redline | hxxps://download[.]tt2dd[.]com/

Resubmissions

22/05/2024, 04:29

240522-e39m3aca78 10

11/05/2024, 11:09

11/05/2024, 10:59

09/05/2024, 13:02

04/05/2024, 06:42

02/05/2024, 14:21

Analysis

max time kernel
253s
max time network
146s
platform
windows7_x64
resource
win7-20240508-ja
resource tags

arch:x64arch:x86image:win7-20240508-jalocale:ja-jpos:windows7-x64systemwindows
submitted
09/05/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

redline stealc vidar rajab discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

rajab

45.89.53.206:4663

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/640-420-0x0000000003350000-0x0000000003597000-memory.dmp	family_vidar_v7
behavioral2/memory/640-419-0x0000000003350000-0x0000000003597000-memory.dmp	family_vidar_v7

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/2832-400-0x0000000000210000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/2832-401-0x0000000000210000-0x0000000000262000-memory.dmp	family_redline
behavioral2/memory/2832-402-0x0000000000210000-0x0000000000262000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1712 created 1328	1712	Announcement.pif	21
PID 1712 created 1328	1712	Announcement.pif	21

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LynxChat.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LynxChat.url	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2416	Setup.exe
1712	Announcement.pif
908	Crack.exe
640	Equivalent.pif
2832	RegAsm.exe

Loads dropped DLL 4 IoCs

pid	Process
2252	cmd.exe
2652	cmd.exe
1712	Announcement.pif
2832	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
2896	tasklist.exe
2236	tasklist.exe
2480	tasklist.exe
560	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	Equivalent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	Equivalent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	Equivalent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Equivalent.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	Equivalent.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Equivalent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Equivalent.pif

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1868	PING.EXE
2968	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	chrome.exe
1492	chrome.exe
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
640	Equivalent.pif
640	Equivalent.pif
640	Equivalent.pif
640	Equivalent.pif
640	Equivalent.pif
640	Equivalent.pif
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
1712	Announcement.pif
1492	chrome.exe
1492	chrome.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2832	RegAsm.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2832	RegAsm.exe
2832	RegAsm.exe
2832	RegAsm.exe
2832	RegAsm.exe
2832	RegAsm.exe
2832	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2856	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
2764	7zG.exe
2188	7zG.exe
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
640	Equivalent.pif
640	Equivalent.pif
640	Equivalent.pif
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1712	Announcement.pif
1712	Announcement.pif
1712	Announcement.pif
640	Equivalent.pif
640	Equivalent.pif
640	Equivalent.pif
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2412	1492	chrome.exe	28
PID 1492 wrote to memory of 2412	1492	chrome.exe	28
PID 1492 wrote to memory of 2412	1492	chrome.exe	28
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 2736	1492	chrome.exe	30
PID 1492 wrote to memory of 1724	1492	chrome.exe	31
PID 1492 wrote to memory of 1724	1492	chrome.exe	31
PID 1492 wrote to memory of 1724	1492	chrome.exe	31
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32
PID 1492 wrote to memory of 2508	1492	chrome.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6579758,0x7fef6579768,0x7fef6579778
    3⤵
    PID:2412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:2
    3⤵
    PID:2736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:8
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:8
    3⤵
    PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:1
    3⤵
    PID:3048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:1
    3⤵
    PID:536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:2
    3⤵
    PID:1184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:8
    3⤵
    PID:1068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1796 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:1
    3⤵
    PID:2228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:8
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1352,i,3012831875964550512,17875340994073489087,131072 /prefetch:8
    3⤵
    PID:2716
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar.gz
    3⤵
    - Modifies registry class
    PID:1124
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar\" -spe -an -ai#7zMap5309:146:7zEvent20005
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2764
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar\Manual-Installer-V4.98767625T76545R980G\" -spe -an -ai#7zMap31036:228:7zEvent23439
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2188
- C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar\Manual-Installer-V4.98767625T76545R980G\Setup.exe
  "C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar\Manual-Installer-V4.98767625T76545R980G\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Reprint Reprint.cmd & Reprint.cmd & exit
    3⤵
    - Loads dropped DLL
    PID:2252
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2896
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2236
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 55206725
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "pastinvitationinformalimproving" Does
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Bikini + Relief + Fw + Maximize + Bases 55206725\q
      4⤵
      PID:1540
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55206725\Announcement.pif
      55206725\Announcement.pif 55206725\q
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1712
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LynxChat.url" & echo URL="C:\Users\Admin\AppData\Local\CyberSphere Dynamics\LynxChat.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LynxChat.url" & exit
  2⤵
  - Drops startup file
  PID:912
- C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar\Manual-Installer-V4.98767625T76545R980G\Crack.exe
  "C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar\Manual-Installer-V4.98767625T76545R980G\Crack.exe"
  2⤵
  - Executes dropped EXE
  PID:908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Broken Broken.cmd & Broken.cmd & exit
    3⤵
    - Loads dropped DLL
    PID:2652
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2480
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:560
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 1181
      4⤵
      PID:852
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "BluesAlgeriaDefinedIntersection" Pressed
      4⤵
      PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Breakfast + Dinner + Steven 1181\Q
      4⤵
      PID:1856
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1181\Equivalent.pif
      1181\Equivalent.pif 1181\Q
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2968
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2856
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55206725\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55206725\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31e49778302a8110f2d143e298ca49b9

