 1896 set thread context of 1528 | 1896 | .exe | 90
PID 2444 set thread context of 708 | 2444 | rape (2).exe | 97
PID 1124 set thread context of 5480 | 1124 | (1).exe | 121
PID 5480 set thread context of 3216 | 5480 | (1).exe | 52
PID 904 set thread context of 1552 | 904 | (6).exe | 124
PID 5316 set thread context of 2472 | 5316 | rape (13).exe | 130
PID 2576 set thread context of 5324 | 2576 | (4).exe | 137
PID 5324 set thread context of 3216 | 5324 | (4).exe | 52
PID 4108 set thread context of 5908 | 4108 | rape (6).exe | 141
PID 5768 set thread context of 1556 | 5768 | rape (7).exe | 143
PID 1552 set thread context of 5512 | 1552 | (6).exe | 151
PID 844 set thread context of 5068 | 844 | (3).exe | 148
PID 5324 set thread context of 3216 | 5324 | (4).exe | 52
PID 1564 set thread context of 3216 | 1564 | msiexec.exe | 52
PID 1740 set thread context of 2660 | 1740 | rape (17).exe | 161
PID 5512 set thread context of 5576 | 5512 | cvtres.exe | 165
PID 5984 set thread context of 5652 | 5984 | rape (8).exe | 178
PID 1564 set thread context of 2760 | 1564 | msiexec.exe | 149
PID 5428 set thread context of 6816 | 5428 | (2).exe | 189
PID 4556 set thread context of 3216 | 4556 | mstsc.exe | 52
PID 1684 set thread context of 796 | 1684 | rape (7).exe | 198
PID 776 set thread context of 2700 | 776 | rape (5).exe | 202
PID 6128 set thread context of 308 | 6128 | rape (7).exe | 203
PID 3908 set thread context of 2088 | 3908 | rape (12).exe | 205
PID 800 set thread context of 4528 | 800 | AsyncClient no setting.exe | 210
PID 2268 set thread context of 4000 | 2268 | (5).exe | 212
PID 4556 set thread context of 2760 | 4556 | mstsc.exe | 149
PID 6256 set thread context of 6696 | 6256 | (4).exe | 227
PID 4864 set thread context of 6684 | 4864 | (4).exe | 228
PID 296 set thread context of 2484 | 296 | (3).exe | 230
PID 3620 set thread context of 7084 | 3620 | rape (18).exe | 231
PID 7084 set thread context of 3216 | 7084 | rape (18).exe | 52
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Nitro\Pro\13\NitroPDF.exe | nitropdf.enterprise.pro.x64.13.xx-patch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Program crash 6 IoCs
pid | pid_target | Process | procid_target
4864 | 2564 | WerFault.exe | 127
6092 | 7120 | WerFault.exe | 195
400 | 3908 | WerFault.exe | 123
6940 | 4000 | WerFault.exe | 212
2076 | 4340 | WerFault.exe | 223
3900 | 2368 | WerFault.exe | 225
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 25 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rape (5).exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | rape (5).exe
Modifies registry class 64 IoCs
\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" nitropdf.enterprise.pro.x64.13.xx-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5a003100000000006c5a0dac100053797374656d33320000420009000400efbec5522d606c5a15ac2e0000008f3600000000010000000000000000000000000000003f477200530079007300740065006d0033003200000018000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 nitropdf.enterprise.pro.x64.13.xx-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "2" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" nitropdf.enterprise.pro.x64.13.xx-patch.exe Set value (data) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 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 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings taskmgr.exe Set value (data) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" Explorer.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
5576  schtasks.exe
4908  schtasks.exe
6236  schtasks.exe
4680  schtasks.exe
3352  schtasks.exe
5636  schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
3164  powershell.exe
3164  powershell.exe
4876  powershell.exe
4876  powershell.exe
5480  (1).exe
5480  (1).exe
5480  (1).exe
5480  (1).exe
5480  (1).exe
5480  (1).exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
2472  rape (13).exe
2472  rape (13).exe
2472  rape (13).exe
5324  (4).exe
5324  (4).exe
5324  (4).exe
5324  (4).exe
5324  (4).exe
5324  (4).exe
1552  (6).exe
1552  (6).exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
5324  (4).exe
5324  (4).exe
5324  (4).exe
5068  (3).exe
5068  (3).exe
5068  (3).exe
4556  mstsc.exe
4556  mstsc.exe
4556  mstsc.exe
5036  powershell.exe
5036  powershell.exe
5036  powershell.exe
5652  rape (8).exe
5652  rape (8).exe
5652  rape (8).exe
4556  mstsc.exe
4556  mstsc.exe
4556  mstsc.exe
5576  cvtres.exe
5576  cvtres.exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
7120  FB_E830.tmp.exe
7120  FB_E830.tmp.exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
1564  msiexec.exe
6696  (4).exe
6696  (4).exe
6696  (4).exe
6696  (4).exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
3864  7zFM.exe
3216  Explorer.EXE
Suspicious behavior: MapViewOfSection 18 IoCs
pid   Process
5480  (1).exe
5480  (1).exe
5480  (1).exe
5324  (4).exe
1564  msiexec.exe
5324  (4).exe
1564  msiexec.exe
5324  (4).exe
5324  (4).exe
1564  msiexec.exe
1564  msiexec.exe
4556  mstsc.exe
4556  mstsc.exe
4556  mstsc.exe
4556  mstsc.exe
7084  rape (18).exe
7084  rape (18).exe
7084  rape (18).exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                        pid   Process
Token: SeRestorePrivilege          3864  7zFM.exe
Token: 35                          3864  7zFM.exe
Token: SeSecurityPrivilege         3864  7zFM.exe
Token: SeDebugPrivilege            1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe
Token: SeDebugPrivilege            1896  .exe
Token: SeDebugPrivilege            2444  rape (2).exe
Token: SeDebugPrivilege            3164  powershell.exe
Token: SeDebugPrivilege            4876  powershell.exe
Token: SeDebugPrivilege            1124  (1).exe
Token: SeDebugPrivilege            5428  (2).exe
Token: SeDebugPrivilege            4108  rape (6).exe
Token: SeDebugPrivilege            5316  rape (13).exe
Token: SeDebugPrivilege            776   rape (5).exe
Token: SeDebugPrivilege            904   (6).exe
Token: SeDebugPrivilege            3908  rape (12).exe
Token: SeDebugPrivilege            2108  rape (11).exe
Token: SeDebugPrivilege            5480  (1).exe
Token: SeDebugPrivilege            2564  rape (11).exe
Token: SeDebugPrivilege            2268  (5).exe
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeDebugPrivilege            5984  rape (8).exe
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeDebugPrivilege            2576  (4).exe
Token: SeDebugPrivilege            1564  msiexec.exe
Token: SeDebugPrivilege            844   (3).exe
Token: SeDebugPrivilege            2472  rape (13).exe
