darktrack | f1149bb09ca48d83ed005113a7c99acee529cb782b5b9fa2d861333efd72cfc5

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ob-imuschestve-03-4096.PDF.exe
Size

1.5MB
MD5

30515ea717c237b124625707b66290ef
SHA1

d3901874b08f3e1d1832232a54ea5be1978f368c
SHA256

36220391efa0de0d81bee5b8d8813b6f2c89e81c78091387d05946e184b967c8
SHA512

f1c01760d41256ed7d110395de852bcf8af46ba267e8a4710e4d2fa9de8a9a2cfe900cefde620da59739d82cb9396646dec00b2558c265cda267862e7fd7250c
SSDEEP

24576:IPdEQwQPcumM/gV1TREX+pU4sScdzazM16z1tV4MIdNoWE7j2kLcwi6pXw5rqJUR:ILwdGgvTRxDcdzZ1ItV0dNoWenLcwiw8

Score

10^/10

darktrack rat stealer upx

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/64-647-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral2/memory/64-648-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral2/memory/64-649-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral2/memory/64-650-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

Temporary.pif

description	pid	process	target process
PID 4124 created 3528	4124	Temporary.pif	Explorer.EXE
PID 4124 created 3528	4124	Temporary.pif	Explorer.EXE
PID 4124 created 3528	4124	Temporary.pif	Explorer.EXE
PID 4124 created 3528	4124	Temporary.pif	Explorer.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ob-imuschestve-03-4096.PDF.exeputinpenis.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Ob-imuschestve-03-4096.PDF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	putinpenis.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KoalaLearn.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KoalaLearn.url	cmd.exe

Executes dropped EXE 4 IoCs

Processes:

putinpenis.exeTemporary.pifTemporary.pifTemporary.pif

pid process

1664 putinpenis.exe
4124 Temporary.pif
2528 Temporary.pif
64 Temporary.pif

pid	process
1664	putinpenis.exe
4124	Temporary.pif
2528	Temporary.pif
64	Temporary.pif

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/64-644-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/64-646-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/64-647-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/64-648-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/64-649-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/64-650-0x0000000000400000-0x00000000004A8000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

Temporary.pif

description pid process target process

PID 4124 set thread context of 64 4124 Temporary.pif Temporary.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4124 set thread context of 64	4124	Temporary.pif	Temporary.pif

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2012 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2192 tasklist.exe
3740 tasklist.exe

pid	process
2012	schtasks.exe

pid	process
2192	tasklist.exe
3740	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

Ob-imuschestve-03-4096.PDF.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings Ob-imuschestve-03-4096.PDF.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4024 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	Ob-imuschestve-03-4096.PDF.exe

pid	process
4024	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Temporary.pifAcroRd32.exe

pid	process
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Temporary.pif

pid process

64 Temporary.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 3740 tasklist.exe
Token: SeDebugPrivilege 2192 tasklist.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

AcroRd32.exeTemporary.pif

pid process

3680 AcroRd32.exe
4124 Temporary.pif
4124 Temporary.pif
4124 Temporary.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Temporary.pif

pid process

4124 Temporary.pif
4124 Temporary.pif
4124 Temporary.pif
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

3680 AcroRd32.exe
3680 AcroRd32.exe
3680 AcroRd32.exe
3680 AcroRd32.exe
3680 AcroRd32.exe

pid	process
64	Temporary.pif

description	pid	process
Token: SeDebugPrivilege	3740	tasklist.exe
Token: SeDebugPrivilege	2192	tasklist.exe

pid	process
3680	AcroRd32.exe
4124	Temporary.pif
4124	Temporary.pif
4124	Temporary.pif

pid	process
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ob-imuschestve-03-4096.PDF.exeputinpenis.execmd.exeAcroRd32.exeTemporary.pifcmd.exeRdrCEF.exe

