lumma | 4063a99a496a001e7fe8b613e00641f4978dcd7b7cc5d5fc5436367f2ebcd12c

Analysis

max time kernel
114s
max time network
303s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

suhaag 1994 full movie mp4 download.exe
Size

890.4MB
MD5

cfaefdb151a490dc8047af6843b53b7b
SHA1

e07aebd16c38cfcb560ddcd075a2c89aa28ae18c
SHA256

f7089901034876bd1e7bb7c9bd510a5e829897237b619f08eec99f6685fc9aa8
SHA512

ae72fa594c780056e0da0919d36b2790280eb91939ef74af098642918386eac9f8e9addf0d6bcd272c79996c30871b34696bdd97dd297740d892f3f4ae3c4f63
SSDEEP

393216:m+3MOe3n7mOxAUUNGD/FZkfijYUy4FtPIapG0VvXHFjHmTYAAzX:i7iI/Ufi3ybuG0RXFjHmvAzX

Score

10^/10

lumma vidar 3a15237aa92dcd8ccca447211fb5fc2a bootkit credential_access discovery evasion execution persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://appleboltelwk.shop/api

Signatures

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/2764-528-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2764-527-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2764-524-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2764-521-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2764-519-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2764-517-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation	Wine.pif

Executes dropped EXE 19 IoCs

pid	Process
2556	Wine.pif
2908	Wine.pif
2396	1YMTUiJAgLT2aZlzw9v9EJ4U.exe
2756	zcOfI4fSS7800ZhXZCf9KfoZ.exe
2976	GAYkITooakqyo1HTV8XuOfbv.exe
2188	6gO7siZ_Pmwz8X2X39BY5k2v.exe
1712	pRvDklPflUfSS2pHf2CpeZNr.exe
1632	vvgAOugcQNx6BPkizvKFZ7xh.exe
1624	AUuafg41UCPcj4xo7GsZ5QX4.exe
2328	azdWxigkcf8mCmpSlwZqkjD0.exe
316	YbZZl8brBLAyTdIT5hLPlRp7.exe
1576	paI6jT461sd6Qt0r5pIDWjO5.exe
2284	SEs4SBF_4KskB6jUJQpxVtgi.exe
836	NR1se2CHipovuI8NEimJdFQt.exe
1612	DZ9JO1d1x1SXzZ8Er08iFB9N.exe
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp
2840	videocompressor32-64.exe
816	AdminIDAAKEHJDH.exe
3044	AdminHJKJKKKJJJ.exe

Loads dropped DLL 29 IoCs

pid	Process
2488	cmd.exe
2556	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2908	Wine.pif
2328	azdWxigkcf8mCmpSlwZqkjD0.exe
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp
1104	RegAsm.exe
1104	RegAsm.exe
2632	cmd.exe
2972	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
28	bitbucket.org
46	iplogger.org
47	iplogger.org
17	bitbucket.org
24	bitbucket.org
25	bitbucket.org

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api64.ipify.org
5	api64.ipify.org
7	ipinfo.io
8	ipinfo.io
12	api.myip.com
13	api.myip.com

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1052	powercfg.exe
1456	powercfg.exe
2868	powercfg.exe
2372	powercfg.exe
780	powercfg.exe
928	powercfg.exe
2032	powercfg.exe
2024	powercfg.exe
1368	powercfg.exe
2124	powercfg.exe
2472	powercfg.exe
1572	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	SEs4SBF_4KskB6jUJQpxVtgi.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2840	tasklist.exe
2724	tasklist.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2908	2556	Wine.pif	43
PID 1624 set thread context of 2552	1624	AUuafg41UCPcj4xo7GsZ5QX4.exe	67
PID 316 set thread context of 2764	316	YbZZl8brBLAyTdIT5hLPlRp7.exe	65
PID 2188 set thread context of 1104	2188	6gO7siZ_Pmwz8X2X39BY5k2v.exe	72
PID 816 set thread context of 1596	816	AdminIDAAKEHJDH.exe	85
PID 3044 set thread context of 1860	3044	AdminHJKJKKKJJJ.exe	83