Token: SeDebugPrivilege            5768  rape (7).exe
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeDebugPrivilege            5324  (4).exe
Token: SeDebugPrivilege            1740  rape (17).exe
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeDebugPrivilege            1552  (6).exe
Token: SeDebugPrivilege            3620  rape (18).exe
Token: SeShutdownPrivilege         2760  explorer.exe
Token: SeCreatePagefilePrivilege   2760  explorer.exe
Token: SeShutdownPrivilege         2760  explorer.exe
Token: SeCreatePagefilePrivilege   2760  explorer.exe
Token: SeShutdownPrivilege         2760  explorer.exe
Token: SeCreatePagefilePrivilege   2760  explorer.exe
Token: SeDebugPrivilege            5512  cvtres.exe
Token: SeShutdownPrivilege         2760  explorer.exe
Token: SeCreatePagefilePrivilege   2760  explorer.exe
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeDebugPrivilege            5068  (3).exe
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeShutdownPrivilege         3216  Explorer.EXE
Token: SeCreatePagefilePrivilege   3216  Explorer.EXE
Token: SeShutdownPrivilege         3216  Explorer.EXE
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process
3864  7zFM.exe
3864  7zFM.exe
2308  WindowsTerminal.exe
2760  explorer.exe
2760  explorer.exe
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
6544  taskmgr.exe
Suspicious use of SendNotifyMessage 64 IoCs
pid   Process
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
3216  Explorer.EXE
2760  explorer.exe
2760  explorer.exe
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
2760  explorer.exe
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
3216  Explorer.EXE
Suspicious use of SetWindowsHookEx 8 IoCs
pid   Process
3992  OpenWith.exe
1992  OpenWith.exe
3536  OpenWith.exe
2308  WindowsTerminal.exe
4136  OpenWith.exe
664   StartMenuExperienceHost.exe
1472  nitropdf.enterprise.pro.x64.13.xx-patch.exe
3216  Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process                                                                 procid_target
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1480 wrote to memory of 4676    1480  cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe    84
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 1896 wrote to memory of 1528    1896  .exe                                                                    90
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2444 wrote to memory of 708     2444  rape (2).exe                                                            97
PID 2024 wrote to memory of 2308    2024  wt.exe                                                                  103
PID 2024 wrote to memory of 2308    2024  wt.exe                                                                  103
PID 2024 wrote to memory of 2308    2024  wt.exe                                                                  103
PID 2308 wrote to memory of 1488    2308  WindowsTerminal.exe                                                     104
PID 2308 wrote to memory of 1488    2308  WindowsTerminal.exe                                                     104
PID 2308 wrote to memory of 4256    2308  WindowsTerminal.exe                                                     108
PID 2308 wrote to memory of 4256    2308  WindowsTerminal.exe                                                     108
PID 2308 wrote to memory of 4256    2308  WindowsTerminal.exe                                                     108
PID 2308 wrote to memory of 3164    2308  WindowsTerminal.exe                                                     109
PID 2308 wrote to memory of 3164    2308  WindowsTerminal.exe                                                     109
PID 2308 wrote to memory of 5148    2308  WindowsTerminal.exe                                                     110
PID 2308 wrote to memory of 5148    2308  WindowsTerminal.exe                                                     110
PID 2308 wrote to memory of 5148    2308  WindowsTerminal.exe                                                     110
PID 2308 wrote to memory of 4876    2308  WindowsTerminal.exe                                                     111
PID 2308 wrote to memory of 4876    2308  WindowsTerminal.exe                                                     111
PID 2308 wrote to memory of 4304    2308  WindowsTerminal.exe                                                     112
PID 2308 wrote to memory of 4304    2308  WindowsTerminal.exe                                                     112
PID 2308 wrote to memory of 4304    2308  WindowsTerminal.exe                                                     112
PID 2308 wrote to memory of 5856    2308  WindowsTerminal.exe                                                     113
PID 2308 wrote to memory of 5856    2308  WindowsTerminal.exe                                                     113
PID 1124 wrote to memory of 5480    1124  (1).exe                                                                 121
PID 1124 wrote to memory of 5480    1124  (1).exe                                                                 121
PID 1124 wrote to memory of 5480    1124  (1).exe                                                                 121
PID 1124 wrote to memory of 5480    1124  (1).exe                                                                 121
PID 1124 wrote to memory of 5480    1124  (1).exe                                                                 121
PID 1124 wrote to memory of 5480    1124  (1).exe                                                                 121
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 904 wrote to memory of 1552     904   (6).exe                                                                 124
PID 3216 wrote to memory of 1564    3216  Explorer.EXE                                                            126
PID 3216 wrote to memory of 1564    3216  Explorer.EXE                                                            126
PID 3216 wrote to memory of 1564    3216  Explorer.EXE                                                            126
PID 3216 wrote to memory of 2564    3216  Explorer.EXE                                                            127
PID 3216 wrote to memory of 2564    3216  Explorer.EXE                                                            127
PID 3216 wrote to memory of 2564    3216  Explorer.EXE                                                            127
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3216