SHA1
8d66faead59a5f21a0b661ebeecbedbc7962fedf

SHA256
bd43dc6f742171eab6196225fac829cacf3e83b4f93dd65fa805887f07ad815c

SHA512
72a85f481e596c597713f7a3823fb31d96c130f9dc5296cbf5ec4584c300a2bca62a8e6fd814267bb20f02b19d7908778bf34b22706ee5f7bb0cafa5a95beff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67a2f2ee4608ada69de6c1293c404c44

SHA1
3c8909fa9da93feb61343a8bb25c2970ea44ed0a

SHA256
48b9bccd5faa12160cbf6e15c5e31e3a8f9e084a9723045463707863f8ab3a54

SHA512
3d53ac4ef11ed315338ba9f0a018bf33273de690ebc0c4ea5c59fa553cd37ee694521dbbefb17813fb0093fb42abb6fa480949fdb18e3ea48c624059f8da35c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0b4fe4c0edf1a7a2549e44caf61a8445

SHA1
8295d4d20f2c08012ca1148779db343def4930ab

SHA256
0f393ff841b7742552b3fd2f819ab421e150713acd7b84c3c940ad1eca4acd72

SHA512
985dd95272befba98c2669d7584481453686e8a2cd95c0aa048685296c37fa01bb85cf0765461ce3762b051cf95430edc359f7334f3e0a7bab9d85c716a715f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
9b5eba4537c8c978aeb4c26ec02d4c48

SHA1
c3b88952c4388c497d32c30d8475741258a4dbe6

SHA256
a0beffdd3cedaf41081806512744d5e9fe4f2d6e38d4b44b68a55b4626f6f32c

SHA512
f09b1ba8dfdce1b991ab5675515c12658de83d30369a408d82d6df50e71e94592ddba378ebc3d9a4aa0c4f8491b571739c1fc9a2cdb5361be156edcdc22af048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1557f9777c7b53d78e539696402dec18

SHA1
c9a73e8e990c6192fd4c37bea193364808d04c0c

SHA256
5825531bf0f8b89bdc183c802605710722ff51eda7e38b78871049f23fc65687

SHA512
d43b344eb2629030d1ff32ce872631299bb439ef0ef0d05b6719c3f95272c78635e62116ff3fac08bbd4054db0cf3df11c36f141d76d5ad00f6ef346f41e8212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c5f4e9525a3e44b96dbb4a7af99423e8

SHA1
3416df323a24936682047113c079a79dd957b170

SHA256
cd5a6ad6f57c5e9f493a28a3801cd4125e1d8bec8bce7207a89c94767a1e9010

SHA512
77ba74314267880867af0fd1f032c60266ab91fd3bf20aea18b738e6337e6b7e547789c069065f177a0d9272c30684a55646f1d7d725ded6a1f8dfb2962daa20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8fa3cb35a1bec533e9564e19c045b309

SHA1
4adb4378e9f9b63b42bf923e8e63779aaf1d7157

SHA256
8338c2cf73f69cad6dd506dc364cc85b5e369e34cb8c3566b0a30426c5a8ef91

SHA512
0b93783ab89b57f7f45388524f67aae6bf9870f818a57dbd787c2bc8a0e0b4ecaa79eeb8829ebf1807b8cf30aa0a8e0e3c18438d56494da6e4ee8e4ed2c16b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
2a57e53cdf2668ab7d18f214735e5fab

