stealc | 09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e

Analysis

max time kernel
133s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d51ffcf06dd50b2b76721970c389dde2.exe
Size

911KB
MD5

d51ffcf06dd50b2b76721970c389dde2
SHA1

2969c12eb142c1facd990f3db7050742f120d578
SHA256

09b478546bc4ae0d040069e275324a0a6b1d7b08b0ccd66ddf95d9e233c8618e
SHA512

d57755f4c8f6b88bb701f6e5d1ef2e4da4d7628773461e7a9829dddae6c627f931753a29a27639dd5c010d1bad8e3a745da435e9ab6b75d4a3f7f048d8c9c863
SSDEEP

24576:VfLwgdkd80aWoFinfbtihLBfcHL0kPO2yP9+RBQFiv:Bzkd1aWoghidBYvO

Score

10^/10

stealc vidar discovery execution spyware stealer

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

https://5.75.212.114

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1

Signatures

Detect Vidar Stealer 12 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2160-660-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-659-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-758-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-779-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-815-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-836-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-1014-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-1038-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-1039-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-1060-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-1061-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-1082-0x0000000003FB0000-0x00000000041F8000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Joe.pifEHIDAKECFI.exeAutoit3.exe

pid process

2160 Joe.pif
1020 EHIDAKECFI.exe
2824 Autoit3.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeJoe.pifEHIDAKECFI.exe

pid process

1744 cmd.exe
2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
1020 EHIDAKECFI.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
execution

T1059.010

Processes:

Autoit3.exe

pid process

2824 Autoit3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2160	Joe.pif
1020	EHIDAKECFI.exe
2824	Autoit3.exe

pid	process
1744	cmd.exe
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
1020	EHIDAKECFI.exe

pid	process
2824	Autoit3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exeJoe.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Joe.pif

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1760 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1964 tasklist.exe
1440 tasklist.exe

pid	process
1760	timeout.exe

pid	process
1964	tasklist.exe
1440	tasklist.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Joe.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Joe.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Joe.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Joe.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Joe.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Joe.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Joe.pif

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1684 PING.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Joe.pifAutoit3.exe

pid process

2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
2824 Autoit3.exe

pid	process
1684	PING.EXE

pid	process
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif
2824	Autoit3.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

tasklist.exetasklist.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	1440	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Joe.pif

pid process

2160 Joe.pif
2160 Joe.pif
2160 Joe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Joe.pif

pid process

2160 Joe.pif
2160 Joe.pif
2160 Joe.pif

pid	process
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif

pid	process
2160	Joe.pif
2160	Joe.pif
2160	Joe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d51ffcf06dd50b2b76721970c389dde2.execmd.exeJoe.pifcmd.exeEHIDAKECFI.exeAutoit3.execmd.exe