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SundayAutomobile	suhaag 1994 full movie mp4 download.exe
File opened for modification	C:\Windows\CasesActor	suhaag 1994 full movie mp4 download.exe
File opened for modification	C:\Windows\IslamicAssignment	suhaag 1994 full movie mp4 download.exe
File opened for modification	C:\Windows\PublishAmericas	suhaag 1994 full movie mp4 download.exe
File opened for modification	C:\Windows\WarmSide	suhaag 1994 full movie mp4 download.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1828	sc.exe
2920	sc.exe
2140	sc.exe
1864	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIDAAKEHJDH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUuafg41UCPcj4xo7GsZ5QX4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminHJKJKKKJJJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wine.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azdWxigkcf8mCmpSlwZqkjD0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azdWxigkcf8mCmpSlwZqkjD0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DZ9JO1d1x1SXzZ8Er08iFB9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suhaag 1994 full movie mp4 download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6gO7siZ_Pmwz8X2X39BY5k2v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1YMTUiJAgLT2aZlzw9v9EJ4U.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YbZZl8brBLAyTdIT5hLPlRp7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	videocompressor32-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wine.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paI6jT461sd6Qt0r5pIDWjO5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DZ9JO1d1x1SXzZ8Er08iFB9N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DZ9JO1d1x1SXzZ8Er08iFB9N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Wine.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Wine.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Wine.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Wine.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Wine.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Wine.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Wine.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Wine.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Wine.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Wine.pif

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe
2280	schtasks.exe
2496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2556	Wine.pif
2556	Wine.pif
2556	Wine.pif
2556	Wine.pif
2556	Wine.pif
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp
2764	RegAsm.exe
1104	RegAsm.exe
2756	zcOfI4fSS7800ZhXZCf9KfoZ.exe
1104	RegAsm.exe
2764	RegAsm.exe
2552	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	1576	paI6jT461sd6Qt0r5pIDWjO5.exe
Token: SeDebugPrivilege	2552	RegAsm.exe
Token: SeBackupPrivilege	2552	RegAsm.exe
Token: SeSecurityPrivilege	2552	RegAsm.exe
Token: SeSecurityPrivilege	2552	RegAsm.exe
Token: SeSecurityPrivilege	2552	RegAsm.exe
Token: SeSecurityPrivilege	2552	RegAsm.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2556	Wine.pif
2556	Wine.pif
2556	Wine.pif
3024	azdWxigkcf8mCmpSlwZqkjD0.tmp

