7d5a8384660b5dfbc3511ae32fbd44e18d59962088208e68820be3f2668a8547

Analysis

max time kernel
35s
max time network
53s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File.exe
Size

760.0MB
MD5

22393a03928e311b2f200404636357c3
SHA1

1c588f2acf973303c19011093a03095cd234df1c
SHA256

f0b73251977c6ae98bc37a3c342327dcd45155e02198a5548d1a71c811d3dc9f
SHA512

1ff30e07a78fd34a4d043df5291bdbd53ee3ba86df3060cf57db29bd662f487bfb8d17e44a37a0a0e81f19ab8d1a5b094cd1f77916b48e7f3764627590d2c5e8
SSDEEP

49152:VHc+ANhKDW6GzT0FFg3prZKZiUq5eKK5ZqD45FHzoZswW:VHc+ADKDW6Gz42rpUxRJzM1W

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

Casinos.pif

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Casinos.pif

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Casinos.pif

description pid process target process

PID 2680 created 1228 2680 Casinos.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Casinos.pifCasinos.pif

pid process

2680 Casinos.pif
2872 Casinos.pif
Loads dropped DLL 2 IoCs

Processes:

cmd.exeCasinos.pif

pid process

2744 cmd.exe
2680 Casinos.pif
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ipinfo.io
12 ipinfo.io
5 api.myip.com
6 api.myip.com

description	pid	process	target process
PID 2680 created 1228	2680	Casinos.pif	Explorer.EXE

pid	process
2680	Casinos.pif
2872	Casinos.pif

pid	process
2744	cmd.exe
2680	Casinos.pif

flow	ioc
11	ipinfo.io
12	ipinfo.io
5	api.myip.com
6	api.myip.com

Drops file in System32 directory 4 IoCs

Processes:

Casinos.pif

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Casinos.pif
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Casinos.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Casinos.pif
File opened for modification	C:\Windows\System32\GroupPolicy	Casinos.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2724 tasklist.exe
2612 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Casinos.pif

description pid process target process

PID 2680 set thread context of 2872 2680 Casinos.pif Casinos.pif

pid	process
2724	tasklist.exe
2612	tasklist.exe

description	pid	process	target process
PID 2680 set thread context of 2872	2680	Casinos.pif	Casinos.pif

Drops file in Windows directory 5 IoCs

Processes:

File.exe

description	ioc	process
File opened for modification	C:\Windows\JarRefined	File.exe
File opened for modification	C:\Windows\SurfIndependently	File.exe
File opened for modification	C:\Windows\PharmaceuticalPortrait	File.exe
File opened for modification	C:\Windows\ReviewedClicks	File.exe
File opened for modification	C:\Windows\SellerHungry	File.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

File.execmd.exefindstr.exetasklist.execmd.exefindstr.execmd.exechoice.exefindstr.exetasklist.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Casinos.pif

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Casinos.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Casinos.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Casinos.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Casinos.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Casinos.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Casinos.pif

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Casinos.pif

pid process

2680 Casinos.pif
2680 Casinos.pif
2680 Casinos.pif
2680 Casinos.pif
2680 Casinos.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2724 tasklist.exe
Token: SeDebugPrivilege 2612 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Casinos.pif

pid process

2680 Casinos.pif
2680 Casinos.pif
2680 Casinos.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Casinos.pif

pid process

2680 Casinos.pif
2680 Casinos.pif
2680 Casinos.pif

pid	process
2680	Casinos.pif
2680	Casinos.pif
2680	Casinos.pif
2680	Casinos.pif
2680	Casinos.pif

description	pid	process
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	2612	tasklist.exe