description	pid	process	target process
PID 2108 wrote to memory of 1744	2108	d51ffcf06dd50b2b76721970c389dde2.exe	cmd.exe
PID 2108 wrote to memory of 1744	2108	d51ffcf06dd50b2b76721970c389dde2.exe	cmd.exe
PID 2108 wrote to memory of 1744	2108	d51ffcf06dd50b2b76721970c389dde2.exe	cmd.exe
PID 2108 wrote to memory of 1744	2108	d51ffcf06dd50b2b76721970c389dde2.exe	cmd.exe
PID 1744 wrote to memory of 1964	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 1964	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 1964	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 1964	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 2228	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 2228	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 2228	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 2228	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1440	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 1440	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 1440	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 1440	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 1468	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1468	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1468	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1468	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 2988	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 2988	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 2988	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 2988	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 2752	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 2752	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 2752	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 2752	1744	cmd.exe	findstr.exe
PID 1744 wrote to memory of 1680	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 1680	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 1680	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 1680	1744	cmd.exe	cmd.exe
PID 1744 wrote to memory of 2160	1744	cmd.exe	Joe.pif
PID 1744 wrote to memory of 2160	1744	cmd.exe	Joe.pif
PID 1744 wrote to memory of 2160	1744	cmd.exe	Joe.pif
PID 1744 wrote to memory of 2160	1744	cmd.exe	Joe.pif
PID 1744 wrote to memory of 1684	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 1684	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 1684	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 1684	1744	cmd.exe	PING.EXE
PID 2160 wrote to memory of 1020	2160	Joe.pif	EHIDAKECFI.exe
PID 2160 wrote to memory of 1020	2160	Joe.pif	EHIDAKECFI.exe
PID 2160 wrote to memory of 1020	2160	Joe.pif	EHIDAKECFI.exe
PID 2160 wrote to memory of 1020	2160	Joe.pif	EHIDAKECFI.exe
PID 2160 wrote to memory of 1448	2160	Joe.pif	cmd.exe
PID 2160 wrote to memory of 1448	2160	Joe.pif	cmd.exe
PID 2160 wrote to memory of 1448	2160	Joe.pif	cmd.exe
PID 2160 wrote to memory of 1448	2160	Joe.pif	cmd.exe
PID 1448 wrote to memory of 1760	1448	cmd.exe	timeout.exe
PID 1448 wrote to memory of 1760	1448	cmd.exe	timeout.exe
PID 1448 wrote to memory of 1760	1448	cmd.exe	timeout.exe
PID 1448 wrote to memory of 1760	1448	cmd.exe	timeout.exe
PID 1020 wrote to memory of 2824	1020	EHIDAKECFI.exe	Autoit3.exe
PID 1020 wrote to memory of 2824	1020	EHIDAKECFI.exe	Autoit3.exe
PID 1020 wrote to memory of 2824	1020	EHIDAKECFI.exe	Autoit3.exe
PID 1020 wrote to memory of 2824	1020	EHIDAKECFI.exe	Autoit3.exe
PID 2824 wrote to memory of 2792	2824	Autoit3.exe	cmd.exe
PID 2824 wrote to memory of 2792	2824	Autoit3.exe	cmd.exe
PID 2824 wrote to memory of 2792	2824	Autoit3.exe	cmd.exe
PID 2824 wrote to memory of 2792	2824	Autoit3.exe	cmd.exe
PID 2792 wrote to memory of 1728	2792	cmd.exe	WMIC.exe
PID 2792 wrote to memory of 1728	2792	cmd.exe	WMIC.exe
PID 2792 wrote to memory of 1728	2792	cmd.exe	WMIC.exe
PID 2792 wrote to memory of 1728	2792	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\d51ffcf06dd50b2b76721970c389dde2.exe
"C:\Users\Admin\AppData\Local\Temp\d51ffcf06dd50b2b76721970c389dde2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Filme Filme.cmd & Filme.cmd & exit
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:2228

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c md 620735
3⤵
PID:2988

C:\Windows\SysWOW64\findstr.exe
findstr /V "EvenAttributeWatershedCumshot" Professor
3⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Ron + Treasure + Dept 620735\d
3⤵
PID:1680

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif
620735\Joe.pif 620735\d
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160

C:\ProgramData\EHIDAKECFI.exe
"C:\ProgramData\EHIDAKECFI.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020

\??\c:\st\Autoit3.exe
"c:\st\Autoit3.exe" c:\st\script.a3x
5⤵
- Executes dropped EXE
- Command and Scripting Interpreter: AutoIT
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824

\??\c:\windows\SysWOW64\cmd.exe
"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\cehddef\hakbeah
6⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get domain
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif" & rd /s /q "C:\ProgramData\FCBFBGDBKJKE" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
5⤵
- Delays execution with timeout.exe
PID:1760

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cehddef\hakbeah
Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
66b54dc8397149fcffd2de7e1cd1b8ff

SHA1
b21d6f3381858a89b9e746aabd4bc0500c17c354

SHA256
a8d4c5f9e1a415c45f898c2c531aac89fe0e5b791ac0bf3e840ab3f4c9bc0a54

SHA512
e8b207ec7dc891f1d9bffbf9ef253820aac64a0c99abc8fc263ccd98ecae83d4daf4a28e8924b490865cd7e560b98e9d6014b1e47a88f8a3326d1149820af01c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
79fb2fcd76b69788330cb179916c808d

SHA1
fa07e6cca689a5959c78ffc5828e5c24e653cea6

SHA256
aad4b5f6d039dbf2e8699d97c52acba14f2ba9be56640615772cca7fbc18fd1d

SHA512
cc68e7e033a21146a0561af0076a27bb52f8601468dd602dccd644effe62a8454503cb819d220be146d67f7889bf8f9ed1a2a542185a8f50dddcff6a0796e77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\d
Filesize
313KB