SHA1
7c4ffde4b7714bd9bae3ed0660ecb870b00c9b5a

SHA256
a28dd5532237248fa66e4bc7f926430df406b77b1490049572cf9673f6ea6709

SHA512
57edbcdbaab9cdf15894bab9da5f1330134ad623d2a5c009be4be39bf0a87e0f54b5172e891e7969c5394445b210fd2e0838ec92c65cc3d916e8fed7db9e44ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55206725\q

Filesize
429KB

MD5
0e16279c98249aab9910a2fff72ebbc6

SHA1
f9c8736335606a6c086f6572a2a6c9ceb2784bbe

SHA256
d8e835e3a6385f90b7f5a2367a98dbe933310c4eed0deaa4cf0f1582cb16379f

SHA512
8bfcc6964bb1239d74dcda003a0d076784e0d2fba0aef1145d58782fb18834e3878195978d9579813df2ebe0873bb3323322fc5a2ed131d730cd0c1eb9cb4756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Answering

Filesize
34KB

MD5
c5f9f475de7e9ee88385c0167faba246

SHA1
c15f28af857b44f21bfb9cf30f0045fe133fed6f

SHA256
f90752a63f2f936057456e210a3aa7cfc9c616c527dfc7722ab975eed47d532c

SHA512
498660418e16797084ac2376ebaf35f30daaa62fbf9c767d7dd8bd5ff0d8a1590d7a94d9dc3054932a02b5283109801d7855d65d41a3f95252363de225c00cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bases

Filesize
3KB

MD5
dd8815477ea9528ae8ff3edc2ec40f4b

SHA1
8a2cdb3a6e4aa5ee6a6c6556e32a87bb2e3cc210

SHA256
db0b603cea03d6f04581b00d7b2129265eca4fd145faa2ed98077b7539a9f9b1

SHA512
c22a26b4d70bd3359218a2b8c50359f0197ccaf1a3d9cac40ea00158874aae2916f4a46216bb4914a077a304d3ef00a3a9333fb919fa34f69cd3a5467a7fc938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bd

Filesize
27KB

MD5
ab82d61f75d101eb20cf0a19b79d722d

SHA1
cd32f6392116f7f3ffd211fcdbdb155e0a0bc301

SHA256
6292db893218d11fce76dcd5f14b73addd6f6fd19d17661fffe351d55c31145d

SHA512
b166f9bbb0ed16f1c39218dd9cd29b0978568450d7592e4fbc5f3d73acee59772c8f8a713f381148dd9c05a31002641f2976892d55bcb6acc0c77dcc3af35402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bikini

Filesize
71KB

MD5
89dc1653fe6c07feffcca2d0e2ae6141

SHA1
b6a8a18a0cd3d594206367417d0a5e7261a83d0e

SHA256
e85a87a08d28df8475cd9aa2c08ecf0c993cb44337bb46c34134ea81ba42fd5a

SHA512
d99dbd44ebaa2976b10d06b2fda30bff88df96019f70f69f27b94c0ab214e4626bae7c8c029621271ffd0e9dcbaa6a19195568163cdfe88098383b4706f12329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Broken

Filesize
27KB

MD5
dbf242470b8793fbb15f2262de428dfe

SHA1
5a5694c41907a53ac44c0ab164c104a9c3377667

SHA256
66f1be1ca30374f5c9301d0f4528eff366bfb44d67c65e1321b066a3e6d1b9fe

SHA512
1059e358d3e513ee0a8ef2e8aae88a900890c65550bd6eff8cb50e02fbbb7dcedc5d0cf61e4dfbd196436f2b41c99fe5fb08afd8db595adc54e4b98659280f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Busty

Filesize
14KB

MD5
3d2180673bee65cf0fa0beea062f82f4

SHA1
894f7759e36e85562a5e2cf310b7ecf59d8975e8

SHA256
67a9aef37bd23f44ef41acc4054bdf6315f84dcd6ab7eccd878f70c270a2154a

SHA512
a46d226106012694d05cea50f0f9642718b8af7de2988235cfcdae195d66cc772fc945d59c94172d7b3bedc63c4f7953cd51fa930ae3f590b435f086b237285c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Colombia