pid	process
2680	Casinos.pif
2680	Casinos.pif
2680	Casinos.pif

pid	process
2680	Casinos.pif
2680	Casinos.pif
2680	Casinos.pif

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

File.execmd.exeCasinos.pif

description	pid	process	target process
PID 2084 wrote to memory of 2744	2084	File.exe	cmd.exe
PID 2084 wrote to memory of 2744	2084	File.exe	cmd.exe
PID 2084 wrote to memory of 2744	2084	File.exe	cmd.exe
PID 2084 wrote to memory of 2744	2084	File.exe	cmd.exe
PID 2744 wrote to memory of 2724	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2724	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2724	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2724	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2192	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2192	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2192	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2192	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2612	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2612	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2612	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2612	2744	cmd.exe	tasklist.exe
PID 2744 wrote to memory of 2056	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2056	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2056	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2056	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 2644	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 2144	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2144	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2144	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 2144	2744	cmd.exe	findstr.exe
PID 2744 wrote to memory of 580	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 580	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 580	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 580	2744	cmd.exe	cmd.exe
PID 2744 wrote to memory of 2680	2744	cmd.exe	Casinos.pif
PID 2744 wrote to memory of 2680	2744	cmd.exe	Casinos.pif
PID 2744 wrote to memory of 2680	2744	cmd.exe	Casinos.pif
PID 2744 wrote to memory of 2680	2744	cmd.exe	Casinos.pif
PID 2744 wrote to memory of 2496	2744	cmd.exe	choice.exe
PID 2744 wrote to memory of 2496	2744	cmd.exe	choice.exe
PID 2744 wrote to memory of 2496	2744	cmd.exe	choice.exe
PID 2744 wrote to memory of 2496	2744	cmd.exe	choice.exe
PID 2680 wrote to memory of 2872	2680	Casinos.pif	Casinos.pif
PID 2680 wrote to memory of 2872	2680	Casinos.pif	Casinos.pif
PID 2680 wrote to memory of 2872	2680	Casinos.pif	Casinos.pif
PID 2680 wrote to memory of 2872	2680	Casinos.pif	Casinos.pif
PID 2680 wrote to memory of 2872	2680	Casinos.pif	Casinos.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Japan Japan.cmd & Japan.cmd & exit
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:2192

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c md 260887
4⤵
- System Location Discovery: System Language Discovery
PID:2644

C:\Windows\SysWOW64\findstr.exe
findstr /V "nccitizensreportaudi" Sudden
4⤵
- System Location Discovery: System Language Discovery
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Travis + Commonwealth + Momentum + Confusion + Deer + Leisure + Viagra + Calculator + Syria + Isle + Pmid + Adventure + Aaron + Patterns + Lies + Machinery 260887\M
4⤵
- System Location Discovery: System Language Discovery
PID:580

C:\Users\Admin\AppData\Local\Temp\260887\Casinos.pif
Casinos.pif M
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
4⤵
- System Location Discovery: System Language Discovery
PID:2496

C:\Users\Admin\AppData\Local\Temp\260887\Casinos.pif
C:\Users\Admin\AppData\Local\Temp\260887\Casinos.pif
2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Modifies system certificate store
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cde2c92cac6d3d7d9177dc669890cd5f

SHA1
db8e3c32b7ee1388e4252596105511c68f4947b3

SHA256
8975bc49f47b024a6af3ea199578f7d2a3884105ad9fd8aa3c35e29d96d8144b

SHA512
a554248cf3f8e69724dee9348c061fe05784ea6a86f39fed2b58be5655420299db33cf53b9398e5aec34cf7b1de1dc9d1512fff95205ab044b44276e5ee6aa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\260887\M

Filesize
1.5MB

MD5
88ee50c0c59205c89de9a75a8819d7ab

SHA1
8e4a8e440e31b483bdf8035484313f8f6c08aa42

SHA256
582b61f512ad8bceff415d408e979e299f43ba0dfe14837d4db2c9198622f491

SHA512
1e8d5c51082829e2f83a6ff7bb1c85abf229dbd9fb1a10e60a332b6fae6cadaf92a8ddb71ae64ba6eb81403ef8154bda5025dd18f2f2c5dd695b7b1433869bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aaron

Filesize
79KB

MD5
07bacd49ddeb1d8d1e8d3b340a4d4f44

SHA1
b436997c1ffec0005bf672790cbc1d39a7dc7866

SHA256
5c2f46aa908ad5c3ac3eff8a294d8b774649f3025cba2fe4637906889a6dffe1

SHA512
f05f77d34bbf5ec183ebf8e1242c4e74e9ca044193207e3f1760fc8c33c1c9adc79f0518e3c23eb5b0b537360ac0380a2258ee1fde80d829e2f5ec4a8e25d70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adaptation

Filesize
30KB

MD5
df0ffce27b6d38ac90892038cfdac89d

SHA1
6d65f093487efcfeac752484150391c402c5f504

SHA256
51c5a2720baf4406fa2d3ab2c577a3830013ea4e34fb18996436e95d68de6025

SHA512
b0a330125f1b59df94e11a18a655eab6c888cd96699ae56f84ac44f9e99348e504e1eafb431297be54bbe756f70ff0bb9ec283957d203229923b7e1f491e2731

