redline | 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa

Analysis

max time kernel
118s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84bf36993bdd61d216e83fe391fcc7fd.exe
Size

304KB
MD5

84bf36993bdd61d216e83fe391fcc7fd
SHA1

e023212e847a54328aaea05fbe41eb4828855ce6
SHA256

8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512

bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf
SSDEEP

3072:aq6EgY6igrUjXwwRwPfhlogDHGjZyTAZtAsiLVcZqf7D34leqiOLibBOO:ZqY6i7wPnpiZyTAfAPVcZqf7DIvL

Score

10^/10

redline stealc vidar 1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

185.215.113.67:40960

Extracted

Family

stealc

rc4.plain

Signatures

Detect Vidar Stealer 8 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2944-328-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7
behavioral1/memory/2944-329-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7
behavioral1/memory/2944-437-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7
behavioral1/memory/2944-456-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7
behavioral1/memory/2944-486-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7
behavioral1/memory/2944-505-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7
behavioral1/memory/2944-664-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7
behavioral1/memory/2944-683-0x0000000003560000-0x00000000037A6000-memory.dmp	family_vidar_v7

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-1-0x0000000000880000-0x00000000008D2000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

eng.exeRent.pif

pid process

2912 eng.exe
2944 Rent.pif
Loads dropped DLL 2 IoCs

Processes:

84bf36993bdd61d216e83fe391fcc7fd.execmd.exe

pid process

1712 84bf36993bdd61d216e83fe391fcc7fd.exe
2204 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 bitbucket.org
6 bitbucket.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2912	eng.exe
2944	Rent.pif

flow	ioc
5	bitbucket.org
6	bitbucket.org

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\eng.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\eng.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Rent.pif

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Rent.pif
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1124 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1324 tasklist.exe
2160 tasklist.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Rent.pif

pid	process
1124	timeout.exe

pid	process
1324	tasklist.exe
2160	tasklist.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Rent.pif84bf36993bdd61d216e83fe391fcc7fd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Rent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Rent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	84bf36993bdd61d216e83fe391fcc7fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Rent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Rent.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	84bf36993bdd61d216e83fe391fcc7fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	84bf36993bdd61d216e83fe391fcc7fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Rent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	84bf36993bdd61d216e83fe391fcc7fd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	84bf36993bdd61d216e83fe391fcc7fd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1224 PING.EXE

pid	process
1224	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

84bf36993bdd61d216e83fe391fcc7fd.exeRent.pif

pid	process
1712	84bf36993bdd61d216e83fe391fcc7fd.exe
1712	84bf36993bdd61d216e83fe391fcc7fd.exe
1712	84bf36993bdd61d216e83fe391fcc7fd.exe
2944	Rent.pif
2944	Rent.pif
2944	Rent.pif
2944	Rent.pif
2944	Rent.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

84bf36993bdd61d216e83fe391fcc7fd.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1712	84bf36993bdd61d216e83fe391fcc7fd.exe
Token: SeDebugPrivilege	1324	tasklist.exe
Token: SeDebugPrivilege	2160	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Rent.pif