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2556	Wine.pif
2556	Wine.pif
2556	Wine.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2488	2416	suhaag 1994 full movie mp4 download.exe	30
PID 2416 wrote to memory of 2488	2416	suhaag 1994 full movie mp4 download.exe	30
PID 2416 wrote to memory of 2488	2416	suhaag 1994 full movie mp4 download.exe	30
PID 2416 wrote to memory of 2488	2416	suhaag 1994 full movie mp4 download.exe	30
PID 2488 wrote to memory of 2840	2488	cmd.exe	32
PID 2488 wrote to memory of 2840	2488	cmd.exe	32
PID 2488 wrote to memory of 2840	2488	cmd.exe	32
PID 2488 wrote to memory of 2840	2488	cmd.exe	32
PID 2488 wrote to memory of 3032	2488	cmd.exe	33
PID 2488 wrote to memory of 3032	2488	cmd.exe	33
PID 2488 wrote to memory of 3032	2488	cmd.exe	33
PID 2488 wrote to memory of 3032	2488	cmd.exe	33
PID 2488 wrote to memory of 2724	2488	cmd.exe	35
PID 2488 wrote to memory of 2724	2488	cmd.exe	35
PID 2488 wrote to memory of 2724	2488	cmd.exe	35
PID 2488 wrote to memory of 2724	2488	cmd.exe	35
PID 2488 wrote to memory of 2768	2488	cmd.exe	36
PID 2488 wrote to memory of 2768	2488	cmd.exe	36
PID 2488 wrote to memory of 2768	2488	cmd.exe	36
PID 2488 wrote to memory of 2768	2488	cmd.exe	36
PID 2488 wrote to memory of 2940	2488	cmd.exe	37
PID 2488 wrote to memory of 2940	2488	cmd.exe	37
PID 2488 wrote to memory of 2940	2488	cmd.exe	37
PID 2488 wrote to memory of 2940	2488	cmd.exe	37
PID 2488 wrote to memory of 2848	2488	cmd.exe	38
PID 2488 wrote to memory of 2848	2488	cmd.exe	38
PID 2488 wrote to memory of 2848	2488	cmd.exe	38
PID 2488 wrote to memory of 2848	2488	cmd.exe	38
PID 2488 wrote to memory of 2772	2488	cmd.exe	39
PID 2488 wrote to memory of 2772	2488	cmd.exe	39
PID 2488 wrote to memory of 2772	2488	cmd.exe	39
PID 2488 wrote to memory of 2772	2488	cmd.exe	39
PID 2488 wrote to memory of 2556	2488	cmd.exe	40
PID 2488 wrote to memory of 2556	2488	cmd.exe	40
PID 2488 wrote to memory of 2556	2488	cmd.exe	40
PID 2488 wrote to memory of 2556	2488	cmd.exe	40
PID 2488 wrote to memory of 2932	2488	cmd.exe	41
PID 2488 wrote to memory of 2932	2488	cmd.exe	41
PID 2488 wrote to memory of 2932	2488	cmd.exe	41
PID 2488 wrote to memory of 2932	2488	cmd.exe	41
PID 2556 wrote to memory of 2908	2556	Wine.pif	43
PID 2556 wrote to memory of 2908	2556	Wine.pif	43
PID 2556 wrote to memory of 2908	2556	Wine.pif	43
PID 2556 wrote to memory of 2908	2556	Wine.pif	43
PID 2556 wrote to memory of 2908	2556	Wine.pif	43
PID 2556 wrote to memory of 2908	2556	Wine.pif	43
PID 2908 wrote to memory of 2396	2908	Wine.pif	45
PID 2908 wrote to memory of 2396	2908	Wine.pif	45
PID 2908 wrote to memory of 2396	2908	Wine.pif	45
PID 2908 wrote to memory of 2396	2908	Wine.pif	45
PID 2908 wrote to memory of 2756	2908	Wine.pif	46
PID 2908 wrote to memory of 2756	2908	Wine.pif	46
PID 2908 wrote to memory of 2756	2908	Wine.pif	46
PID 2908 wrote to memory of 2756	2908	Wine.pif	46
PID 2908 wrote to memory of 2188	2908	Wine.pif	47
PID 2908 wrote to memory of 2188	2908	Wine.pif	47
PID 2908 wrote to memory of 2188	2908	Wine.pif	47
PID 2908 wrote to memory of 2188	2908	Wine.pif	47
PID 2908 wrote to memory of 2976	2908	Wine.pif	48
PID 2908 wrote to memory of 2976	2908	Wine.pif	48
PID 2908 wrote to memory of 2976	2908	Wine.pif	48
PID 2908 wrote to memory of 2976	2908	Wine.pif	48
PID 2908 wrote to memory of 1712	2908	Wine.pif	49
PID 2908 wrote to memory of 1712	2908	Wine.pif	49

C:\Users\Admin\AppData\Local\Temp\suhaag 1994 full movie mp4 download.exe
"C:\Users\Admin\AppData\Local\Temp\suhaag 1994 full movie mp4 download.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Globe Globe.bat & Globe.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 558007
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "StoneTakeMallOb" Realtor
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\System + ..\Am + ..\Folks + ..\Ser + ..\Visited + ..\Attitude + ..\Month + ..\Proportion + ..\Dining + ..\Function + ..\Request + ..\Wrapped + ..\Guitar + ..\Simply + ..\Reid + ..\Porno + ..\Outcome + ..\Patrick + ..\Molecules + ..\Locking + ..\Assignment + ..\Attention + ..\Porcelain + ..\Sql + ..\Jackets + ..\Boys + ..\Revised G
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\558007\Wine.pif
    Wine.pif G
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\558007\Wine.pif
      C:\Users\Admin\AppData\Local\Temp\558007\Wine.pif
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\Documents\iofolko5\1YMTUiJAgLT2aZlzw9v9EJ4U.exe
        
        C:\Users\Admin\Documents\iofolko5\1YMTUiJAgLT2aZlzw9v9EJ4U.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
    - - C:\Users\Admin\Documents\iofolko5\zcOfI4fSS7800ZhXZCf9KfoZ.exe
        
        C:\Users\Admin\Documents\iofolko5\zcOfI4fSS7800ZhXZCf9KfoZ.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:2868
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:1456
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:1052
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2024
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "RRTELIGS"
        6⤵
        Launches sc.exe
        
        PID:1828
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:2920
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:1864
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "RRTELIGS"
        6⤵
        Launches sc.exe
        