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adventure

Filesize
193KB

MD5
522247cea17b885c10bbf1dfbb31406b

SHA1
c2bbdf6c4d651ce8d2da1fb533f2ddda7a412768

SHA256
e55ed4836325d8a922b05e8bd83d0bb3c7acd450aa07621e59b11603fc3a183c

SHA512
805ab54024bca3b8f920bd293ef558cd63d59944252fb90787dc94f4083d30e703f378c8e64bae1dd52bdcdfabb8a66309b83ed07bec08ff02263e7ed6e6f24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Board

Filesize
32KB

MD5
6c9a4e88bd8c4acb61928d82e40dec05

SHA1
a4aab09469d05b57e698e2158000585fb2ebd690

SHA256
ca843fdef7f9445abcc23761c63992c47aa98447df33a5b28c2d5609df7d22dd

SHA512
9d009ac0620a428a95f1280cabefb31fe2b9ccd312dea2cd520ae375668b4602dde5813630f60c4af476fac1b0835caac20fce29688f1b21b87baf68590e69ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bridges

Filesize
22KB

MD5
7bfd23c9b1cf58deb5f567c751f75a5b

SHA1
a83a9ca9b4e1aa2a42d7e3d3de0a6df8ba4b6ff2

SHA256
0d71ab3f3e388003f04edefef2fa04f7a0d34e8301ffe3562a245eba7980a4a1

SHA512
8bbd9e15a795715fe98a31f988a6f0cace61e4047cad4bac34e2b0e5817ed004fa56a6b6c082d8163abfe9f25e4dbfa6811cb33a393248c023459a035bb8b5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4230.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cage

Filesize
16KB

MD5
10a8af86b71b5b7de286d42b1479c898

SHA1
f94c47a1c61f061e9d3c1a2b629db6d26f2752c9

SHA256
fe85e536434249d3104857878c2a6bfb541be000f4d117b10786a0e4046d82bd

SHA512
01eabba676020742daaa5474e332a4b3ff5068eb2c284ab26f3f3adec73a4c074f5e1e0e92019c3476c51bd7ad40ca3ae5b85bb0e2a03ec22b623c716ed498ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calculator

Filesize
172KB

MD5
c1af251cda983ef5b813ae400c80de25

SHA1
8c8a194a890ec37f342b818181fc7c6b7b64a400

SHA256
8cd955963f53742db1c0f79cf38f1e9cd88284b34a483c143c48cc1468849a8e

SHA512
f6618297ddf082bdb9406a32b4b055e9abf8860c5dfcff37fc6e1fd515f821027e0bd1a5663883bb740bf13abde289e442aba14a90b745d28f69768e06c9200b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cancellation

Filesize
31KB

MD5
3bf4d788f18a5b59f2dfa12d0f12bbd2

SHA1
55fd1d215b143bcca50543810c70717e5f7beb7b

SHA256
672245b7cb6c5303c668987b1bda3a72139eb0b65449457f00222501ce4646fa

SHA512
e97c7b2f493eaec112467c9f103f7ed77c241a78621c835f105d78146791df32fb535f77cc990c8cf2b8d62b62d0f237ed7d5a9d74dc15a3f070a5d6a7a2e18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cms

Filesize
21KB

MD5
1184e7306fbcdeb43104acd679ce7a3c

SHA1
df8bb90d9c89e5be33e71942ef7f5eefd31a7411

SHA256
b9f0e2167277f54c9849aa58bffa6401204202df73889e4857605ddd8728180d

SHA512
3a673fd743f24a163f8f58ba8b5684110051fde964880c32c09fd974c81138d87abc28d79405e70d97e8c58d7aba13b4575930fb13d1d2d1594be75c1967f3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commonwealth

Filesize
122KB

MD5
382e0f09b317daacb51d5b0ba7a4c452

SHA1
966e3a1b4c5f95efd4c6b4e6a21d869af1199a6a

SHA256
aab3d4bad426daf23ecaa1243f5ea4562ab56f2b52dbcd5a03d27e15d7689084

SHA512
7784ae81b4e5ff4ccab357e0f5331007d9b7311d8cd965cbb83b750e6be996c99c79a1ed5879f74c7e2b97482a2b942f2ef7fbf76f5578fd068ed7c1b6d4ad3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confidence