description	pid	process	target process
PID 2528 wrote to memory of 3680	2528	Ob-imuschestve-03-4096.PDF.exe	AcroRd32.exe
PID 2528 wrote to memory of 3680	2528	Ob-imuschestve-03-4096.PDF.exe	AcroRd32.exe
PID 2528 wrote to memory of 3680	2528	Ob-imuschestve-03-4096.PDF.exe	AcroRd32.exe
PID 2528 wrote to memory of 1664	2528	Ob-imuschestve-03-4096.PDF.exe	putinpenis.exe
PID 2528 wrote to memory of 1664	2528	Ob-imuschestve-03-4096.PDF.exe	putinpenis.exe
PID 2528 wrote to memory of 1664	2528	Ob-imuschestve-03-4096.PDF.exe	putinpenis.exe
PID 1664 wrote to memory of 4300	1664	putinpenis.exe	cmd.exe
PID 1664 wrote to memory of 4300	1664	putinpenis.exe	cmd.exe
PID 1664 wrote to memory of 4300	1664	putinpenis.exe	cmd.exe
PID 4300 wrote to memory of 3740	4300	cmd.exe	tasklist.exe
PID 4300 wrote to memory of 3740	4300	cmd.exe	tasklist.exe
PID 4300 wrote to memory of 3740	4300	cmd.exe	tasklist.exe
PID 4300 wrote to memory of 2872	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 2872	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 2872	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 2192	4300	cmd.exe	tasklist.exe
PID 4300 wrote to memory of 2192	4300	cmd.exe	tasklist.exe
PID 4300 wrote to memory of 2192	4300	cmd.exe	tasklist.exe
PID 4300 wrote to memory of 1596	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 1596	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 1596	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 5108	4300	cmd.exe	cmd.exe
PID 4300 wrote to memory of 5108	4300	cmd.exe	cmd.exe
PID 4300 wrote to memory of 5108	4300	cmd.exe	cmd.exe
PID 4300 wrote to memory of 1572	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 1572	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 1572	4300	cmd.exe	findstr.exe
PID 4300 wrote to memory of 3340	4300	cmd.exe	cmd.exe
PID 4300 wrote to memory of 3340	4300	cmd.exe	cmd.exe
PID 4300 wrote to memory of 3340	4300	cmd.exe	cmd.exe
PID 4300 wrote to memory of 4124	4300	cmd.exe	Temporary.pif
PID 4300 wrote to memory of 4124	4300	cmd.exe	Temporary.pif
PID 4300 wrote to memory of 4124	4300	cmd.exe	Temporary.pif
PID 4300 wrote to memory of 4024	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4024	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4024	4300	cmd.exe	PING.EXE
PID 3680 wrote to memory of 3716	3680	AcroRd32.exe	RdrCEF.exe
PID 3680 wrote to memory of 3716	3680	AcroRd32.exe	RdrCEF.exe
PID 3680 wrote to memory of 3716	3680	AcroRd32.exe	RdrCEF.exe
PID 4124 wrote to memory of 2904	4124	Temporary.pif	cmd.exe
PID 4124 wrote to memory of 2904	4124	Temporary.pif	cmd.exe
PID 4124 wrote to memory of 2904	4124	Temporary.pif	cmd.exe
PID 4124 wrote to memory of 212	4124	Temporary.pif	cmd.exe
PID 4124 wrote to memory of 212	4124	Temporary.pif	cmd.exe
PID 4124 wrote to memory of 212	4124	Temporary.pif	cmd.exe
PID 2904 wrote to memory of 2012	2904	cmd.exe	schtasks.exe
PID 2904 wrote to memory of 2012	2904	cmd.exe	schtasks.exe
PID 2904 wrote to memory of 2012	2904	cmd.exe	schtasks.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe
PID 3716 wrote to memory of 1116	3716	RdrCEF.exe	RdrCEF.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\Ob-imuschestve-03-4096.PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Ob-imuschestve-03-4096.PDF.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ob-imuschestve-03-4096.PDF"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=87B29C230A362AA89FFA1B17C0E05819 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1116
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5BC3A8E8ADC2D6F25377A9E3B038980A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5BC3A8E8ADC2D6F25377A9E3B038980A --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:2400
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=75E5B7796778F2173D96DEC0B1AA4E90 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2796
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=005FF3E150225D37068C897C2956E5C6 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3244
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7FFB5805E2168A9A27CDC84CAFC66A28 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2528
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2195AB5FF9DA31D0992E74D61197BE78 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2195AB5FF9DA31D0992E74D61197BE78 --renderer-client-id=7 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4500
- - C:\Users\Admin\AppData\Local\Temp\putinpenis.exe
    C:\Users\Admin\AppData\Local\Temp\putinpenis.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy Demo Demo.cmd & Demo.cmd & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 570484
        5⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "CodesPalaceHighlightedMusicians" Trustee
        5⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Already + Concentrations + Breach + Poker + Least + German + Exterior + Hospital 570484\d
        5⤵
        