pid process

2944 Rent.pif
2944 Rent.pif
2944 Rent.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Rent.pif

pid process

2944 Rent.pif
2944 Rent.pif
2944 Rent.pif

pid	process
2944	Rent.pif
2944	Rent.pif
2944	Rent.pif

pid	process
2944	Rent.pif
2944	Rent.pif
2944	Rent.pif

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

84bf36993bdd61d216e83fe391fcc7fd.exeeng.execmd.exeRent.pifcmd.exe

description	pid	process	target process
PID 1712 wrote to memory of 2912	1712	84bf36993bdd61d216e83fe391fcc7fd.exe	eng.exe
PID 1712 wrote to memory of 2912	1712	84bf36993bdd61d216e83fe391fcc7fd.exe	eng.exe
PID 1712 wrote to memory of 2912	1712	84bf36993bdd61d216e83fe391fcc7fd.exe	eng.exe
PID 1712 wrote to memory of 2912	1712	84bf36993bdd61d216e83fe391fcc7fd.exe	eng.exe
PID 2912 wrote to memory of 2204	2912	eng.exe	cmd.exe
PID 2912 wrote to memory of 2204	2912	eng.exe	cmd.exe
PID 2912 wrote to memory of 2204	2912	eng.exe	cmd.exe
PID 2912 wrote to memory of 2204	2912	eng.exe	cmd.exe
PID 2204 wrote to memory of 1324	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 1324	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 1324	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 1324	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 2580	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2580	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2580	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2580	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2160	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 2160	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 2160	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 2160	2204	cmd.exe	tasklist.exe
PID 2204 wrote to memory of 2152	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2152	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2152	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2152	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2596	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2596	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2596	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2596	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2644	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2644	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2644	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2644	2204	cmd.exe	findstr.exe
PID 2204 wrote to memory of 2488	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2488	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2488	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2488	2204	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2944	2204	cmd.exe	Rent.pif
PID 2204 wrote to memory of 2944	2204	cmd.exe	Rent.pif
PID 2204 wrote to memory of 2944	2204	cmd.exe	Rent.pif
PID 2204 wrote to memory of 2944	2204	cmd.exe	Rent.pif
PID 2204 wrote to memory of 1224	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 1224	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 1224	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 1224	2204	cmd.exe	PING.EXE
PID 2944 wrote to memory of 1496	2944	Rent.pif	cmd.exe
PID 2944 wrote to memory of 1496	2944	Rent.pif	cmd.exe
PID 2944 wrote to memory of 1496	2944	Rent.pif	cmd.exe
PID 2944 wrote to memory of 1496	2944	Rent.pif	cmd.exe
PID 2944 wrote to memory of 1628	2944	Rent.pif	cmd.exe
PID 2944 wrote to memory of 1628	2944	Rent.pif	cmd.exe
PID 2944 wrote to memory of 1628	2944	Rent.pif	cmd.exe
PID 2944 wrote to memory of 1628	2944	Rent.pif	cmd.exe
PID 1628 wrote to memory of 1124	1628	cmd.exe	timeout.exe
PID 1628 wrote to memory of 1124	1628	cmd.exe	timeout.exe
PID 1628 wrote to memory of 1124	1628	cmd.exe	timeout.exe
PID 1628 wrote to memory of 1124	1628	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\84bf36993bdd61d216e83fe391fcc7fd.exe
"C:\Users\Admin\AppData\Local\Temp\84bf36993bdd61d216e83fe391fcc7fd.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\eng.exe
  "C:\Users\Admin\AppData\Local\Temp\eng.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1324
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 335993
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "EnquiryAnContributionRefers" Tank
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Ph + Shoot 335993\r
      4⤵
      PID:2488
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\335993\Rent.pif
      335993\Rent.pif 335993\r
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\ProgramData\HCAEGCBFHJ.exe"
        5⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKJDHDBKEBGH" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:1124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42dc55672d2950fd3dd942e7fa994063

SHA1
8c4555870db5d84adaeb2e8d28b167eb2512c033

SHA256
5a340f638496541e95da01ee348b5cacf31b84e4fbe230dbae4a4eb367f37129

SHA512
5f4e5bb8b376962653c93054ba300dcfc8083d17a32b36b2356562658afad3489883bf45b49932843806f62af80768124401e04f01297c51a6c595365991bfc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf0aa285a5ecbbee48c666df3601d0bc

SHA1
80c38b16d444fb4983549646ca557fd287e7ad7f

SHA256
861b1f6baf164d0b601e1bb9d0f3d57a154315382cfe2b8687dc1360e4adbb6a

SHA512
32394ee67c7034222d2431810fc56acbf23e2ed5c990d0afec3e981ab0a104629d8ec28b3c165011dbeaee55780c8b2271c6afaadc47df6eb81a96d997487a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fa50c26ad055a814a6c7cedf72c5a54