Filesize
21KB

MD5
6b67f2a91d753f74a1e7fafd9990e4a6

SHA1
3864916b142053ea749bfa70c35ba16eebc2e1dd

SHA256
de137d485205628a5b938a4938bd68f97bfe63ba868ebc8f1473f07172948713

SHA512
8f60033004660f8697cce199198bd8fd3503ea6bd137d4355571b131fc00fcc9a515e82665c90765e65dd4a335b7d6c81b542fcd65f1964743e3a82a9c837ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confusion

Filesize
55KB

MD5
aab8fd30f817b1af6dd6d7bb776cffb7

SHA1
ee20a3706f09024df03b0753c12047086c89164a

SHA256
1af61c90dcc4493091a99b871076a7ea336d1d88aa7804910bec991fa52f5809

SHA512
2ce5cf05d9c03d123018e7c3958eda619b3dbfa590bd62dba139f55f57093ba3707a41e0860a873d560ef19bdf16750b22697458fb3867cb789c35aa271dc4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Copyrighted

Filesize
41KB

MD5
dbba440479309f9b820cc60612de4277

SHA1
a237db10e03fc92e2a0bf95e4528827d613b06e0

SHA256
12e8c0bc22f7f6e7a6f7efe250050cf52590b016c479b78bbf3ba84c9a994678

SHA512
8b50e9718b40a5e83e9a4bcf181d197e5ff11d62ec201c43a927ed432b612125f7dd690ff14f8f809141c045f7aec0851ca1b26b457d05d2140be6eb03e19f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crisis

Filesize
29KB

MD5
2cff51a7ae06f59f918910df6fbab81f

SHA1
8a5a5d8b084a9f2510d16d17f727cf06b14486f0

SHA256
98e06f14e6a70a82af9d99789c5ec7192bad31c33b919032e6fc9393aaac7543

SHA512
654b1f739acce63cc698cff1413068f53c1c02a901a588fd347761dbe532df068ac6640c3e4676fbd133ad4fdc8a7a454b2d3a91b9509bb9e2b62e1b821d1ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deer

Filesize
83KB

MD5
a1aa26f09bf971ca22d68f7d61c8ac0a

SHA1
a13965fdfec3b31573215575584a393c24a36704

SHA256
3bae12cb3b572af1308a69ddefa0a9be8971161c2fd9fcdc4bac9b6ae259c890

SHA512
e5c9161085ab3e062806121a1a3538ecfb7a23c66129ed2ee99627cf3f70fa5d8204fcc302e1a304e33877f39090fb03e2356c557c0b3d9065ea2c810e5c3bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dolls

Filesize
20KB

MD5
7dd1292e698387ffbe5ca671050f59cd

SHA1
7031cd19fb309f8a21943165729feeedab3ba92e

SHA256
3e0b24806b31c37caae658d0886b07361c94ff47600f1a283cdc5a02f9889be2

SHA512
f8e57a65150b5097fc3de38b06489dbd12d62a53ee2d862e25baff980034f5caadb689ccf11fae9c04eafcc144143201a422a19cadd4d16da5c8da93557cadfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Establishing

Filesize
13KB

MD5
20473ae088faf286adcded910fc4aa24

SHA1
b59cad9a431be40baf53e6555560e1e49fa09b7f

SHA256
63d634ae8b57b14ac05ffd44e0913b48681db8e29b47d880e5b85d65394a64e3

SHA512
fdef774c270b2d7424b35214f6ca674e5a9deb29a03c3fd4c7ca0f79c1cade01c11fb57475d75b5601135724217330b54ab61ed825bf03442c1a08b0564e0ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Financial

Filesize
63KB

MD5
173eb2f8946091657d1a5275e6488e9d

SHA1
708ebf68eaba48947d1c4d2611751eadfafddffe

SHA256
674f748b68e984ee3eff29362f7f1aad390f2457ad75929312c18133f11d8673

SHA512
895393af27ce0a4fa80f341ae40f6293ef0d6f347ed6eb4062725f52cc91bf6d6e5da386587fe686f4d04a52b8faa566642345b64866d8701950924f66cd2cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Find

Filesize
18KB

MD5
2ed1369d666964e9f66d9f3ea7a80d6f

SHA1
05d2d940b65f4c629f4541c7a67ab26697e772b2

SHA256
a13c694bcabd754bd49f6b0fe6efa653e0c9358ea52f37055aba362ffa99c145

SHA512
68e2d9240a64031c304ca856d2004a56620c99013bc826b1f9b553ff6371624e6212260c7aa0ecb3b2442ae4cd5e091eb66d77ccee510e48822ec4cb2e6e4dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Futures