        PID:3340
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\570484\Temporary.pif
        
        570484\Temporary.pif 570484\d
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4124
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Pants" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduVirtu Dynamics\KoalaLearn.js'" /sc minute /mo 5 /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Pants" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EduVirtu Dynamics\KoalaLearn.js'" /sc minute /mo 5 /F
    3⤵
    - Creates scheduled task(s)
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KoalaLearn.url" & echo URL="C:\Users\Admin\AppData\Local\EduVirtu Dynamics\KoalaLearn.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KoalaLearn.url" & exit
  2⤵
  - Drops startup file
  PID:212
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\570484\Temporary.pif
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\570484\Temporary.pif
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\570484\Temporary.pif
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\570484\Temporary.pif
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:64

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
23f0c2219ca7a338d8fd377b08480c78

SHA1
dfa4e8b6b59eadaa0f502f98964c24ee6508c000

SHA256
f8fa203aea04aae7c42712ba4adb0cc631e168e32207c0b730b509933d45837b

SHA512
0933f6eea63be12d28859a9bee531a0928b1b6cc0ffea33f9dc31fae486fa3dfe0a81fbb0c81323292abac30dbf7831390654d1e9c32ae539d1273ec47ceda71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\570484\Temporary.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\570484\d

Filesize
752KB

MD5
fd85be4abc3112cf46fbc6485d3547c3

SHA1
58d49a28f05d24b04faff2e1ab5b619db143d59b

SHA256
ec5ac73d60d7ffe3e5f60966168fa5b5ed67bc6a471fa0c1b0318771aa9eef71

SHA512
cab07d9612b756bc1d78c83e514d4904f2c01e3988298fbec81c5cc863807ee4c84b46be4fbc5a9437a6beae3f4a3eee20e0e47f1f7526f9cb01866dbf2bf0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Advisor

Filesize
46KB

MD5
3d8f3cda37221002c3c9e763abe8dce0

SHA1
4c546839c5b93207a310686b05dffc4c432cb2c2

SHA256
44723459237af62105d089b14312c8cd89a30b444cb7493660e59f5c2d1ea6fa

SHA512
9e73bde44b770a7ac7a81b6ddf8b9d639bc75b96522f729779c51311cc1573cb3f37ac018b4e99fd55929e47e369ea3cc5b80f89afd463f05da65f37594959a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Already

Filesize
96KB

MD5
2d926f5e0fce8955984591d070c31400

SHA1
522fb33356fb293df759b6808d4292187eb5f257

SHA256
48e6d5ff6604a7f76212a0dc2c56835904194a61fafe73b07d7947edba671da5

SHA512
7e8a5284993b86f1bf1e329d5dacea36f465ed643af7759685a691ee3c448aab3a9eed77a29b5ebe5a3db0050eb0bef70bd9303013df4aaa06b5cc2baa36a6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Amongst