MD5
da5b07c131a945c8a60447e1639d45d1

SHA1
ebc88a1dc887e5d4dabf1cdc7618b7bd82ab749f

SHA256
c671e116d75250abcea020c026b346e19a3698331482ac7094441b4688ba4746

SHA512
310cedb1735cc901ebd378cc3325edbb7f5baf336e7a40cd02ea40a2d5624dda13b986fc00db3776adddad35e99faa58684f848d95dc708bb4eb0b6ea89fce02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Appearance
Filesize
51KB

MD5
78b150be4d0f1b2b2065e5b7e0b24c78

SHA1
f5a40bbb78de278a3275df00d705836c66b20398

SHA256
0e2c878fa125b22abc9eb8a68584560ec7102779928a05d3643ef09bd518f63b

SHA512
e58cfd473c63ccf3c271203aa46e553f93acb9c3a25f91d01c3a7240d6195bfb6365bf886b72a930676c7e13cca53e6acd3fe0ff98b57d43f9a7d3c50b9ba2ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Appliance
Filesize
36KB

MD5
f56673f815351ad31aa3f00c7245c059

SHA1
3f48e22be046d0f0021e99adca8bcf304c04a296

SHA256
76c57b6c3ab9498bd15594bad148dd34e9a2600da3223dd053a5921ef64e6783

SHA512
6dd5fadc55b004020d65e4d02f4386278a1f9d0130fca6547c93648a64679d33929c4b05c3b0f2e52eecc497a737cd8dd49f4fdd8879de3e76b6312ffe27da26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Barely
Filesize
13KB

MD5
a14c7999ff4fc32e3b7f76a62e29709c

SHA1
66e47e7dfed689d11f977175de1003b0a9014001

SHA256
7dc5dd261a1271d218148b42eee51eaa70b89e29fccfdece5cc33fcee1305e58

SHA512
22b16f41e1b4148ee38b9e519696414296a2ebf3ead9acb3d56b1fbbb590bbc45f09e221a9996b648516cbbb8b0d859d8b32d681acef1ce9a17f671b253711f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bros
Filesize
48KB

MD5
50d7b3138896b3dec2a052bab3d2a29a

SHA1
1d7dc8c41e83ebf35ee3e6eab35e7a0ee7e4d93d

SHA256
ff646b437a7bee76ff369e310881a238411c6774827ffcef71e1554f5b3e76a6

SHA512
7276fb5521655b86697aa46d1dc9a520ed38c4e335f8ba8b520e679137f85ac2981e33448426f01599af1cfe3abcf8ceec56f73124462c22748a1884c9706a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dept
Filesize
6KB

MD5
e40b3c6634aebdc9d64c834850739f1b

SHA1
2496be6acf6c11c242a7b7356ce62c3badfa4298

SHA256
a386251d028f047e347d80b8943070315b43030144d3092272e8e02b82f41ac9

SHA512
11c077c9ca80d6ebeb3bc07b0ffe8cc31a4999574d38380b9aac48ea483f9578f0fff6bd5645f36767e2b90584a31b17499b511c25c925dca73654fc67a5a9c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Detail
Filesize
24KB

MD5
aacce588e7ca3a293424ef3c45cda11f

SHA1
ac09508c18894d937df859676b5b65d8a0af712b

SHA256
54365bb8ad9817cdbbf95154157a67626eb99ea3c88b3f5b295d66bfab692078

SHA512
1e146feae37a9da8e167f285e5f1dfe4b43e51eb8e257b3fe025ca7aa0171c9c8f2a038428124b19574ae2eca95635153ff7ae0cb91c9dbc953fe97204f3c700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Directory
Filesize
24KB

MD5
0e71805320ce820e8a0fcf9ed10296a7

SHA1
877dc110151acd54bb89aa89a55e0c5292e3fef1

SHA256
fe66a53c1b920f5312d0d8f2f7d37e1614d6776111f4d12e7cabe9e23c39ab5a

SHA512
633b04cb46be64ba9089966aadb2cc4f2085d89cb86674c3beb3e930b07b6e05ea0680de0c837729363468066562dd525e01a91002b7e2dbe80201d9dc0d5c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Filme
Filesize
27KB

MD5
32b89cdd98765294a865d24d3ff416bf

SHA1
6b2d48789c1d3c383c9e76246046bbed55d226a3

SHA256
fb5fdc4d1276303ff4651a7177e9b1bbcbdff2438c50df99b946e87c568e84ab

SHA512
2a4af9e316711062c26e3455f5c1d45fb66683c13668067b6319c89440b4d8b59c40f4704a25b31c9c37f4223e69aeab1a2eca7783b40ab9feef6785edfb9fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Frequent
Filesize
9KB