Filesize
55KB

MD5
73d14fcaa5867147a144d5b99ffb8332

SHA1
f37f1fee7ee4aadce6dc72428bc5786d815f4cee

SHA256
9eca40718378e375d95f9b60e893843f11f2a06d3b09fd1abaa0400c7a1eca9d

SHA512
f0c94eac934a6ccccab7d6d510063a6ad17ddafc4d3b160a6c9e6c1b000523bff8eb83d83b90c83306a7a6d59df4c5444be81c9dddbce16353442eb6d970dc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Corporation

Filesize
36KB

MD5
95d99506ebd81f275db7405c10105217

SHA1
770d862a3b2b6c4cdd0dbad515c1b1837e73a85e

SHA256
a39564a2ad5fc274b639108b898d21382c168ef4f4bb16d1a1783550bb3e51c2

SHA512
86b3f0faf4aa7265da039d3ff01fb03f47137272a8ad1c17bf0b5496a9d0e4b812108b164a938bdde4f031e1a1140bfdd8ee4a6c2b1bfa7f27f76191934c7367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Crazy

Filesize
12KB

MD5
f2a40b7cd21b530472bb2e8b0d89136b

SHA1
2e45167924bb3c1ca5307feef80fc43a4a5e7af8

SHA256
dcd6a0df13bdb3adcc2aebb1352ed61c82f0f6f1bca2d19e70cc0f5d595c8e92

SHA512
663affc416f064c9e94f501d406f264246f818e1c57dbd4f6a6f9ec34de8c3da0229bad3a9e60837e5e722b08119535b1a8f0a39ed16a2b9e8d8ae382bc7f684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Does

Filesize
155B

MD5
77e157cb17ed60656abee35ef0346168

SHA1
1c3d0dfcbc3be543b798b74cd92958128ca8b128

SHA256
e257d8d93bf73e5e4a8c40fbdceb6e13e9651f683f18782d6cea323402a07548

SHA512
3e970d2773b117c02b3640935704f2e3ec62cc7dc5d12364efe80249c1ca7c8231f4d6b245f1c744f4fa69441fd2e40681e0f9dd886d3f4f245624cad3db3082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Earlier

Filesize
15KB

MD5
e92c016eddb450b3e86d82aa039cad02

SHA1
fc7f491c4d928436ae436863797c04b8b23a8ad1

SHA256
35bf35ed6372f240a3c8061ff983b6dda077438781cdc9d3cd19bbdab5c49960

SHA512
aec5b2dba92478be809e9316c1afdc74bab1dc0ae83265427820919a732423a197f78cf73b2068b5a8a0ca4e721309b02f1a0420c32ee75763c776029f49f6ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Et

Filesize
42KB

MD5
0ec8c7e006ce043fa7c02ce91b175f12

SHA1
7265bdeccc9f42ad33c4e7eba2bc1cca56e71954

SHA256
8fef92219d7ae98db35c1be45e8a41fb2bc27ea36e1bf57a9d81fda9d14fc95f

SHA512
cab9d10e5ff3fe5920e8ecf6a3a91f33b42fd8b9bdde34706f3d047c89bbbe1ce95f30513eb527cb28600884192f4115a1430c83755061f121a8d48ce532f710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Eva

Filesize
61KB

MD5
7e250be5fa778843177b2393f0b17419

SHA1
6d2b05818dea37e8012a30523732144e421a6e14

SHA256
e7420d5ccf157b1a35a91c6ea4cfbcb6e220b1bd95ca778b61397f6d547816ec

SHA512
1a202ed2afd3a199d442ba9683434fc2a5ded229d4435769eb41a9eabf1f87270298cfb4e220c8378f106eac0f468835a89afdea804f09d06e82d7de50be5368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Evolution

Filesize
63KB

MD5
0901b0d0d512bc902feb25490157ffbf

SHA1
b84050cb0496f45b7676ca8237ffd1c1de6d68df

SHA256
7c2053611fa9cd19b733cb2594caaa1acc1c0d5e9356c6fce5b158c377090ac0

SHA512
2b3876ef3b8fff839c10a9119b62b187faea4d4a384815e70e88a29990d9bb8079957bad74e66bc93172c3a8584c652202788e3ac5b7c0309df8ebd8d7465186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Exercises

Filesize
23KB

MD5
4ae9a830a28df6ceef564e032d7c14a6

SHA1
dd1a92d2df6b939de3e740da26e58681c87ccdfe

SHA256
5bee23acc72504a2789cf9e21bafbf2fc098f612c174b891bdd377712d1283df

SHA512
7ac0f03bf67b7be669534909e90a2fb7dbfb35bf97e1b6c73538b5b1c731614b5f474355b9577dc669a728c682ad367956ca1d7e204e9f37b6b9abc353db06d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fw