Filesize
43KB

MD5
732961d18e0a298bbb991d10a6997bb0

SHA1
ac8032d49e3dd7e8c2bf5fb2ae06be99c7f57e3d

SHA256
8c31b9d6921751040b2b70c5dcd0a79d0cc7774527aaadf0f5d126c807dd660d

SHA512
fccbc9c5fa010f14fa27a3d22a4f52f8c708a481c937116a3471b9f7d2ed4df6b479346228642c40151fd0741cec1835e68e2d1e9541282447aed740ceea585f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bloom

Filesize
28KB

MD5
d5cc70f6004203d99466022aebc5c1e0

SHA1
e48b16be260bfeca79597b1435caa200771ed901

SHA256
5322417123644aa96daba49f8eaf2f8e92d61adde693302118c4fc9bf3eb59ac

SHA512
6338ade58733a2c941dbc2d5103f7a663f61c5a3c23065ca0fc3d6eb5dcbd05356db7172cbbbaaa124a7ad5b418df2edc23bfa96be03e342213e381dfb4a16cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Breach

Filesize
38KB

MD5
0d1889e104043904a0de47ee438e83c5

SHA1
7e24d348e3fe4e4db8bb45c9a1af538512186b07

SHA256
32dab62540f86c63c73ead0b05f6422b9fc671144acfc06f4c7ce4899f9db9d2

SHA512
8c0163421921e30025b46fb3fcc27f64bbe24cf1948f9affe59e31eab8d7e31be13aaa9b67afbdd4a970613c1c395f0591260b079c9398688531685a44b5d72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Calendars

Filesize
52KB

MD5
096ef8249852e286e21047a3957e87fc

SHA1
606e38635dbab0ac628cfc941704aa7780ab962b

SHA256
6fb449a71d4d15a998143863a4829eab4b225083bb5fde31d5896f6461e3bf84

SHA512
151e272792d4c4b700d0dde87981890ec9c0dca75833e521ff8ad26e587b156482633f4887d6c02215a0dde954bbdbd699e6171d3d02db27c86af40aabdbdf98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Celebrity

Filesize
14KB

MD5
410b8a1ea9d5344066e134e347afbfa3

SHA1
8761d11868163568595d9acfcb403929b970e67e

SHA256
12efe79db9ea6f0ad1eec44a6271d1ad0c736c74080443bb3229c90d4fcc5994

SHA512
2b1e0a41b89ba8ded35ca8bdf69ad566870cf33e9539aeec1680c9960e7354b42265d322d3ca9349d8a147cdd6acf082ccbc2d3ba1a4cf488f72c5bc6498fde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Concentrations

Filesize
77KB

MD5
9ac8597e0cfe3967778970a9b2f5ba37

SHA1
cf840e8f8cd813303b8ea1327ebb61eb246b3562

SHA256
edf538516e40168f4506e2e2f2c7783740ae0910df51d5f2e080695b68e4adfb

SHA512
20517c0cfb867664a7052940fd41e5216a0d03655fe178b2f044c5b6315b56e23652ef9caa1766783f548f47a4260c7e28998198f26a9d52c7fdf50aa106c17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consolidation

Filesize
25KB

MD5
cea22f32cd8a67d07a9f5b489195d27d

SHA1
f7d0782e262362694b32c82d1fdd57fe3aa16bb4

SHA256
0952018ad90d3ee178395526fe5b7ed5e62550910bde4530cc22d507f3366009

SHA512
8de484a51836bc3fd0587effbfb048b2b3dec568b77b95b759c5f89d10b68eed9f165bf9959f31ee85f521c7b5e59742e39a6fb808a0b53742de37087f3b5f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cv