  C:\Program Files\7-Zip\7zFM.exe (level 2)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\bluestealer.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3864

  C:\Users\Admin\Desktop\cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe (level 2)
  Command line: "C:\Users\Admin\Desktop\cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1480

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    PID: 4676

  C:\Users\Admin\Desktop\.exe (level 2)
  Command line: "C:\Users\Admin\Desktop\.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1896

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    PID: 1528

  C:\Users\Admin\Desktop\rape (2).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (2).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2444

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    PID: 708

  C:\Users\Admin\Desktop\ (1).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\ (1).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1124

    C:\Users\Admin\Desktop\ (1).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\ (1).exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID: 5480

  C:\Users\Admin\Desktop\ (2).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\ (2).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 5428

    C:\Users\Admin\Desktop\ (2).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\ (2).exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 6816

      C:\Users\Admin\AppData\Local\Temp\FB_E735.tmp.exe (level 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FB_E735.tmp.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 7068

      C:\Users\Admin\AppData\Local\Temp\FB_E830.tmp.exe (level 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FB_E830.tmp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 7120

        C:\Windows\SysWOW64\WerFault.exe (level 5)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1920
        - Program crash
        PID: 6092

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f
    - System Location Discovery: System Language Discovery
    PID: 6916

      C:\Windows\SysWOW64\schtasks.exe (level 4)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 4680