Filesize
141KB

MD5
12bfb07a04ce17f08ed4d9368001620a

SHA1
c8f6ed9c327e5ee266bdb43fe08e98842340d691

SHA256
a22c4ea1a207ea3fb1e58baa755f342112284eaa0a9f295085a1e3b8c13a24ee

SHA512
dca46dcdc3cfd38a2e420c98b62621299938eeae5026fe4b20ff8c01b616fcefd2929d32205a46aa584101c46a3319513eebb7c0dfdeadce11bb7ee881c144b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Harm

Filesize
26KB

MD5
847278273baea557f863008247367b65

SHA1
d9d20183b9810f2bbe1d655c264e05439f691fd1

SHA256
c6f0f7d6d2d744c4c4167878410114a9be7c28cf6a506ce50c6f2504918c08fa

SHA512
baa098aaba476311bcb9d84de456f4544151b36b4812b7985595a93cbe9a0b7d21cba5866a8a4282f87c5d1a4599ba8d8316df862866e0322485c8b8eb4e7657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\His

Filesize
42KB

MD5
751c49aad91b18494d138ee0cc6cb622

SHA1
621725721b84a279817f3bc0bcc9b325218548ce

SHA256
3bdeea17d6e666560aee48eb09fadc35c8715540b6ac68e5800018100ecab0cc

SHA512
3570f90da5ef4386f57233aeb6caa1f8e71dc9a3caa92b05bb56a768d7569a2d074bfbb3e89d975f8cceb458013538aa331da6870ea006a148405346e8b06c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Joins

Filesize
40KB

MD5
188ce596579c2d930d187d97ae19a767

SHA1
971c6af9d0e20e1b1974edad01f7715df97e089f

SHA256
8b8de4c9a3d09d9841fa94453ed482ecd6c07669b0c8dee18c623b9a4eae9721

SHA512
b72b038d4d6c6690864a5b28db593e854116fcd772e71b97fb8a691dde954113a2893b9d67e14c1ee94aaa6ec4c6e65cec7864ce1587012d1bc3daeac9b7680d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kennedy

Filesize
21KB

MD5
7a84a28c65a6a809e635583dfb749459

SHA1
4c9695bf4f5dd5a94d5e898b741e2d408a3bc3b4

SHA256
269a99d3fb90d2011a4ff28768dcfd65513edb5729a318e3c0a67ce4d48a392c

SHA512
61155af9efe8c870425bbc24a42b3ff1caecb9e813b00888cc0a53b10d5b23e9d241591f427af86ed27ec1ba85505fe12159055d2f5df988e9a46d2f37e874c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Laden

Filesize
8KB

MD5
900fe58c36324ceac6581212821ad122

SHA1
3e8ff27af8047e98151368d414eafebeffb88e28

SHA256
71caf18a2e40d456dd84d694a55d92e417342c524de6239157236efc6b9b32bc

SHA512
e3db08c30c33438b9b6052c10f7d93b1b301a71bc0d8be7a2f95c518056cb129bc6ca4cff12876f5587bddb745abcc3d45d929eef1dcf157487fdd1b6302dcf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ln

Filesize
47KB

MD5
6d3b213c936302eaefd7b4b8b417ebc1

SHA1
e2295759fe13a653bbfddcc0af58a3f894e46a16

SHA256
d36356da27c284891846dee72d16d531df97f39cbf162c0a1ca3a3aed0bf6d5f

SHA512
03ff362d01c8d61e055f9748f9c56b49c92324fb2c8ff3014e079fd149408182169d9fd0557d9345ce0c6370a81f6275d823d29d4026a602c0c8003d7661d9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Maximize

Filesize
95KB

MD5
e76929f60e7d0a7bcb5cbe821bcc717f

SHA1
732c36d6982a1e700b1527576279092cb31d7d5a

SHA256
d748b99c8108b112be58d1b3e4ef35aea0f84462cba7ab14a9a6142c0a0e7b10

SHA512
bfc8996483dfca72fa9c2fa16eccbbd307a0c2232c03beb8a380b30ba2d23ce14f05db1201c97d9d1aac3e19cc576053d964c18eb8ceb983b35ad23608c642bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Meter