Filesize
26KB

MD5
9c219ea668d567a0f16a6201a41faaa8

SHA1
67e382aa79c376be6de53c9d6a7e720bb3f60df7

SHA256
23fa939c71e995f28915377d302fc72f73d0de18cbb16c25cd24c8fa000a7ef8

SHA512
0f5a0ec47527289d893b00b5b1a74af13addb98c35bd55020ef6e9820904a97c4e42e0ebff884bd1aed241d20a7a0288e3ebfb6b4db8a311120ff86ee53e2050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Demo

Filesize
20KB

MD5
d85cdf49bfe424e5d0c64bc602496398

SHA1
a73e14f1fc50e5732695b619880b0e4dfbf97e72

SHA256
413207795174f1460192657fe366087d4bdcb894e4e81cabadddf5deafea0cc7

SHA512
6475403af4f89b14d58ea21fef06e2a806237a55b50b89071ab7850b344ff42940e91eed81327310db719f658c670dc8944c821c43ff0d02b9f8178856f5aed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dimensional

Filesize
26KB

MD5
4fda00cf788cdaa62aa2130ee8a6286b

SHA1
648a9c019116ebfd33f6f3c57a3e50c75bcdee24

SHA256
bb8e288b1ea88a4c62e31dc2beb7b3df88de30da9c3dc384fbfdf8a8b10f733b

SHA512
137af5a4dac377559fee3dfb0a54f691e5f7cfd04a3439caf8f2a186c0f344014a35abf8c67a7950c36d7da87ad1cc5ea52968093072574b36249d9627e66f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Divorce

Filesize
32KB

MD5
371f495a29f18e07fcb7022e27166a06

SHA1
f1cfee97cd2a86df108c4dd17cc6f10e605a2517

SHA256
4b19932204a35310c26a00257995b18fc52daf477081c242e1989a4d36cbdb7d

SHA512
cd66d32c54f1e989cd7cc9b7a060eddb6b1d74e82d21889a9945167761c8c8156c8345b6355143a7c630b008cd057e2d172b130ef66dfabd3bde2eaf321bd25c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Editions

Filesize
29KB

MD5
7f1adac363c8fcbe06fe18d8974b7c76

SHA1
b32a0913ac757bd6e3d18ece60fb2884ba5abd4d

SHA256
83ae29a290ac9fe94f873ecd85cedfe3b9067dbd65ce0bc99136a9e30bab7ec3

SHA512
7c02e35b0d5677402e423108ee93c337dee60ae53504299bd1b82b94bdee95a23f645afb8d9bed38959c1c30705e00abec99682ba0f17fe055b7f71befdb856c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\En

Filesize
57KB

MD5
5e2c3da94ca585967428d7973b3aaccb

SHA1
355329b96e589d0e2e877b9b16952b6527be65c7

SHA256
67338a1ce1a04a379fa43f40ed495d1bd6595a264ccf80c796c6b66a81eb8582

SHA512
d79c1d8aecc6ee8ce1a54e9676e76cc8ecab0e58221fa68891c7c6879c8a2a2e9575796ea2a4bb311deae825a3b3a2503b62db269e07f4562a9173769d5973d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Exterior

Filesize
45KB

MD5
822870ede799ecc66db5c984925b35da

SHA1
32123444471ccabc2f48ca76a07cdb579bb68bbf

SHA256
037b46e694c26a2d812f11c2f397a1248de4116647ceb52713f6ef91d1e84274

SHA512
50a6675f526f2ba9c46202435e26c8163fec91082fed98938f3cfe16f11a1442aa9ce0dc36342036142a4162fb6353a25a5c000aff34f45adf62daa20f1f0392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Franklin

Filesize
56KB

MD5
c74f55fcc74a8a1219e401d1b0b763b7

SHA1
c1474c29cc388ab06c11ce7d9602bdf6a905b21d

SHA256
b8f46613060e9572fb3f1454952f28a4fdedaeb0c8990184ea7d8531d2d46e93

SHA512
aa2c57065a3af776aa32fd3b20cc78431d708e57eb3a712e23c92c6343da2140e42a68049d6755ca19dc2d3e7ec23d7cfbc8faf83b4b1aaa8bc998a9c36ec5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\German