SHA1
bbecc4a818c9981724b77c7ab5fa9a6040a8124b

SHA256
ce2ccb1bf1d6e9306fba2fea586622a09933fbfaddd47247d303231bab869ce2

SHA512
7819d6acb33a53ce4855eeffe9923695d1d454433d8ad423f2a66bfd2795faf2f53cb0f29367a065e9443e0db98d8ce7723b4c3ad61442a6d2fc0b13462a63ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1c4aa004fa10743ddd25a6a4321f86ac

SHA1
181f3fe21362bfd72b583b2452b991bc18b85ac7

SHA256
ec26f6b85104cd2fc32850f1acfc421f9c03077619cff8e24019dd05a0c0560e

SHA512
bc592a6a7be4e21711d90addf3e14e9bb7e48137aa2d763efadec257ab6841002625ab11c264839ae1abdc56fc9bdbbb375953148e41321fef2c64a854ef52ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\335993\r

Filesize
338KB

MD5
34975ef226eceb21f03f28d05acf85c2

SHA1
2e659a9335b8f4cb29dc1a9b142156f128fcdbdc

SHA256
c61b764e91da03e02120dfe4253d4e071acb51aff84b3c56767b72f1e5e5ed50

SHA512
2ef7a333bf25f33b4a54dccc842ba6575e32802a2655e0679c1ee1b6086b2260f65051711f95120deccbe90f9a009929c8b805336e4595e983840fa807210157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Britney

Filesize
15KB

MD5
f5339a664c62f59758f97c27e5f18250

SHA1
6fe5f98d6bf4f9271d89d90760cb8abcd5cb0b42

SHA256
c7a2bb2a2938356cd5ca3fb1854dbd6972e5cf0482e2958cd82bb076d0f6ac69

SHA512
b3bd2f5235059a2c8b9058f888c6f4fffaa2bb603c15dfcde442dd9812a54642868bb3c05b18921da743713351b6ede41f6788e46af543d8e7eb5bdd5f8b8c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Considerations

Filesize
63KB

MD5
6e3f2f6daa0302e32004ebe4e10d3a70

SHA1
14e47c604889e4f1ed1514b17f2e7c10412f2b5c

SHA256
37f28d62d96a81bd91eb58f29a99e9a77926d91d417d6f66f6f8a6eece7526d0

SHA512
0f1005cb04b9fe4bf4c063437bf1ccc0071c5db08369f1531bdd8c41b6a5e7ff0f4cce0f7936bce69fb9df221e3dc3a506879b090de751b22473c09e7c7156ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Defeat

Filesize
8KB

MD5
5fa2ab455cc5da6e96ab13dd1cd54bb6

SHA1
81d893c35c38ae7516582fcc51bce0b1e53f941d

SHA256
48c0322e96b304cd939baf6d79183e69069678b89184d7a8c43804769095fad2

SHA512
06e3ce00536694b0ee72809480f820e90decbc3b3337ef148fa18caeb502f799485c4c1cd1342cc8debff83e0d76f0e8d13b93a75419631da78aa8c59a4d9f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Descriptions

Filesize
10KB

MD5
ac7ade76b8beaf6a938d53b3caaba512

SHA1
23cd8c38ed38d7619cde18b13b9a5aa39daec08e

SHA256
7ae2ec9669a960155327bd0a4bc77910a1b99583b52992d7cd8199e4f6ca2f69

SHA512
ff4af167f39599d7fcb3bfc94cd3dce9f0ae025298e43d2fd4a6847881d6317463df3f5610d1ae1dc9fdd6de44f9ce156f5b3543c6df4fe2e6b39a524330e705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Designated

Filesize
24KB

MD5
e7a2b27a7d4871e46c7b768f527739ee

SHA1
5d32cc2709a8a754f01412fae3de06bec38ab309

SHA256
c8f1e37f60d9b509f6ba28da0ce2fce3cf165afe87e74383aaa7a2c50abecb16

SHA512
6780fedc9fb56a2bc61a8ce70f10f9f9d5bbfc8f6b45c0f63f7ff7edee6f9c12ab576d938c7e32c9519092f2c594c2343d7ee51b5e0abe67f4f2b6e0c17c897f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Donna