        PID:2140
    - - C:\Users\Admin\Documents\iofolko5\6gO7siZ_Pmwz8X2X39BY5k2v.exe
        
        C:\Users\Admin\Documents\iofolko5\6gO7siZ_Pmwz8X2X39BY5k2v.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2188
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2576
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:592
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHJKJKKKJJJ.exe"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\AdminHJKJKKKJJJ.exe
        
        "C:\Users\AdminHJKJKKKJJJ.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIDAAKEHJDH.exe"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\AdminIDAAKEHJDH.exe
        
        "C:\Users\AdminIDAAKEHJDH.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
    - - C:\Users\Admin\Documents\iofolko5\GAYkITooakqyo1HTV8XuOfbv.exe
        
        C:\Users\Admin\Documents\iofolko5\GAYkITooakqyo1HTV8XuOfbv.exe
        5⤵
        Executes dropped EXE
        
        PID:2976
    - - C:\Users\Admin\Documents\iofolko5\pRvDklPflUfSS2pHf2CpeZNr.exe
        
        C:\Users\Admin\Documents\iofolko5\pRvDklPflUfSS2pHf2CpeZNr.exe
        5⤵
        Executes dropped EXE
        
        PID:1712
    - - C:\Users\Admin\Documents\iofolko5\vvgAOugcQNx6BPkizvKFZ7xh.exe
        
        C:\Users\Admin\Documents\iofolko5\vvgAOugcQNx6BPkizvKFZ7xh.exe
        5⤵
        Executes dropped EXE
        
        PID:1632
    - - C:\Users\Admin\Documents\iofolko5\YbZZl8brBLAyTdIT5hLPlRp7.exe
        
        C:\Users\Admin\Documents\iofolko5\YbZZl8brBLAyTdIT5hLPlRp7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
    - - C:\Users\Admin\Documents\iofolko5\AUuafg41UCPcj4xo7GsZ5QX4.exe
        
        C:\Users\Admin\Documents\iofolko5\AUuafg41UCPcj4xo7GsZ5QX4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1624
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1640
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Users\Admin\Documents\iofolko5\SEs4SBF_4KskB6jUJQpxVtgi.exe
        
        C:\Users\Admin\Documents\iofolko5\SEs4SBF_4KskB6jUJQpxVtgi.exe
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2284
    - - C:\Users\Admin\Documents\iofolko5\azdWxigkcf8mCmpSlwZqkjD0.exe
        
        C:\Users\Admin\Documents\iofolko5\azdWxigkcf8mCmpSlwZqkjD0.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\is-P7277.tmp\azdWxigkcf8mCmpSlwZqkjD0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P7277.tmp\azdWxigkcf8mCmpSlwZqkjD0.tmp" /SL5="$801D2,2816939,56832,C:\Users\Admin\Documents\iofolko5\azdWxigkcf8mCmpSlwZqkjD0.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Nikko Video Compressor\videocompressor32-64.exe
        
        "C:\Users\Admin\AppData\Local\Nikko Video Compressor\videocompressor32-64.exe" -i
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
    - - C:\Users\Admin\Documents\iofolko5\NR1se2CHipovuI8NEimJdFQt.exe
        
        C:\Users\Admin\Documents\iofolko5\NR1se2CHipovuI8NEimJdFQt.exe
        5⤵
        Executes dropped EXE
        
        PID:836
    - - C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe
        
        C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
      - C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe
        
        "C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe"
        6⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
        
        C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe
        
        "C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe"
        7⤵
        
        PID:2144
    - - C:\Users\Admin\Documents\iofolko5\DZ9JO1d1x1SXzZ8Er08iFB9N.exe
        
        C:\Users\Admin\Documents\iofolko5\DZ9JO1d1x1SXzZ8Er08iFB9N.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        
        PID:860
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2496
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
1⤵
PID:2356
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2372
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1572
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:652
- - C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
    "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe"
    3⤵
    PID:2344
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:2032
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2472
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:928
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:2124
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:1384
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:308

C:\Windows\system32\taskeng.exe
taskeng.exe {F72E0A67-57A3-4288-A02B-9DD98310FF61} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
PID:1864
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FIIIIDGHJEBF\BKKKEG