Filesize
149KB

MD5
1aeaeae242e099afc35468904c54ae39

SHA1
6c7abf789e1c6e1d9c089656f338bc728009dce2

SHA256
8363b1dc41ce279f36f4f0c5d06bee5d0da21d0f9db72a788fa50cc048007901

SHA512
38a723dd7cdc960a6fa78bbddf849b799cd05cf51bb34992a98ec6abb9b80166aab4ae1ae09e8fefa728e26a3fa9ecf5585b4154ba5df9e9a9c48786951e3bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hospital

Filesize
28KB

MD5
e20316f01be8119616ccc5e32421ff8e

SHA1
57ed34cc1329a31b35bb7f3ff83ad2666a9a2086

SHA256
e38966dc4e7a11b57ea518533fb704ea2085ccbd7f1d8f065bf6998f8cd3ba76

SHA512
7e536706729ca029aaedc84f6aae0da0119696dc20e531cf6874ef781d1f0e0cc2e48ae98568003e787cf4f57ce4a5ba44b4d3eb3b996f62c8a7041ffc286eb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\International

Filesize
37KB

MD5
837a42ec9abcd9e43c5a45254b2ca635

SHA1
c7bed2a7666ad442fc653c4c48ffbcf2532dba66

SHA256
76fb4dd9f51bf38486d9d081d35b994b9009a1704dcc646907495bd0161b070e

SHA512
61cc0b1b99155918bdad0246939c7bf9d8d4b2e449ff5e49b480b6cd0fc0e7411156e8604e43b97b7ae13917be5b64cde89db353a59a97c7fee343e69d43fa27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Introduced

Filesize
60KB

MD5
65ca5fc43b15ac320eec9d30bac04938

SHA1
1252ae50cf7276bde71f286f5e364c00650b1fd5

SHA256
2a76e06eb50e69fe49b95867a3e4b2fb75e0b531ad8945572aca0907c55d3f79

SHA512
27ba096f12f6b2bd7a3d54a2df36a525a223222a6b98b5760837cdf441316365f20b84f237d737f374e99f216fcad49e6f8a84a79eb65b110f47d00802a139b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jp

Filesize
40KB

MD5
f63aa8162c44b12e46e0ca59da23b3c8

SHA1
4c52628ac325a89f214553189804ce4aea465d56

SHA256
1670f50e3bc3e56685854aa85e9b08920f34ee54bd26706e5727d1db9877928c

SHA512
dbb31a626d2f1c0bcbe874ae4ae8971efa1cbe163c6b94ddfdd36ab77569d0a20919263808686a4d8a84937add8ebdd7cb288c0857abb778d60bd5ab74116d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Keys

Filesize
40KB

MD5
f1876663b6386ed608a86958549622f8

SHA1
f973f805b0ab89f08cc8f2904469dfb8d447e500

SHA256
f97cfa9f38b6b548a95c0acc9f8f6371a7b7f1783adc85213202e4365a6008c1

SHA512
7555d6fcc0c65ccac5de0f045903b8e1163bf284f387d7d14e0975e4023d072a8633229c071e264489e1df648f95255fc9a57b9dcecf453b0b5eb6955da98824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Least

Filesize
131KB

MD5
29cbce06269068c58edd0f655ee203d8

SHA1
ed82700569d13932deb9957a5d8004974b9c04f7

SHA256
726c425e36aa47ebce82ec744599d15306296530cc7a447ac3e0c7316a028ec4

SHA512
3c808e7e7d0f3dbc30a556b98920c5c5e86d85995ad180898f89b26e79d4d8a83e44572ffb85bcc008561f03a3feb01675e4109fd61637cecbc8f5d836a8b367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Permit