Filesize
39KB

MD5
41d97824b0359d0c4fce3b40e53aee4c

SHA1
b142e29dd94cb730c426b7b90d7018ba390ef0cf

SHA256
18bf0e8c0d9ad3370de623d2c9aa690cc6f7988d43489d9eaef8e50546a0a437

SHA512
2ef7dc75bb2a953ae782852e22e8876b489923178f42f589b1759b61506c498c36d5a4be46a1903ca26aee9c4cc21d00494fbce8251f51eed379bb10560b14e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ed

Filesize
8KB

MD5
f47d19edcc3babcde919e3c34e823295

SHA1
6c7258605316c1fb24f8ab4356c4a7124c21b69e

SHA256
f455c49ee56b4c49cf34ad0cd07986b5f55b504a8b523ea0eb79f332a255a3d6

SHA512
9df301ff7113259e13beebf5a7d1b2270c65c568612539bf26416eab2edb3af591a30279793700a881972de4266e1c9e044db3c0de5b6a1d328b700c3004698c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Epinionscom

Filesize
63KB

MD5
fe358073b67f13eb6c2a16137514c833

SHA1
946cc24ddb9f36561ee139d594ac122497813e50

SHA256
ee478441e8ca4bf07da4f8ae5cd30de64b36e1862c44ab087a2f7a6326c6a876

SHA512
1862a4b2e514d31a1e51e02cdc3696f45c41c4d105b09542fd1683b0590543a172847cd3cf109168f49a4d2d9a40034ec3b1b676fa60f41bcf2be39f370cb0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Expenditures

Filesize
53KB

MD5
f05a97668744222469ad406c6e6bb451

SHA1
c99082561996334210aa8ced0858ffbc572a15b9

SHA256
7e638bd5b43325cf06e823b46b24ff6900eb21887ff7eba19d8478b2099a032a

SHA512
3836db570ee4e69603a8795ec8748392fb1b3a5da64ad4304fd7ea98671ab70fcf9e7a928cc4c50aff32157576d4c03568816d390e1683c48f933bbee056b60f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Going

Filesize
44KB

MD5
011c56ba5d5ca60775be001bcfda7f24

SHA1
b28ce248f4b2ada7c85224660a17e9bd64ef53b6

SHA256
f6ad9a10f800b1238e3c608f7d703420c856c87375bf0bee5b4c58ceefbc23b9

SHA512
f263c079c8086c0e9e11062951f5227d79959153880710d0d972944497b0216ee4140d6c66c81173b47f778ef0eb05d6ffbfd6e9e2c8e89b1fb7938ffb38a374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ii

Filesize
20KB

MD5
ba0edf26af3f9764a3e42d95ec7bd415

SHA1
d9e3bcd6acf3441b50153140ec000e0ec6772aea

SHA256
40529a835627ed7ac4d6cd0d474cedbec19bb6e5e6c8abb93ade9122d2731a0f

SHA512
c5585aa6eb9bb64357b9e04e6895c59474f1e9679f54a6ca70ac0bfa6c4b09083068e223b353b52d419633e70f1556cbb993af37c76496d9b2d2f257c701bdf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Incomplete

Filesize
42KB

MD5
4d7afe4451f5c284f80731c27c3571ef

SHA1
e311a53444970618448f7906f099879e5d644efd

SHA256
d58c2b3f96a925872dbaff1ed64aa4f7304b96378c119fbbfadbd764e20182db

SHA512
f3edab8967848dfcc367aac9a51027fa638064726298503f50495b59f3f8ce9c4026cf78abcfc1e87c23136ba4357ec05cf3a475f094f324422b3406f4f26249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ink

Filesize
62KB

MD5
2748c48bf017ec2dbf73d2c49e9c9a71

SHA1
16f9e9bd7f47653605562daccd7524e5920a58a3

SHA256
ed5050fbe794268c6edbe49f8fb226acf859a2c68251c4cb7fc8db4b90ec791d

SHA512
c66c9350217284e5a0f8a574cfc910efd798f66315195d716b4ba086595c6c62f2f7b4d505f23af3c9ad615fe6edcaf687404bf81627a39ca356f8392f8a0cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Joan