Filesize
19KB

MD5
bbc104304467d04d85b33619f23fd8ca

SHA1
de13318c47c7e583ab8b6dcf3da7c373721e6ac3

SHA256
3393d226a3d9edf57cf2d93246ce625c5a860a41eb50035513a8e7d27724d96f

SHA512
034ac41e8c148f85cb4e27c5d2d7f74ba18c34eb8eee1b8440d4727a68777f5cc80fbbf98b0a20372f86fb0d228f6ab0d53a15a9c3cf33cf0781d1dc3f7ec7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Password

Filesize
45KB

MD5
642cc3cad7579882540d6e71b00d5e91

SHA1
fcfb810fa0f5983b781582afdd1a2b65c3310bc2

SHA256
d874480ed8bf8e2dbb3057848eb2a3cf94a64e1e61f8897001a3e05b63e3f29d

SHA512
b7afb9423475687f42c2dc084647e16d1054badbdf0f2c79952bb5b9e9c436fab48ceaa731a9630557621f3c3b785c64d49f3ad62a8e4af129d25bc4927f45d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pension

Filesize
30KB

MD5
fde08f709e056568f8556560990f5b4f

SHA1
db297a5b34deb093a0fb70e8bfb098e4999bb4aa

SHA256
260a009cd47d7c01df3bf879f374a2b1b97cb809fdb73d2f9253c5fe3eea86ac

SHA512
41373bca6518602d3136fdf42798a7469510ee1450664dfd1c85dffd638d3b3623ad7bbd3d24afae217bb5ab537cbde79e5870b741c507759affbf2c36adf865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pressed

Filesize
85B

MD5
cf5f76bcd29588fb5fbebd249283460c

SHA1
1a1f6a7b4a39acb640a016b5d52c672762de44d9

SHA256
dff0f7ea17f596008bff24de1c9231ac973091087ac3b305fb7b09b64e917b80

SHA512
2cc82370ef83fbecaa68d418f12c6fbe5cbcd99d6c55f49ad2e5aa00e51617a1edb4ba4ad36bf4dd195af57b54f1ff5cdefc3ddb72d7b14b047350fd6c886330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Proper

Filesize
61KB

MD5
c037de0212cd77bb2acb71b45e2bb7d4

SHA1
c27d9fd633e3b7ca1de016e804b9f49d485d2e02

SHA256
3e767c7ae42fa1a838709ffc869d72558b381f8a359eb8f2dcc7e9ad43abae20

SHA512
cbe7ae3587c49af096ee7e0188ae94285a27109343940e78fa78e49a75dfe51be5683708b568fb24a39bba6b296f59f03df23c3b7fefb501c611ce96a8111fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Proposition

Filesize
47KB

MD5
1702b70ee4cbb05665de2037f0f88161

SHA1
8be05a314d814265b8da7ee8a934624753fbd38d

SHA256
6492974c3ce14d4813b4cf2da843329a435648a339b95dfd32f8d566626a5f99

SHA512
5a0b7cbdde942a176fb9f9ba238a4e15c2d6da1cf0e7eb3742c69727faf447d21d62eaeee2bcc9b2b7b92b9a8cf4c48f47ce28f16a6c3613a95114deb0083f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Radio

Filesize
46KB

MD5
6803130c7cc6d3e49cfd5a22c7255d8f

SHA1
adbbd656bbeea80570eae42c796bcceaab5c0f4c

SHA256
476e554dfe172282402598012ec6727b3fad1f217fa9484508ada92fa86e0d43

SHA512
74913e88ae907fe5602e63339622ca4b7fbc3cf919b8346634ab833112868b061a2bede9682b6d0c1bb48f3033758084fb211ea32d63211813b1f90f4dfb2a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Relief

Filesize
119KB

MD5
1cdcb9dd6bdbb4f18d344d51f53ca35a

SHA1
cd9f98a0ce1fca78ef27e10029be8c852071c41f

SHA256
8a6cc44697aff7597e1c4c01d5cf1b0a0b07b22cd6f4c3c17b5a96b19c62f429

SHA512
9943b4596cb021b0960ee943fa433a2583082a36a333692cb1c75fbca78551fe396ed8e7d905250a82487ebb2479eaad5dd96371b66f99b9377720e4fc3236f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Reprint