Filesize
29KB

MD5
50eb6e33d3ef46e82d66b03f60b078ff

SHA1
400154fe74bbfe974a266f6af39e8ea68e2b09f2

SHA256
8891ed6770dad0df5130bb13b1e9d6b9c6152b4207a81cd87d16b041264bc608

SHA512
c7fcfc3625d6ca2be2f00027afe4984fa87e5dbeeb23efd55a1d05201481e8043305384dc855c7281e95dd785cbde4ac442105a56eac9e4291e69140a8436cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Poker

Filesize
188KB

MD5
4da3c32c5d5c427da9f995957346be4d

SHA1
6c78882cf1f1327f96a78bf72ca18b5768ee1e81

SHA256
9501e1aa20c416357bd7acc5d0619db795116793a59c117b3d9431253e1c5e92

SHA512
25158989a94b98525ef99779d8a94123d1f48c74be6974f36addf72e79112d48527b2fb570923debdb3fe541e40d3874e3fa1f6b752dbb6021f779100ea88028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ralph

Filesize
56KB

MD5
ba453f3cd3c827410212d2c1ee6b02ee

SHA1
8a087e7495f670c782cfa80d430ec13791454659

SHA256
fd9e38c7bfece3145b70f66714d559cb0b1d8191041579df7f80b44f9ee7ef13

SHA512
77c950f03e083a1cdee2b7d40175a76d74b7417aff03d86902d88ee2fb1a51e4f46af7c1d4e22acbfcedf4b825e39f92004ee3e4e4d25e3a1724927a184398ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Revealed

Filesize
32KB

MD5
ee6da09953ada3eb441d3265d3a41186

SHA1
a43d9a9576e86547d623443790c8bade17394e3f

SHA256
75db2e6da030f1d66f033e4bc9b890b8960280b651e7515246eafd4d0520150d

SHA512
43def9901549c2fd5afcaeadcce4c54adc5bd7dcb77ab974b28acd1a488adcd55d9b39bb0ddbc2a575554ef3b0c5dd23cb6fabe874f51516724d5e7f211e4b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Slovakia

Filesize
6KB

MD5
a70ae24bc4e374b5d4df1abcd68f400d

SHA1
36f424a8a8704e089863f28484a8f07299a597d3

SHA256
dd1c8fd9c7d82201ff1e03ba30fbca93dd198eabff061111f1a8e5964cf18337

SHA512
4af10489ece7232918fa5604f3aab6bbcdd05a7f2a2b4c8beb558bddec91e5e7ab6d810491d22a0f22a6cb37d28975ffc843d3a5cd2d53ee8497f77a5363311e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Snow

Filesize
8KB

MD5
dbc614c5ac6fd2a7acd290c360793bad

SHA1
9f4d3f62ea3d8e2c0f50faa0ea7ab7a14f9f2c15

SHA256
f65151d900657acd8650114c38acc1a13b2d791b80af20e8cefe3e77104a2359

SHA512
951f0b5c4976783f2260d199133ce31fb9b105528aa6f7e96abf247579cbb9729d0d2a6b50fcca658447d5f235ed25300e75d3fc61eee6706f923a3313eb19ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stock

Filesize
11KB

MD5
490228121144027226a8be776cbbf248

SHA1
f4b6d9a3c086ee5d794ddaca2f832a6621494279

SHA256
3d1494c7f5761583ecdf431b1e3607a1fa0563c7574f825f57edc0acf4813912

SHA512
30fdff7a2eedbb375aa6a8e139604a5751e1b6fd3b6d7cfc7cba2ac0e4cc84688a5cdd30e8493c402a3be9e56a10bd8b1cdbf9e3c3641cd64fb67f6e46eb5e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sublimedirectory