Filesize
21KB

MD5
4984868380ca7c21e36e8fca2f25884b

SHA1
e125be079754e3edd8a51b6b9170e44b6977ebc1

SHA256
9c23e3be788b1f05d3084e7b6c805c970f2deb80577b15c2bbdf68a1fbc04994

SHA512
42464ad15453471401c3663ef4c89f17b6f58e540000f1d8cb94ca795eaa7d18b94ca70f995ecc999277fb6dc83e29837e8d95aa2c8605c425b95c08e4fc3117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Located

Filesize
10KB

MD5
454c16489a10fd4b91f088a2b9b88194

SHA1
c8074d4dcbd59f990a9f12483fa55ebccc9adc12

SHA256
8236b37f3e875ced66c35a19085eec2c8674621c389278ca75a1a0dd7d12ccde

SHA512
f0c969bfdd5c4cc46ec070997bf75b859d1ecf771a5c00691f471d0698456f7b69176068c87196c6bf24778c45e6cd84fe48b9f18332ecb8258237969ca51790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mrna

Filesize
17KB

MD5
103c60175a4f3793488460aeb32e0f2d

SHA1
4d6399a06449b5caf78ecd08cea8cf91f027f4ec

SHA256
596ba1d906161a86995c4cacea3f9c1be51ce40fa734609f01ad698fcd555902

SHA512
edd06e3ef00b6575051528ff5d0296149a6bb8bbdf85f5c0c5c013027892f850cd2d0e6c49fbf9debd66ce6e6773cbc0544c0f24ba40b3dbd9d93ab27d20b5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pam

Filesize
13KB

MD5
654f4d84ca4c697e2aaf43c6defc6ff5

SHA1
d1dca9f755924c9c8a8db241de570d1022b58aa0

SHA256
90bc9bcd85b5151791b71ce1806745d86c1e15933402ea4a2d171a65a1a12f9f

SHA512
93c0ec18fbd6565632ff4352bcf519cfbd05023b55eeea1535b391f022a46129d2664d3154bf7f79104918a9d1891effd41b702f3419cd648aa9908de5683b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Paso

Filesize
49KB

MD5
2de38fbaa0b1f120c96c130029c531c1

SHA1
e5256681a7374df29171ae5d7888718e1a19792b

SHA256
e71c48c8c75b9a6ef0b7d4875d1ab7acaa76855207a951956b8c167b9fc0cd71

SHA512
5a86ad2b6caae0872c996a9c768085306dbeeaf0dcd0f65054c86e4b092b1fef21130e9497342cc7dea84afc6a45d968142a852674d77ec7d846bbb23f23dc66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ph

Filesize
192KB

MD5
4e5b164559df8ef5fe5db36b6dd7c779

SHA1
d4b1732c0065449718f472536e5a95254932a160

SHA256
3123a61a0f949ba754dbe29686bfe82b2527e0f71efca042701eadc3fe0a8000

SHA512
a130144210b67331da42be56aad487c733ab97b917f2f969fd5da4127bf36324846bd109b8ccfe0cfe94a6c7856ee0a946a0503d260bbe69a538b46219198509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Proc

Filesize
13KB

MD5
3401516a7640eb223c1b2f7e618c451d

SHA1
f865b234e6c653130afb438bc7c5260cde3abf92

SHA256
9c279dfab8f0a455caa5e1272a37d523d54af33a1b8b8c661121c175e8815692

SHA512
94ecb28fde13608a2a0436c7335347d8c8627fcbdbc8c3cf480d7175c086b544ba068ed566fb9174ed78a318ae6ff4337a863c5a220158e5320d1e237ea1786b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Shoot

Filesize
146KB

MD5
7ac1a5294889816108ce801cee57300b

SHA1
e19198c86f820256797e0f20c13db6667117bc92

SHA256
e0c0e1e381d479170dd8de9ca40700163508ed1fb3f157d1e6107ae004e6c4fc

SHA512
aa3821143199cb066e0520aa2152bc474966f7924e2f3c6befeb68f4015fe1443159c4a831a6f59059356ceaa09c35eef990f1644be6ef78f38121f31cb2ebf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spirit