Filesize
92KB

MD5
e155b11eaa9d52d9fea781a3c7a52c90

SHA1
02467076895b88c0e1f8cb202d5c3db9ea2f59ed

SHA256
c5179cda73c35bf9b7677fd9c5d0fe90a7ad0889e9cf8d6886efaadc8fe1b15b

SHA512
5d1e533b4d91b5a774df192df82028c6824579c30a968ea6c68b4b0a2586d172822a9788b0f5eb8dc5c739be313538908b5871bc11b78f9840f8919cfc52f9cf

Download Submit
C:\ProgramData\FIIIIDGHJEBF\JJDBAA

Filesize
6KB

MD5
ae0f44bbb0177b9f3afc8aaa2f9d3797

SHA1
1fa3bb553627559bcf7ab11f493bcf557ad58769

SHA256
9fd54a1552501fc5e929be00e55b2369659a62a41d5c6f0a050629604dbbf9e8

SHA512
b380384b40511ca48a141ea49d0c921c24296e608461b9e60d5f89d8931d50c4d1c5661f0ae1444357f64980adebbf3068877cddd77409080bffc53ad1ff7182

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
920e09f0d1ad0f403c428eb780fa5a40

SHA1
afcb3307a309e39fe690853b45d1c5434a76b251

SHA256
f1c41754badca9b4b5b843a3395cc4898291af7a32af0a62f2f75d3f84db2c63

SHA512
cc59b0167df26e6cc28f3a4e59d641201e3d3cc1a65651169fd801d07d3800fe760ce849172670da13998db47fbe95bdba38d8cfcbf916c2d18ba6a7b7836a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\558007\G

Filesize
1.9MB

MD5
4decdcbabf2fc63b605d4f70bcf5c4a5

SHA1
85e8649a6f5dd24da8ea04c07b1c138c7e65dc01

SHA256
6bd5bc21b89a5ee7d80c4add8e3819274d7102334cf783c2567ca29776e5b75d

SHA512
6d0880019d3da95a1062d49a863d7279b95db956f8ad8fa5a9bad5d9fd68be911c1f96e6a01644c63f0466fce1e020b0600a8ea8a35b04ccef4fa2ce71626666

Download Submit
C:\Users\Admin\AppData\Local\Temp\Am

Filesize
62KB

MD5
c0d79b71894f9b7f7f9b4cace960bc76

SHA1
20fb92a551a58615f9ea4c5a7d5bf0415de4f187

SHA256
a71b606c0ec01455daec7156703ba780549ca09d2ee67a39e5e808bab37a63ce

SHA512
46dbd965a3a7484fdd1e60cedf33f7e20b6b34dba928941b6033ebc7535c630e0e74f9b9763c9288cfcc694990836827fa5903ead1d62419aa520ff721def9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assignment

Filesize
77KB

MD5
eada81aacd0749b6eac89087b5ed0fbb

SHA1
830ec58d830cee1966f3b5a3b36652beeba35de0

SHA256
16f2cd91707d5bbb1df843768f050bc9379eb920b6178dae45540e3972411002

SHA512
4031f1d2a474de1f351a670d41c4da028a35ae94e96517be457259eaa2ed8c17e825d439ee2d63719ba65bf1d803fc01016e2befee267ee43de4d40f2e68e9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attention

Filesize
91KB

MD5
7a546d0c415b6c4999a6884ae448a2ec

SHA1
207017b9b7b36cafacc5d95dd4c8a9afa48f11b4

SHA256
a4ca2fd24b59df85549350e92611af1bcdc9f163d6c0a051a5f86697a9c91de4

SHA512
5b72bdfc4de120ac116c92174faba1ccd6f1ab9972ebe19ae3b1006d77c803ca32e497faf24522c99e9cb680f12b12c8c3815b41a791718e9dfa9b5273cf8820

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attitude

Filesize
93KB

MD5
48858db558ee806ad24dc948ec31aa81

SHA1
f27717c24e6b780c9f3e84d1ec4f1738341f7850

SHA256
076302e5fd93cd2bd888aee4531b09d5e43a2a0899c0a0bd0e9751bb36135db0

SHA512
52f2fc4a314a9dc581eaceaa1236b4c5ae029327dbebf9745fb854cfb6b5e71ed2673e2fb30f8ac996e432c038ab18a77f8c8d5d9f6bc25336cb59f78796f28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boys