MD5
344f8759460f7592df30385354132e8d

SHA1
222aed99d7a1064968a96c1ddbffe4d08678a9d1

SHA256
838c929d12e9d1a835cf4b188639d4316d9f40bf9201241d695cfc3e64242a24

SHA512
d58524540408b326177893d7f28a5b768f8a0187da5899c2f7ae84ff6ef19a680dcb572bbaa521aa7202dae84eccbd617681db8df93ea036717c50f995a9113a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fri
Filesize
69KB

MD5
2c3df2fa120a9510e81161e271b5b8bf

SHA1
be13265571f051ce0b4b7b6f0f53dfd279f6fbda

SHA256
267391ed6c73a010e7a26bafc6b285b2726b22b8f52a17d2d50551d6ca9c0b0d

SHA512
8d65d9287d64a97389cc2fd7ed955a52f953c05b9bcf15149f566de7e0075efe6f8203c5412a2cf51567ec798cd31cb68a5df778edd294d73770ed38da4571bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Future
Filesize
18KB

MD5
de457f7cb457e1f9d9cc08426f48d35c

SHA1
5ac37406be1d140096596b26acc95fcbcfbc6445

SHA256
34ceb19d2286d7d9d26bbab78044f71a629bc75a25bc097805d5bb07add510bf

SHA512
79581b6fd033ae0690689083136109eb4c15843f4b597a671ad9d56ad243f63c3beeb52e11119980c8b9bbef46c477af2dfd64b09b79792b42c43ff510a2ffc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Giant
Filesize
27KB

MD5
48e6960e7c881d6d5c41457b7d1abcce

SHA1
b0ae8dbcd5f165091c2b5b295b92d8d704064692

SHA256
4bc581cb17ffe5b5e148f36019ae5bac5c7f8f97e6db740e1f4b95294d6a10f1

SHA512
00202707218357e1e43c1fea798eb8555d954baec94312378f933fca3844b95ab705855ba336add935801f084f3b3b5ad6355bc046db567a942fde4255f61ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Interact
Filesize
19KB

MD5
996cf7bf0146d63c4d415655994c6a94

SHA1
189ebd4f58887dccc02ab5db46deec1c5dac8145

SHA256
37da2ddaee7dc02018e16ed50acc79aabe79c4a4562a561733a6f447e2033849

SHA512
5b9296a12cf461afd44a64d19db35cf9345df16394b2639a94294f705fac0896224d788ef077cca98634976b57824f915b933336dd234e691f084a4c2348b823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Interest
Filesize
37KB

MD5
3345f2cdd61b5e9af9902ee8558e04f9

SHA1
3aca625fbb299f9299a5e0790022e7627cbd9dad

SHA256
9735f972650ae5d350f79edc82be9c01edfc7477bc30484f2f65374760c865dd

SHA512
570f580f80bb2f2a306773c06afe2109236fd2839ba5d8307beb00fb2a1b14a53d2cc917c1f76a42df41adf9a57717312bff1f2006be2ec487926be5a78250c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Iraq
Filesize
38KB

MD5
bfaf2d299bdd465ffa3a5d42e46e025b

SHA1
ca781b9099eb11de7a672cc7dc0d5c48f14d3865

SHA256
8aea50ccfbe95fe490d9021f90e9a1af30e14093363d8cf7711f3ff3c9de694b

SHA512
2a3ab6c2fec3fb64256f4820b4cb606959bf22d33cfd0439128bc1f0d2db31499164ca73de5bf8248587147c8749b13801374acd38681aa53846841eb7ed523c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Periodic
Filesize
12KB

MD5
5baf13b9d96b426d60fe331154f4c915

SHA1
2e6b30d41da7d15953741d7da4a3c11b5abb9eb8

SHA256
13bd87051bf93fdf2ea085d3776a0f1981c9f45ed1fdfc6bae3487f0023f588a

SHA512
bf9923fa7ed914f65cc21fa0719736dc94bb64ebd7c351918cb898d9122a3b8362d309597c92c2220bef87e1cb29cd1b51e37c9086cce4bb74263630b82092ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Professor
Filesize
132B