Filesize
19KB

MD5
e3da5f2550d27668b287d2d8781d72fe

SHA1
c492e85131f137f564eebfb92ff0d5208350ba39

SHA256
338c5edf0aeef9a14ffcaccfa0463ba901bc4b93e6764175df4f1c148cf87168

SHA512
ca550c7c69920203aa53096882fb408a4bd1af8438dcedb02f43bd32d125328e09f31677bd77bbdafee9fadb553fa0fd11e6d2c951482033a2e3b08d2b9b39ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sponsors

Filesize
66KB

MD5
33e77dd003343a54fb3f3c69cb2bd71c

SHA1
caba565823d9841ebdadc743741b03b9f098eec5

SHA256
e21533aaf685290de228ac13e8eeb0ed0195192e1c18108ad2dcf9f090b14404

SHA512
8ffcaf2432aae89f0e2f1eabe4f42b0cfe7f990914ddc988718d1a41ccdc9f5ab62f2138d32fe8054a70b63596525bbc3a109529d1963de64a9a7f67efb54d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Stayed

Filesize
35KB

MD5
326771f3c4cabaab267bba316782af10

SHA1
3402750abcc2f61054bf751bc7f5228ed3cb49f6

SHA256
ce774c5b786f3bcad31d8e9ac06a43747f59d5d9ddcd96db488beb16af3a10dd

SHA512
df7d2c48f39833db0da5e4c5bcf2ad3be4ec0e9f60a2b8c6a888a7f74eb8a6b3ad604fffedee2bc2288eabb59d073272fb5edd7733348db70e37163c138e086f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Surgeon

Filesize
34KB

MD5
4c19752b97ac888f688316e8c45070cf

SHA1
69e5161395539bbfa48067b03cd6f54a322267d9

SHA256
ce3f7644ce8f0cda4127ed1f094daec6cf03e955e2b2f08fce1e1fa8c499a323

SHA512
67833b956c745109c6f065f07ce29bdb703f72126e168def7cd3174dc916ba54da2a23a1f57ef6df494a9879bae2bf18c5842a958cb4a5253074cee5720d724e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Switched

Filesize
12KB

MD5
052bd98c12eb6881b0ef0e5809d1dac8

SHA1
5a678738efb5b39b6d6c2503a3da00ecfd3539ae

SHA256
12387059317cee313e858a6707c3abc0aad950d383621ec109acffa1a1e3c456

SHA512
86394e8351977784a8dc512aca1a0fd874903fd98c7b7418fac13a13ef4d9654141496211d9808bbd033a9340ed00da0c2b612318eff8425f63f561f0fb91321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tank

Filesize
155B

MD5
98d329abe01cf448863e8bc0bd01fddc

SHA1
72e41bbce5c1a58c7093fdceb16a4d4ceceedc14

SHA256
e37dd741efc2fe87d76ff42c501ab30ce887d19de47834e30d8e96bbb33637f5

SHA512
b4b9b3c37ba8dcbf331686e3b8fc8533a2c33e449729cb6b00d21575b9975f59bf3c1357bd3d405ebc40e9a180c21e52a5ed172db01365e639ba6d095905c2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Teaching

Filesize
10KB

MD5
c5e2683b5a8426fdc75ad224c4c3b432

SHA1
24e8fa9fff6afbef893ca612786526de4d3f7866

SHA256
42d15faa6a365a2d83698253fedbe72a13cbd5b7cf34234073e743a12d7ee276

SHA512
0e5a8bbfad9af2d7646ce1cef789baf1967ffdb70b0303d5507732ea1e1fd98658681d6cbf520bcd129109c032bb12996f5d11d71eb688020d36cb949ddc5642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Treat