Filesize
41KB

MD5
6f33eabebf12bfc86ab1c35c6f27c645

SHA1
b7a9d5a96c953952c6103ee25fed65a407f48834

SHA256
8c8843cf189abaefa8b5bd2ddecc249800b33467b5264bb3adf43ed3c71c94c1

SHA512
5a82ad8699cebd9edda5a8189db58f21bb5edaf1fc04e2739b90212588db7a479bbf62e03d606179be8c79395b2ba6e40fe61a28bf3954ee9ed668af7a7d4ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gentle

Filesize
51KB

MD5
6c0768d81d73d6cca32ef7718594f826

SHA1
4b6cac08c519b150248a2dd1d3b99d7d4bb5dee9

SHA256
9cde89a0883fb55e913e62a97b26c95cc9e2a0190036dcfc3c61ce1f5aef3f78

SHA512
4bc4d9b349ce94c8ffa8cfc30bf074a4a6c8bddf00f2712935d6f522ca7467b2dcbf5e65d39d5c80654f8c9924133c18c41affd57cd4905793052ded4cb576c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graduates

Filesize
27KB

MD5
97dd7e02e3ecdaea24e85c8cdcd7f880

SHA1
2599be81e5b89c07daf1b1bf67b0da215770a107

SHA256
7a6713dc7d458c4e2e063818e7149323c3e66982a8f1dce768619b0a6652704e

SHA512
9bda6504d8af05fa4178d0149b06d42437150b84aca5e182ab0f5a913fcb1e195d66f76528e9938e95b04c0d4314afaa8bd50516f417ca3319dab2d1975e1236

Download Submit
C:\Users\Admin\AppData\Local\Temp\Incidence

Filesize
5KB

MD5
32fb7be2a8a689e62986bdf616bc30f2

SHA1
3ae8e7c01b28f7869c0355b7ba7272c6064a20c6

SHA256
8f51603ca367b1dde3ca7482e351676eb9f501bb6690b599c05d5089f907d3d7

SHA512
1c6483dd17293fe5d80949830a5c07eb333ce06fb64fecc929edd282e77624aa0fb2e651d2b9d0be57521cee13a788e93e3e6c9b7d4dab39cdfe2cd00d0ea5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isle

Filesize
130KB

MD5
bf4a8bdbb4d09fbfa1d71b239359f000

SHA1
54c2a237f3dd1f680681855e21cd4ff38df21e85

SHA256
c861181004556840d402c22097a9ca7638bec3bc75dfce3618a6718ee749e347

SHA512
69ee2c958e380ada2b5a4241d385533855caeb4050deae0b29e28ce92b11cecb6a6296d7d0385279e2d25ed2646c2122b4f6d50b0b635cd3c9784083ee1f2d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Japan

Filesize
9KB

MD5
27487466c400df25a61a7e6239e1d33b

SHA1
8a85c59c5dc82b3cd9b4e7092f0892a08b3aaba4

SHA256
f7f84d6e77ccf3d0de1172d4d491d81c1b33f61f80aa053f491b45058f03a751

SHA512
a3fa60ca556935121b9c449f097c4725a05df4f12dd5386c114cc299fc14adb274ff5d43268b20db32304c501eda3829534b5ff0e9d43ec47f8b508385f9a384

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kilometers

Filesize
34KB

MD5
b96d7707070287ce7e2bb8fdc07812a8

SHA1
173e4ac9ee730eb04b1347bced1c7cc239b7c978

SHA256
0eba0038c1c1cca6d878ba03ab372630ed9a80d8f6d88bb0342658ce58d76484

SHA512
ca354c864e232bcb940551144159ec106b964060fb451f63a0a38636cf15af4fa602c87c6c6f478c84aef222af08e0b41784a3846f7ca43ba15ea4bd08729f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lawn

Filesize
7KB

MD5
fe5ed5e5e968ea93e5730ab9cab307db

SHA1
c7872ee2fec13584887afc569ee2069da093b942

SHA256
e2be31c221a564f8b32ef22735958b9e364ebd71f59aae4dac027891f39bc78c

SHA512
43a52c50a84f14f3865e349185aad8d7543aa32f9505e06a5824fbeed83521b7a9466fcf3b7ab96534221c7123bb46d843f2eda0cccd3b0cc891aad7dfe96b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leisure