MD5
9a3ceeeba34e0ce1353bb1e45603884a

SHA1
994c2352530052684dca2706ec8707e87e78c3fa

SHA256
0b78d958972123238bb1ee439aa4ac30b1bff93071daf362bc1e171ab22f9a13

SHA512
f291ee3ba3fedd739cb5ef863fb75a7659c12765b9baa3b2861b43c879e2f5424c68ad0b5e2a9bcfe526f45f5727ac8e50b0af3d842d9d27cdfe95bad94e94b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Public
Filesize
62KB

MD5
8a5d414718c02e5ce2506a8cadd86f87

SHA1
d48d0190fed7c5f09605e78d6819fce0c7c33c8d

SHA256
e880506f49a2868fe5aa8e8678ab36683dd2884b748452d0018e486d9825f274

SHA512
6efabefb7c6d674adb4f48e04ffc769f85fd1f69776ccd1dafd6e8d64238173581da02caaf9e42bf48b6f63d7c2b37583752e724aac52e79eff00fdedc4d9a41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Resumes
Filesize
59KB

MD5
c3c150db3cd73c20a412ebd3da0671a5

SHA1
8ff704187a9d072d3f52d4f8487024bee6085f32

SHA256
60a10e46b7192fbe909d09768298111b02a77ea32f10c4f98934a5a37a149f52

SHA512
ad972dbb1bb2a0dcacb6574a4e6936136d6bd97c8bee590849ff3be78a294536af563fc2be5899bf613e963db90934ec3ddec962a6f671f247c8dd5e23c8532c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ron
Filesize
142KB

MD5
6b2e81e49af868704424172e697ef28d

SHA1
907d657ef08e2c5bbe323a1a3c8661f48f080216

SHA256
2207d8c994bbd9734530a340cc7ebbb85fe907f5cfc3da49d3ef004f5b85f3af

SHA512
f5775348ea81815c79ece370a2534ee17261aa82a78aca301f2d7991c4ad52349038af6a0853ddd0eadcc9e6bd1a9cc60b725414395a7d801fdc720e5ca954cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sky
Filesize
23KB

MD5
fe8ed675ad3b1c287832b698ff88ce68

SHA1
0ffe5ac683c2acfb24c15fff721bd851c62c547e

SHA256
9e3c9261bad186dc4313dad5f7bf75bcba10fc5ef0210ca2af68cb2f4e1e06c7

SHA512
b599c7965aff9db03faf3791caa31d2e21afabc3e76cc54fbed898099232e9ddfdb99044b2ff45a89a3636146f20effad03839cd48c69a60ee04c86fb18da74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Struggle
Filesize
65KB

MD5
205b5f07cbccaf204c27a25316166170

SHA1
865dee186ef4b5ff63cc35e62bf5c487889ed52f

SHA256
89dfb375f6adbaeed627d94e290883eccbaa21e26045759a81a8bdf81bce12d2

SHA512
99f27e28701ea137bd4da11411d9e0d2f31599f07a0c5b84586e6ca78ecd632218ff1048619d948dc97f808d5576834fb99ddd0701a6750e6c36e8dbc8b1b2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Switches
Filesize
33KB

MD5
7386c0c41ac1bbf52dff08b41058154a

SHA1
e1bc5026757358fddef544b6a5ae940c9a5db152

SHA256
2bea5f056f09480542b7ae221801fc9d1a6872e3f032e2b7f8b8cdb91b978c28

SHA512
5f597b3ad0658a776eeddb6e057a6652023ad2729279f74d0da91d7845db47a61cf940ee6529f5d6bbd36550ce4ad26f11298a49b93f5bd9f23b009a65ccbb4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Treasure
Filesize
165KB

MD5
3b4b56b69acbe7d5be4688a301f8fb9b

SHA1
e742fe917aceb4e644e1ed527a52a90a5db13165

SHA256
edc1e95ea7f2c3bd473063eb675f51a223aa011c12ea250aea14f40ab118bce4

SHA512
98252fa254c4ddaf776aaa629d8e0907dd45fcfa0fb1031ed6e4d2e23658f9dc14867cebe5e6dc7392bfb41f9d1b71db484b2bbe3c151e706e55178a4e49455a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Triangle
Filesize
15KB