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Desktop\ (2).exe" "C:\Users\Admin\AppData\Roaming\sergf\sergf.exe"
    - System Location Discovery: System Language Discovery
    PID: 6924

  C:\Users\Admin\Desktop\rape (6).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (6).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 4108

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    PID: 5908

  C:\Users\Admin\Desktop\rape (13).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (13).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 5316

    C:\Users\Admin\Desktop\rape (13).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\rape (13).exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2472

  C:\Users\Admin\Desktop\rape (5).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (5).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 776

    C:\Users\Admin\Desktop\rape (5).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\rape (5).exe"
    - Executes dropped EXE
    - Checks processor information in registry
    PID: 2700

    C:\Users\Admin\Desktop\AsyncClient no setting.exe (level 3)
    Command line: "C:\Users\Admin\Desktop\AsyncClient no setting.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 800

      C:\Users\Admin\Desktop\AsyncClient no setting.exe (level 4)
      Command line: "C:\Users\Admin\Desktop\AsyncClient no setting.exe"
      - Executes dropped EXE
      PID: 4528

  C:\Users\Admin\Desktop\ (6).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\ (6).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 904

    C:\Users\Admin\Desktop\ (6).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\ (6).exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1552

      C:\Windows\explorer.exe (level 4)
      Command line: "C:\Windows\explorer.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Enumerates connected drives
      - Checks SCSI registry key(s)
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2760

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (level 4)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      PID: 5512

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (level 5)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        - Suspicious behavior: EnumeratesProcesses
        PID: 5576

        C:\Windows\SysWOW64\cmd.exe (level 5)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
        - System Location Discovery: System Language Discovery
        PID: 6088

          C:\Windows\SysWOW64\schtasks.exe (level 6)
          Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 6236

        C:\Windows\SysWOW64\cmd.exe (level 5)
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
        - System Location Discovery: System Language Discovery
        PID: 1360

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
    - System Location Discovery: System Language Discovery
    PID: 5392

      C:\Windows\SysWOW64\schtasks.exe (level 4)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 5576

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Desktop\ (6).exe" "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
    - System Location Discovery: System Language Discovery
    PID: 6028

  C:\Users\Admin\Desktop\rape (12).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (12).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID: 3908

    C:\Users\Admin\Desktop\rape (12).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\rape (12).exe"
    - Executes dropped EXE
    PID: 2088

    C:\Windows\SysWOW64\WerFault.exe (level 3)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1468
    - Program crash
    PID: 400

  C:\Users\Admin\Desktop\rape (11).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (11).exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2108

    C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2300

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\win10\win10.exe'" /f
    - System Location Discovery: System Language Discovery
    PID: 5036

      C:\Windows\SysWOW64\schtasks.exe (level 4)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\win10\win10.exe'" /f
      - Scheduled Task/Job: Scheduled Task
      PID: 4908

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "cmd.exe" /C copy "C:\Users\Admin\Desktop\rape (11).exe" "C:\Users\Admin\AppData\Local\Temp\win10\win10.exe"
    - System Location Discovery: System Language Discovery
    PID: 1684

  C:\Windows\SysWOW64\msiexec.exe (level 2)
  Command line: "C:\Windows\SysWOW64\msiexec.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID: 1564

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: /c del "C:\Users\Admin\Desktop\ (1).exe"
    - System Location Discovery: System Language Discovery
    PID: 5668

  C:\Users\Admin\Desktop\rape (11).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (11).exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2564

    C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1276

    C:\Windows\SysWOW64\WerFault.exe (level 3)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1080
    - Program crash
    PID: 4864

  C:\Users\Admin\Desktop\ (5).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\ (5).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2268

    C:\Users\Admin\Desktop\ (5).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\ (5).exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4000

      C:\Windows\SysWOW64\WerFault.exe (level 4)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 404
      - Program crash
      PID: 6940

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Filemanager\Filemanager.exe'" /f
    - System Location Discovery: System Language Discovery
    PID: 6892

      C:\Windows\SysWOW64\schtasks.exe (level 4)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Filemanager\Filemanager.exe'" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 3352

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Desktop\ (5).exe" "C:\Users\Admin\AppData\Roaming\Filemanager\Filemanager.exe"
    PID: 7112

  C:\Users\Admin\Desktop\rape (8).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (8).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 5984

    C:\Users\Admin\Desktop\rape (8).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\rape (8).exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 5652

  C:\Users\Admin\Desktop\ (4).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\ (4).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2576