Filesize
40KB

MD5
c2955e85c6aaa40418a6522eb791745f

SHA1
2ddce6b41ac3737f89f4f1af6871fb85f4cd6bca

SHA256
2b609e56ec84bcc891d8ff12b7cb6ae25300427cff5e944f7d8db5ff2d350634

SHA512
7cd33d8b1cbf5f7c6f51208a16fa026b21fbef0f9dbc6fceb4cf7580b5b7cb73786834a47cba468cbc763fcf07f76cb071dc92113a2613c6ddf65abc59e2c68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lies

Filesize
48KB

MD5
eef9f4ef9d21fe8775bb762ee89ab8d6

SHA1
d26eac22b37d29bb2d164b1f108df25c3e45f90b

SHA256
7b2dfcaaa0921b0424aab125522182b318604fe680e4d059d595dd90a05785a2

SHA512
f303c66896de595531e32d349df84d27959918017bf56138d20e7c2661b4c9f07a4056b49d62106b07966b40ffff4bedbfa3e080502fd1686987e99df5f0cb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Machinery

Filesize
24KB

MD5
e9c04eb410a5bc5f3c477a8092567767

SHA1
adb5a342c5befa8e8bfc3ed6ddddeeb93d2aebcd

SHA256
a44a607b8cf74144adc9e40cc08d1418d23bd45f83a7dfc29fa4b89caae7908a

SHA512
f631d1b78e7eb6c2052b797fcdf5476afd40e012aa136104b34c342b2724874963b8ba08cd481866d475ab446f8bacd4f3df24dd13e4ad9906fdffceb2b11433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Momentum

Filesize
176KB

MD5
5e0b9269c0098e9c622912ba714697aa

SHA1
56344ad8fca3039f261824a312a2e7a036ba9ea3

SHA256
c731d432999b51bcfcc0920d95371c428488ae6a92320e38a83d161c19aa0b79

SHA512
b6481bb85adb00c3f831d43db4005da27f07bbd98308812f605f65c5a364fcdc76a6bf09e5d83000f586a479d6fbf8a7504f253be701935cdb61cecc9f47ea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Normally

Filesize
31KB

MD5
b53e74f3fc380132f20c3f2076cef287

SHA1
241ce91bc76d6cbef9a841f3d34827c22b910b14

SHA256
432cec5f0f0f2c132aca5d544cd11e928e2780312415f21a7dbe0a388724885f

SHA512
d557b5b5c61e76328217033874650d48a553e28b0b750f14bb92d9db4c6a854c4abf21e63c0b3d88f52715e00e86d261698cb1d98e103a759541f5b61c459701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occurring

Filesize
22KB

MD5
f8d6e140c3522ca8a680f57165e028e5

SHA1
ec1bd1c83db9636c3cee6614a07c14b81dab7607

SHA256
69748c70efb1005d9c502416b72e46e7d4198a43dc945385ac9b4d7d2e56ef0d

SHA512
118bcf118faec07649e985838ae8793233adc73e3c185852f076c5ce4c62571f46a509a49746674dd9593858e4fefc3dfb1892e15726bf317847202fd615baba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patterns

Filesize
112KB

MD5
7cd5447464ed4c1e61d045d2a503d0cf

SHA1
ce0353ff6ff2459a03abef452d1ea6e1915d21fb

SHA256
a8e79f0fe66ae60e2a51f9bd7da06df9b289e7f52fe9e0987ddf395c3a1fdea0

SHA512
9549be0c1a44fcd37acfd982de25364408fcc0fea96011f5936f48cab2e5d2f84871ed1faa809cf1c8713540c14c5dc1fabd851ab6ce3fcb073f02740d39c7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pmid

Filesize
33KB

MD5
c51e6398d45ea0bbeda082d4d98f01e1

SHA1
f6902a3881673f45a622f3f092d96d2120ccf0da

SHA256
c6a17778416e94d9ae413f65ab1a3a8823ee5c9a760b6604805cb12afa537a73

SHA512
01d2f32c0f9bda293ed6e2c5344d35e9be6a41410c5d30be6e13c5f73ed6f8b7d6ba1348bcc6aa0ccaed2be99117fe8949584ada8b4abfc9628857b25f66e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Postings

Filesize
33KB

MD5
b3b4cd28870954e4937ad80ba373550c

SHA1
c397eae337bc6a88fd28ba280f5ee535ea35671a

SHA256
4c4fada05bec667643313902f8f7915dfb5be9de2e18f0247cc5f6f29b798e69

SHA512
9a09ad5b83deda19a30da9056250e632d9bcceda64f5f4322b39aa63dba0b823340cd1a72dcab58852bd48d757580c5a6710444a760e7a252e3c07946027c9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Public