MD5
81d946f263006eb46f2cb8b8a2173d65

SHA1
6e77d3cefddf5ce5c63adc1c5bdbc345f582dcd8

SHA256
4e9c4c1b63c3a2f7095a7bdbaa60667a45001d5ec64d0c888813d2b65f35fba7

SHA512
1a291efc4780c55818d4656cfc243711a700aaeb4fa773734ea653bf57c8d6aa611d15c94f830d4fd4b7e24fa96b3810aa5ff14edeee86f00cecc92404012bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Truly
Filesize
33KB

MD5
e6b141ed920de3bdce0371b7e1cb0780

SHA1
88b447c8508edf6935840efe3a0be52b2860590c

SHA256
2bcadebab748765fba52f83a8f90d380213c70cb5335208debe8b6311465ce79

SHA512
5284c6529f064e0576e0fd01ec8b4f3e6fc60e0ba591d94129e4145e8379098d182837949a7ca7acc78706031efbd92731759a92f5f99ceb5a94a76383ef89da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Unix
Filesize
58KB

MD5
49a19fd12501352b42a9ba87c3a2230e

SHA1
23960e63c6bed0d7867480f51754adff56e31598

SHA256
f650622c690d896bba73ebce76b4d71e0103337734eb8bbf6e32e9fea184929c

SHA512
45f013e34f75dfb8042a957b0edce907696b6b3f0aa99960c6c5628b769a361653b77bcea63540ae38365cbcb00776d343bc0749bb0da25ac12a10608126c09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Very
Filesize
61KB

MD5
156d49c96e480544061f89a4cc92b9a0

SHA1
5f4036d3028a81eb8c1dbb4c64e616e5db9d7cde

SHA256
cff8c7cd73d289821ba6896070519f2c28bf5060caa64db55145b12630e8ee14

SHA512
799dc1419ed48be7d26861989cf6be85cce24905819f2c8b0725715aae627f931ba6e0af8322803f5e7f1845a5b0528e74048764884e776fd8ef08c4f88ccc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Welding
Filesize
22KB

MD5
96ca4691b9a93102277a1c395a21e048

SHA1
881ee9f726112dcac4a357fc7a5390215c60b076

SHA256
c7787314c7423b0e69d1165194935a617e3adaee2b12b82134008d26c09e0cd6

SHA512
ffd3d43119d00a82ef4f2ade3f2f5d66c5ae5abce3b9a58bfed09ff8a8687119b399b65c2c8ce79c754329a7e2e328471d64281c5732354f898751a4a9dae946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wellington
Filesize
59KB

MD5
c758d0d897a17ae1344789cbd6d2315d

SHA1
e59c8d272e020ec06793c02f7161dd6f3934cf18

SHA256
331d9c0aa037672726ef2e7e120e8bc15d0ec32293fd102733d7d23ac5dd4119

SHA512
705ea1d1124b62866fbf0cf414883b979e06fef5632381ed34c45a5158c8c2dbecbaf2f68be5ab0a4ede19df18990478279ac70e762cfa4bdc113fd33ae81832

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8492.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\??\c:\st\script.a3x
Filesize
549KB

MD5
0881a690ab76a93af7220a7cc376ac37

SHA1
b145db693476afe29417c3ea1a34f46e58389086

SHA256
660156ab9a187a7da50dab8a825ef4b4d4507ca3e0e65a390a9730803ca35835

SHA512
aee7987aa3fc96101ba391f8582e4720ae97018d8a3911559b577f6f5e0c38d320c9189070ea9ffaa822c9c7a8c5fdf7350b90173b7af6e7f451fb94290d4cbd

Download Submit
\ProgramData\EHIDAKECFI.exe
Filesize
3.8MB

MD5
b2d33941295f236bebee0d3c389a8549

SHA1
76bfc480242219d14cfbbb8dd7628c3c9bde7f7d

SHA256
cfa0a176bad0046bd498a5a7f5140ca92734b096c541a54acd1b002f228ec47c

SHA512
c7a8a877a93590876221c9bf0c21e04b78a8a8af415c1a70c776744702d3442aa9ffab2d480cc5d6f78a444d74ed3b6eac0407f6b571ddd02e63058d5386aae4

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\620735\Joe.pif
Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
\st\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2160-758-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-1060-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-815-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-836-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-1014-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-1038-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-1039-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-801-0x0000000010000000-0x000000001025F000-memory.dmp

Filesize
2.4MB

Download
memory/2160-1061-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-1082-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-779-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-659-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-660-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-658-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-657-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download
memory/2160-656-0x0000000003FB0000-0x00000000041F8000-memory.dmp

Filesize
2.3MB

Download