    C:\Users\Admin\Desktop\ (4).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\ (4).exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID: 5324

  C:\Users\Admin\Desktop\ (3).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\ (3).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 844

    C:\Users\Admin\Desktop\ (3).exe (level 3)
    Command line: "C:\Users\Admin\Desktop\ (3).exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5068

  C:\Users\Admin\Desktop\rape (7).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (7).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 5768

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - System Location Discovery: System Language Discovery
    PID: 1556

      C:\Windows\SysWOW64\netsh.exe (level 4)
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 4864

      C:\Windows\SysWOW64\netsh.exe (level 4)
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID: 3140

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 5036

    C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID: 1472

  C:\Users\Admin\Desktop\rape (17).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (17).exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 1740

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    PID: 2660

  C:\Users\Admin\Desktop\rape (18).exe (level 2)
  Command line: "C:\Users\Admin\Desktop\rape (18).exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3620 -
C:\Users\Admin\Desktop\rape (18).exe"C:\Users\Admin\Desktop\rape (18).exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:7084
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4556 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Desktop\ (4).exe"3⤵
- System Location Discovery: System Language Discovery
PID:2836
-
-
-
C:\Users\Admin\Desktop\rape (7).exe"C:\Users\Admin\Desktop\rape (7).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- System Location Discovery: System Language Discovery
PID:796
-
-
C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6248
-
-
-
C:\Users\Admin\Desktop\rape (7).exe"C:\Users\Admin\Desktop\rape (7).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6128 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- System Location Discovery: System Language Discovery
PID:308
-
-
C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5588
-
-
-
C:\Users\Admin\Desktop\ (4).exe"C:\Users\Admin\Desktop\ (4).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Users\Admin\Desktop\ (4).exe"C:\Users\Admin\Desktop\ (4).exe"3⤵
- Executes dropped EXE
PID:6684
-
-
-
C:\Users\Admin\Desktop\rape (5).exe"C:\Users\Admin\Desktop\rape (5).exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4340 -
C:\Users\Admin\Desktop\rape (5).exe"C:\Users\Admin\Desktop\rape (5).exe"3⤵PID:2028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 14443⤵
- Program crash
PID:2076
-
-
-
C:\Users\Admin\Desktop\ (3).exe"C:\Users\Admin\Desktop\ (3).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:296 -
C:\Users\Admin\Desktop\ (3).exe"C:\Users\Admin\Desktop\ (3).exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484
-
-
-
C:\Users\Admin\Desktop\rape (5).exe"C:\Users\Admin\Desktop\rape (5).exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Users\Admin\Desktop\rape (5).exe"C:\Users\Admin\Desktop\rape (5).exe"3⤵PID:3044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 14443⤵
- Program crash
PID:3900
-
-
-
C:\Users\Admin\Desktop\ (4).exe"C:\Users\Admin\Desktop\ (4).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6256 -
C:\Users\Admin\Desktop\ (4).exe"C:\Users\Admin\Desktop\ (4).exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6696
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6544
-
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵PID:1036
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Desktop\rape (18).exe"3⤵
- System Location Discovery: System Language Discovery
PID:2108
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3992
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1992
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3536
-
C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Desktop\."1⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exewt.exe -d "C:\Users\Admin\Desktop\."2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\system32\wsl.exeC:\Windows\system32\wsl.exe --list3⤵PID:1488
-
-
C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa1c --server 0xa183⤵PID:4256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xb68 --server 0xb5c3⤵PID:5148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
-
C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xc2c --server 0xc243⤵PID:4304
-
-
C:\Windows\system32\cmd.execmd.exe3⤵PID:5856
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4136
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2564 -ip 25641⤵PID:1888
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:804
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7120 -ip 71201⤵PID:4864
-
C:\Users\Admin\AppData\Roaming\sergf\sergf.exeC:\Users\Admin\AppData\Roaming\sergf\sergf.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Users\Admin\AppData\Roaming\sergf\sergf.exe"C:\Users\Admin\AppData\Roaming\sergf\sergf.exe"2⤵PID:6664
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f2⤵PID:6668
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:5636
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\sergf\sergf.exe" "C:\Users\Admin\AppData\Roaming\sergf\sergf.exe"2⤵PID:5840
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3908 -ip 39081⤵PID:1888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4000 -ip 40001⤵PID:6944
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 43401⤵PID:6184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2368 -ip 23681⤵PID:6632
Network
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (3)
Downloads