Filesize
21KB

MD5
55dd4a20f7eeebd633cd9686d55a6fb2

SHA1
400dcd289e265494671d162731aea59eacceab0d

SHA256
dff5d673567b73e1bb4ecc210d61d1db5a5653920cb2aba84d1cef5d6d3ebabe

SHA512
59748f5fd92a00d3234c06ce3335cd9b387a48449b454aef915ab539d13de2c5983892c9d88fd713327b2fa67e5ec2b1f2e2417a52fb38f4c4b56f079d8a6d16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Seasons

Filesize
34KB

MD5
00f36700d9d99547a524d6c485f81b97

SHA1
4ad7129284149769bccd1105f77a0a30e600c4b7

SHA256
3fe028c9d835683031c15ece07aad46205113fb404f061e41117cb2cba195f8e

SHA512
56bcaa17dbe4281e65ecb50ff7755d5b62b86e733477e77962cf5147abffb108328a252291eb369b7429eda31d901d5e087dd1e0d5ebac3fb4ee9f29267a0688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sign

Filesize
55KB

MD5
9521f2ca06365470502c1e72e884ca2a

SHA1
f4a347fe3795eebb2aec5eda8bc342536d957828

SHA256
57abb3caa53763da0ec965ba5a0c6c6398e2e3dc7f65eaabe4e97fbf419d76d0

SHA512
5c6307c46b4aa3ae63e4bf0c66f515ce62866f8d7bbe45111f5ab95d6536bc43e6a2b7e41eae32d89bf96f188a818b42b91c80d00f855c770b916064ede4e26f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Smart

Filesize
6KB

MD5
0d812f6b5ea4d9707a3d2b6097d481dc

SHA1
ecd4540d35844865e85980b831570e2e96336141

SHA256
a8168cd0919a05a6bde6546df7352c85416ce6dc3931e0451b933077e8862a4a

SHA512
cbb0eda621794c0156acd222407feea93a25b22e94c89103005c9b757762edfe4a394e6fe8bd0207547cfce8711c36453223dd18dc928a8f96551f0fd55e20b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spears

Filesize
26KB

MD5
8545d958ef99bfb24b569ab066d8e27d

SHA1
303b7b887280b61cae2936201cebb874c16f9b3b

SHA256
e67d227e4dfc69ff61d03c5ece2ce16458f8ae590a133976397129bf9ee56406

SHA512
b2c357bd47f6a470b12e1ae518706814166f053f242c73abbdc230cfa07a56baf7917e63adb1563161583adb89a2f2a7d7ed7d7d22ab3324674a3c7b0bb94ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Storage

Filesize
33KB

MD5
b93b13b168b93143ab66f60fc81d1fca

SHA1
7d342b47bd372aaf1991607d66d552c813c5de8f

SHA256
931c7ba52717cecf461dfa66a44d73f053befe71bc8432893ca0428c2f1d8045

SHA512
27d3cb138365c8a7bb4fdda89294541a311a40917b23ec5abdd3b61ceebe35ead8ae1b78d8283fe7f34220deecb7b9deb3c90920ee5b1eca3d4b59606dca7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Submission

Filesize
9KB

MD5
00a438783b8ab51d81596ac52ad07157

SHA1
55a56232dafe2610d381f536eb942009d5972233

SHA256
dba238af26bbf85836d27c52ada3106b865ce90b6a17a37247a12ce38c5559e1

SHA512
5e0854668487d9eefd3ed36afeb96fbeb78a4a15689d41b29a5a6048df81aba1a9e5e3a22b4cef6f68750be747aa8a84c15c277a1edd6090118d5c99c49faf5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ta

Filesize
6KB

MD5
f60f406fd3dfca1f0ae0fe0113dec01a

SHA1
23d51e53c09b720aa25125f195501c1e0402378b

SHA256
3c184485b23e0d19b39aeae57e95cb772fae39c03b0838605f9acc3ae23d50c9

SHA512
72d62af40e6432380aa52b752ebd8770c70586d477c00996cda0ba30ddf78d6303d6dcfdadf1a3fb1ad965f0dda43ef7ee7397e32200d2717795e6a946230327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Terminology

Filesize
64KB

MD5
ce5b7cede522240f805669ed75da9cbb

SHA1
4cbd7aca97e9580b8294734025314d7b34c12ffa

SHA256
bca86d9298807bdb93f997d29736ae4255edd599d0fe4567b7a68fcbae516f11

SHA512
8a39930ac5ce43f7249416136f26289f1d2159240d45b494f858d3a79d71205d2d380ae4feb9f0d1a505edc8f17084abfebe57669f34224c9196ba37bf641010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Total