Filesize
49KB

MD5
dd1de88457815a965b8a36ba3c410998

SHA1
80a8cbf4ceb65afbb5a61ea3b81cfe5e9dc90205

SHA256
2ee7d900fa7114a695f7fd92b917d05a3b693b492db0efdbe91e5872b6973f3d

SHA512
74e623fa395a48a9eb3708721de5921691b55db96a5ecab303e1b521e1186f36c9d2e57d4dcf880a697118473ccced90c55261792b050e52eb1c9ca1ed2d450f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Villa

Filesize
9KB

MD5
5a1f0e90d3492a8f85e7d01259d6f447

SHA1
2335a66f4ed45c642e00ec0ab4bf2833518498b5

SHA256
111312c36bbf7878d4079036dfcb872a6a30aba8c81192ed4832f352ce8232d6

SHA512
1d90a9e571e11467e05a63bdbc5c4cbd0fe17422e9c3518e0943054b68c2b0c23ae7505554a178a351f2b5d1d0983005cd4b16be2474c1526c7aa9039142b293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Warcraft

Filesize
19KB

MD5
bf4a4bfb3e732742fed6fad23a0c80bc

SHA1
fd1063b5166e6ca2e3ca878c05e017508ec951e0

SHA256
1a0a41581f11dadb5a0bc39c9be1fc544f3c178f46d503bc5d28a148764a8c6f

SHA512
edb30a9016d0471a02d4a460011f38391b969f268deaeb51e01f392edb0d9c2a3ba0938cfcf5207160c328476df5957a74d04a777a84115d4dc4e2f5bf8cc184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Williams

Filesize
43KB

MD5
d4e43ffff41889264559e1ea234696b3

SHA1
d0c2f318fc64715d5c7c7ed6612b0383bba202de

SHA256
b32991a917dbea6f4c1309dd51c596c6aff925a563df1627f7cf5feb7f234a64

SHA512
9a2d5aa2ca6fde40f0635d8b0a2d9e3a14ce3565dcec34192d6c690eda8139795185cf32581990b28ca9853415be1de9a8488f11b902e3ff7910e266ab89405f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Windsor

Filesize
47KB

MD5
c734f7c2828866b315e700633b23585a

SHA1
e130edbe1002a0ac5dc36b9dc378b3377c25f539

SHA256
a64a886e83d6e03b962790b6a1da7c5fa436b7c58ac7e10ae644c367f3363da5

SHA512
80481e4810e3107f2a3ff2a54b31cc6c1997a62cc1b6c92dc03c306a7b3a378f232fd57801762f76e5cfbf87e6ca35115b258aa700bbb2439a17877803ff7c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wrestling

Filesize
8KB

MD5
62d27ec504c7629add8a60e6bc4b5244

SHA1
846b1f08c7df6f336be4c83d2f33b5f6c9e1eaaf

SHA256
e008fea09e831e640bc1189b6298689f831d5138bac26cce62f58093b0635ce8

SHA512
9aaa383e03ed90760f4e3c2852f3647ebd3b90b7ad04c8026a3a99b61024cace657a9e24eac86c23b44e5617dba38b6e2f97a57879ac6cf71e13a23cec9974c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6224.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1B2F.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\335993\Rent.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
\Users\Admin\AppData\Local\Temp\eng.exe

Filesize
889KB

MD5
fb88fe2ec46424fce9747de57525a486

SHA1
19783a58cf0fccb5cc519ebf364c4f4c670d81ce

SHA256
cbd9e9333684de488c6fd947583149065d9d95b031d6be7a0440c2581a304971

SHA512
885d0ec96eb73c3213c9fe055620c70561ca1aecc5f9cb42cc8e1c26b86c383e92f506e8da4696c7ff7c4feafe09791ab900b2a983528b680224af347ef4b40c

Download Submit
memory/1712-239-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/1712-251-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/1712-2-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-1-0x0000000000880000-0x00000000008D2000-memory.dmp

Filesize
328KB

Download
memory/2944-327-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-326-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-328-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-329-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-325-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-437-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-456-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-477-0x0000000010000000-0x000000001025F000-memory.dmp

Filesize
2.4MB

Download
memory/2944-486-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-505-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-664-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download
memory/2944-683-0x0000000003560000-0x00000000037A6000-memory.dmp

Filesize
2.3MB

Download