Filesize
57KB

MD5
79b954fc0c56f806407157b5e6d634dd

SHA1
74dbc2ed1ccde3f71b0eb72f503ce5e809c2cfcd

SHA256
2688c0c8b4a824e7d6dbb422d3ff73f9951b3ab8e30b4a72b5bbbc6a6311d7c8

SHA512
ab9f88ae12f7eb3393a75cacb7ed5f11b7efe8cf56c43cfe9fac30724f411954f5c5d67e2a645d6329903dfa11d7adc8d92f0ab9f867dcdc3ebe853008d624a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tap

Filesize
36KB

MD5
15da8133df15b5be25265fcfba6cb25e

SHA1
63ab24f614db278714ccddc030e4e7a7001af7ef

SHA256
1f361685b4e73f8895b314902a7d4f3732dcc1e4f307e238a5a74393a9c766ca

SHA512
38ca89d2e85afb6c6e79d872d046a02679d4d9494b79725f8ef6ab8ecfaec74c07c79b7283ab5fcc6060c4bd5ca8da07eef7f0d564bb31cfa49af282aac221a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Trustee

Filesize
102B

MD5
970f9aaa00d33cd4ca31911898072362

SHA1
a6647af0469dab1fc97a34f68caa20ee68a777d4

SHA256
3d670922f8b127815863c7818e8c2d66f3d12eef732715a3093fc4cecc6f8c53

SHA512
5f9bec28f7c3344602afcfe03f6a83fc5431975e77ec95b37b0f31c02d3146f165beca8bcb430f9084d3ea40a6fc634adf4c39a51cc4b3b69cfaf568e8afaae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Urge

Filesize
33KB

MD5
1eef7074596ffbde6e7f27dca376e7dd

SHA1
35ea0eef5baecc996325d9882c1929cf0c311c2e

SHA256
d108c983dce1f184734b190374f7a956a306bfd23cb010fc09fbf34a255fbd7f

SHA512
2e1eb513fc02322e04fbbc1297b6d98afd06f419408eddf88b67057b6e2a920c093952b2d75f009217eb7921a334d485af9f47fae4eac2341e9b3a973bca4c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wonder

Filesize
36KB

MD5
471a8d3cd74d64ac1f8cf89736bc2c8f

SHA1
6875947e4b8692bd4d1c71aa613bbf037aa01d86

SHA256
dd60b6c793d6c09652f557af038b36ae1c2cefc00dc036c4b4bc4b316d0577ea

SHA512
24c84ecb39e8d81ee1e13cc435b1d9ab146772d12eb05c2adce69a210a0330a333d0cff51b8733ebe16c6c723b50a3094e43d7480ce3da686c28370ffe95129b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ob-imuschestve-03-4096.pdf

Filesize
101KB

MD5
3d2b307dd04a2cf0a4b49e2fee1db17a

SHA1
8063e0902d60b37ae37d580a1027360466794ef0

SHA256
01dd6941f22aa1cc7125eadc6179f920cb1661674a52369f0bb4c2fac2884054

SHA512
f95756a2b7979251afb0f49aa7bc9b6a6200430082f4d916da2c515ad9134459404ea3c69a7adcd12051928e9e0bdb13e88b60c5aecdde51b9ec35f7c858f6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\putinpenis.exe

Filesize
1.3MB

MD5
f207f15a7dc33fff2fc00662acce13f9

SHA1
72322200bb1a8df47a79588bd380d9cd101fe77d

SHA256
4ac7e33850576a39f771a5e3f9202af814ab087d9f74bd2e6742a27c06f3b397

SHA512
e59b3b733131c80aac55bcc3c8d86995a2fc9cabd501b90bbdb8efbfc7106ff1c380e010d947c19f2b21e8c457a29405e167c21dcbb5e841bc26f26ba54e5b28

Download Submit
memory/64-643-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/64-644-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/64-646-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/64-647-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/64-648-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/64-649-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/64-650-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3680-654-0x000000000BDD0000-0x000000000C07B000-memory.dmp

Filesize
2.7MB

Download