Filesize
37KB

MD5
af32b2e863ee66a1b6dd74ca65861a05

SHA1
f1c1c69841d4f47daee1e7f7e1378c5782ce90a4

SHA256
64a77c215107ea2183e66cc34352c7d0afdec70e6d794877592c1db7bfcb9264

SHA512
bf64cc545d5daf167b9af8506e631683e765f809d43c6799e57db60065d1169c991ec83a8b0876ed9582ba3090441403ecba34a1e4c7706cfe06e7203d97fa15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Travelers

Filesize
23KB

MD5
3abd1be764e77a01ba50d7540cfb4358

SHA1
af6b3162f419f631ade9819f294d01979ff15fd7

SHA256
eee2b5ca9bb0a0f09516ec19bae1e23fd91e02a42f0f311677ad764e3d328f63

SHA512
77d43432ff1c480f033c1e2b799d6b21371a3877714c78f9ba68c1d9479a40fd368dc94fd46b4d5230ae0c6d56b403dece7bb6e0f1654c0daa731da70564446b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Turkey

Filesize
5KB

MD5
5d869b16db71ff094e1b063bf014edcb

SHA1
b9003c1ea2eaa6e8443b2a5cd4df570369cf39f6

SHA256
aa50cd9ab888451202b74afb1b533dfa884b0d3d5184f757f43310d6e2a4dd3c

SHA512
7508a27b0b7a6e22cbb9d66529b8d66b8054e2db77a4dfea4d7420b69f970281b1a46c6d08c2b1a2e973613046aed7ae6a17610e34f8c4330485c6a325c84b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vibrator

Filesize
31KB

MD5
f3491fd23f5eeab678812b758b29ffdd

SHA1
4d724ffc50c0139276f2e3fd561a0bb10c697fe7

SHA256
0e0137af0f7b35ad1320a820e1e7b5e309bbcd64479359673a779a8c1f8eadfa

SHA512
ea5b47524d009c0abdcbf7890c09c5fa14683e23651d028c520a0cc69aadc34b1a07700996920b5aff02c9e43f121ab335267173d65c318d47a15f71aa08089b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Visit

Filesize
69KB

MD5
f8116f63158d44b8a32653ba47d338be

SHA1
4ce47792d29f7b2d59f2aed06ed530da7ec7db46

SHA256
9db8cebd14a1aab1c4dcece95213d4e91941b173e515c079f9913e8323f9520a

SHA512
df97dd0a2e574503fd0593bccec021d460f22dda3c8b9d78ffcc3db7e447d9ea79206dfde6db13038803efa5cf6c5f80124a79b77232e273e96d1a0264b2d646

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84CB.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84EE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5F9E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar.gz

Filesize
2.7MB

MD5
712e95f9d0c5c7359aeaab697e099f9e

SHA1
9ff66a4d79e060d764093b70fe68949b62edf439

SHA256
d954514846c34e32e4cc7a29b840e4842a9dc7146c7daeb8ed454e301f52f7bf

SHA512
7582f4d0a001df350a0ae4da5e189388017c63345dc06e3c2656baa3e931688b4e8c0c127b107730f71dc3723e10ebf67fd1de17edac6fd29f15f23fed296b9f

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V4.98767625T76545R980G.tar\Manual-Installer-V4.98767625T76545R980G\bin\Debug\MusicPlayerApp.vshost.exe.config

Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55206725\Announcement.pif

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/640-420-0x0000000003350000-0x0000000003597000-memory.dmp

Filesize
2.3MB

Download
memory/640-418-0x0000000003350000-0x0000000003597000-memory.dmp

Filesize
2.3MB

Download
memory/640-417-0x0000000003350000-0x0000000003597000-memory.dmp

Filesize
2.3MB

Download
memory/640-416-0x0000000003350000-0x0000000003597000-memory.dmp

Filesize
2.3MB

Download
memory/640-419-0x0000000003350000-0x0000000003597000-memory.dmp

Filesize
2.3MB

Download
memory/2832-402-0x0000000000210000-0x0000000000262000-memory.dmp

Filesize
328KB

Download
memory/2832-401-0x0000000000210000-0x0000000000262000-memory.dmp

Filesize
328KB

Download
memory/2832-400-0x0000000000210000-0x0000000000262000-memory.dmp

Filesize
328KB

Download
memory/2856-395-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2856-394-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2856-552-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2856-553-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2856-554-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download