Filesize
38KB

MD5
4cdb45016b7adaf22ba76cb926b898ca

SHA1
b931bf84eaa429c7905cf6c4d73ee90ed902999a

SHA256
f3bfb2e4793f6ee707ddd875f77ede857ab81e82c76317e5c0f827d03a7a61fd

SHA512
a470a96b05f23e90bca74292353189ffe257c5aafd201a0d618dd73f6e906f6c5a100326451c71c5ee22f1b723d95d66620c2f3927123772494fb0560987a8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reasonable

Filesize
60KB

MD5
00e4b68389cd1081b8d7dc7abf0bc8e0

SHA1
1d69783ef7f861768762be734be52fdf323b4c66

SHA256
082675fe18dd3eae06faec1f59e9b182f265107d34dc7b9e9de4187ba1315947

SHA512
6b95ab60e72f0dc269e111c5957de20abde0e04e512b10fb050381ce482bdb7179adb0e7a053e740d35318b6cd8db8313bfeecc6394cdbebc54b7010e62c2b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shares

Filesize
30KB

MD5
b2ee93e55ab2bd82f8fe8743df9161cc

SHA1
413abffa0bccc2c1f613bd8cfebbb7ce36ca6faa

SHA256
7f6c0d96161340e845f169b6fb029277ad3a291959c9a75947f36cb19848ce92

SHA512
18bb7d0e2342a72c395ad9edd756eb70cc6163b1073c6a64ae4f2d24ef12358cdbb39bd71acc4cf7af3fa0507dff66031e17c69afaee77c6b1151e89d8e25505

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shopping

Filesize
38KB

MD5
896ac464bc69edb0e865b000bca56157

SHA1
9ee0cc6d1cc5c31c6e40946f39f7a7214e719043

SHA256
b55aea051cd01734190e906665707dfc223914a88165a970a1e62ca2cba3d485

SHA512
072fd17ee0a2e2353046a81d98e03414a2d4041eb69affbdc87fa73a488aabae51cab3e73869204947f6ebe4c7b41353f7d62b9999e067e6701cb917e85bfae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sites

Filesize
51KB

MD5
c6dab83d58303357f88db51825cfbaa5

SHA1
518be4db59af0775d0f46f345127622ad5be7bee

SHA256
6b16ad140e002c18760dc58b0bd5096ee354c533c2a16eb7cb01b673fde1eaf8

SHA512
70cb69693c894dbee10f015706ad3a6041e2d0fe7328c320026877c382add0d53e0bc5d833683615e9af8bc6149ea07627830594b8f7e2a54c4f5b0cb07e4dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sleep

Filesize
22KB

MD5
84682740e9a6342f34d1b23f74ea8cf1

SHA1
bfeaf73b34019dc9ab87b70aa04df6d4ef28089c

SHA256
b0ab6f9b0c3b1f10507dba83e0809e9a3a9f0c8ee46dc00c912f2a7f774d386c

SHA512
7e19cf0ebf356aca224bb0d06f4df51264aa37855cb743e2bd670169dde1afcfa173aa60eb7202cbf340d55ab7c3e2ae61502255d68bc863274d65b56b05b756

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sole

Filesize
16KB

MD5
bbae64c03ce2e83037285b1cbb7ee188

SHA1
257e69f8e60ab147e1f18d3a342d1658febb6742

SHA256
b87669ec8365b0f083f43d501585c49555b92ab9defbdf80a1b639a16496bcc5

SHA512
08b984dda002ae36cd4c6e981526946aa35a0775f9e5ff960753871c9ca6bcdfe1e439b7c4d0379ff14ad40b1beff836095785f17d192fac603ed8a92f84fd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soup

Filesize
66KB

MD5
b8dc924a040c652fd09c853bf245f1d5

SHA1
988db104938cec80d90eff36b27df155b3bcc3be

SHA256
70f05fdd5b8eeef11c5de8e93fa4eb62eb898942e32a7b795b9717c3dc27bc49

SHA512
aa0ee94b23b9c47bb8c36262296fd0f04d6074544f3260165b627c125b2ca763fd52844285e5f48f1c6ce3fe914327c345f08833b26266f84b03708949eb82d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stanford

Filesize
30KB

MD5
541cb9b83352756e9fdf05f1eb0de940

SHA1
d3f9eafbc1b73a37dcbc361f2e51f1e203f0f0e1

SHA256
c6520161095c3cfe33a8988378d3bf93d9363e40f0b7a52cf2159beeb0d9f059

SHA512
308f04702736b68f78d3cf64610d3d680b6288def32a997bbe4b1d3c6a99001be0f27be091fc2907f380c13edc66c661d8e0939365618d8c7826ad112252f372

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sudden

Filesize
204B

MD5
db6209fd85cab2ce6e8628683247f084

SHA1
c6b896d2104b56dbee8432961140a320c4cfb212

SHA256
935109ed73a984a7aea7d9c9e88a4ee581ccc32418eb13c40b899d827417d1f7

SHA512
a5d372a18a07465156847f13d9c202b71bfdcf5103ef608ddc90a7570ca5de1eb56e4a5a3f8dfcbca44fe52b7897220ae0fd9bb5d13cd29311b999cbaa5452dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Synthesis

Filesize
15KB

MD5
9f94504066f862de33983df1eb9e78d4

SHA1
1690da08234bd0da469a3a38184225606a41d565

SHA256
0fccc2667e9b942cf777ae024269cbd2da1449ddcdb521914503cf860ef307bf

SHA512
d288558d5873efdd783617a601f997e1b1e1434fa722a00cbffbda8d2ce04bf1ec2170b3152eab19cabe473c7339f5e17ca1d07d80655f13c7ebf6379da888ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syria

Filesize
68KB

MD5
85fa376278dde488899588dda5ef50a4

SHA1
80143c6e0cb9f934232b402a1814241083b9240e

SHA256
4826e086eea82d7fd84efafb1eb2fb02bfd98a06101509a545b01fe5bac0b617

SHA512
e1dbdbd4802f620d5aae2826969ac1ec8d22b3b1017d42617f75f60de5e1274ecfa8898cb113735866c7227fa0d39eb26e652270d569a266bf5bf16d95452e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar42DF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Travis

Filesize
39KB

MD5
98d44264161df3b76062072ba2151f25

SHA1
3ee879602740a641d664b5dfe06eab6191a03881

SHA256
f07429a18db185203867e0192d1d6e357072c23eec4e36d049714bf58d5aa3f0

SHA512
115c9b45bfa4def03ca4f854cee37816543fd1727d0e6cdf6a63140cfd2df3bf5e31c3e98db6a433390d18e476d40f5df2440de4c57e19c7e7d930ac7fa6d206

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uniform

Filesize
15KB

MD5
4d1be187e1aa89c72b934a83801ab422

SHA1
6b187c966ba0579bac472e3dbc3e09bce39671c9

SHA256
20272d7dd4b84d62a642640bb4d3acf4d1b598b62fc695f6617a157bafda3ea9

SHA512
f990e23155e6ea25c899b0dfb0412aa773e86663b1104fb9e5a8e1c9e76b3e725769edc85bfb515bc124468b24b231f0200867471c1d8d89164e99814f26e651

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viagra

Filesize
173KB

MD5
230f63ba7fe9aad9c7a09b0687908e16

SHA1
87eca1e1e46efe5ec628934110f0f52cc45fb48e

SHA256
47a9023963bef33807876f31a9f15e7d37f81f80428159d7bf591a4ad43006a3

SHA512
4f5d93b1edded76f43a2d0c4751830b9b099d49dcfa14936467d56b44414214b37228b984f9039aa10498b46003af044b4538972c8a23bee23ee18bf253b3718

Download Submit
\Users\Admin\AppData\Local\Temp\260887\Casinos.pif

Filesize
990KB

MD5
7e778aecb67efac6252d3664087209e3

SHA1
e710316dae046e32f9011cabd2b68342a0d02626

SHA256
e528c2a6706b5ad536c7d5b745fbb037ae5ed197df4d687321eeb119c60007b3

SHA512
b459f0dd30d70eadadf79e52dfa97e186fb9a679d37c5c03cde23671fe28b987a8505e519b7586893c6b8728365f295c2aaf98794013301c2cc907feb349d65e

Download Submit
memory/2872-112-0x00000000004F0000-0x000000000069E000-memory.dmp

Filesize
1.7MB

Download
memory/2872-113-0x00000000004F0000-0x000000000069E000-memory.dmp

Filesize
1.7MB

Download
memory/2872-115-0x00000000004F0000-0x000000000069E000-memory.dmp

Filesize
1.7MB

Download