Filesize
64KB

MD5
2384a6db212c5577b4b62c50ff78c1d7

SHA1
a1583211ac9e85c4bbf58f4d105bd0f9ddfc8059

SHA256
8f3b6bedc20fbac2fbd0e3463dba11b3f80fe49209ccbccc5e8a3fcde827571a

SHA512
0f67f39a3757164f4dc849808681470e123bcbee1e806eddec66b356f5d8e7310ca2932e62ddc432ff312b3f6acba29f95c411e76feeaf3f3c199a6ab055ace1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEE57.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dining

Filesize
55KB

MD5
90c5536396dc2d82b2c6740514a72a65

SHA1
af451fe0ed760337691cef20578fe5f1ae0584fd

SHA256
2775aad81cb283dd63fbe5167ab4cb1d6ad0bfa83f68f80976e92f61b12cf42f

SHA512
972624f8eccfc3f359aa564ce695765744c2911ca47cd0e0f1ce37dec828360faf060dca9ae0a0fd94d9e5fd2b99c0dee10670e897ebc5873dedf3544a4a12e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Finals

Filesize
866KB

MD5
2075e0ba395647d4a34ad08cd1f1dce7

SHA1
e25e2b8894ceed79eaa4a130211424c190ea5af7

SHA256
4be32474e7f00151fdf03246811ce23d600d1df60ee1d4299b9266b4fba75814

SHA512
e34b496d7c86c7426d0f0893d787f1c371fa249e6044cf0c4361a662214b1fdbe97175e4fec0865e4d8e7beb2c8de0c4730be13d860d1c8bd7e6274219002a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folks

Filesize
69KB

MD5
21417ca75e463df9bcbcaec67f151a89

SHA1
ac17dc365958ba8fb5c5ade19354fe17cf0ade57

SHA256
9f0c519ad9aec39685e2027b92a567321bae31e20c5e446718199a3a5dff6b34

SHA512
7404a0c2be28b451d15c4652abeac977c210224ad05ece189b5419ec5e90d651f69d145151e4849de060cd1522b6adcd3aed8a70c725e53fa0ecae9476bbe8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Function

Filesize
99KB

MD5
97a57f07b8e1ca4adb265299731329ab

SHA1
580f42307b0e819d5370900117fb5909f979a104

SHA256
bd2df475171f65653d9bdac24201563131ab12f7c406438c48fef717834dc99b

SHA512
65310b515d269735cd55deb4b96eca20ca9e781644a8c81ad673791f1a0ceef8044eddf40a0c797b8786623c9693c688de4d4378a2f6b24610aa2d6ce5ca8312

Download Submit
C:\Users\Admin\AppData\Local\Temp\Globe

Filesize
20KB

MD5
0070a139435cb49fead8e3336748b30e

SHA1
14b8a884a3263ac33382244c152c42511fbf054f

SHA256
d98ee9c8530250d54b826b05acee1686eced75293178fc282cedc9153aed77c1

SHA512
4c1a75e327125f59a80e32d20536300893145292e920b16b4e7f9519503b2e4aefc16ae14ec52cfeac389eec5c3b204187163f26bfe547c13cbf5dca0ca0b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guitar

Filesize
58KB

MD5
7b36d3e644ca6ffa9494875295fca054

SHA1
96e0f4f2d01db14997cb17a7c79d74c11aa788a1

SHA256
4649a27a45b5822549e8543ba4f27f07eb40c7a49eb86081b0691f2f96329ef7

SHA512
4b1190a24bf511bb0b031ce10a34d48581baf2d5e6688fa2f1abd43bde93845626b72a439cddc97efb6f8250a2c86fa96d8807170ad234e6aeeb2c65897c1910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jackets

Filesize
72KB

MD5
3a77b1c45dfcce3866aedf5ed100cb02

SHA1
f496beb465190fe0535bdcd040511d82c6d4650c

SHA256
72a038620011168ed2dbc1c6da0a24e8c2e8a42320f79f11c3fa4b091215ed3d

SHA512
110aa16566da012a94b03b6d2119ccb37c4a30447cae8124bbd836c8231dfd9573bff2647e0b66a6c7c2ed6ce257c3ef2eb08f51ce39ec3620957484ee639ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Locking

Filesize
80KB

MD5
384009312870b63717bce86f2f2b101d

SHA1
a514053a8c510f49dae03be63ea87a21acf12e97

SHA256
0da60a59bb29f2e479d1ce1d139f8b07a0a5b475b7aa05af53be1bd647f14a4e

SHA512
3a1c29cbcfd9e48c993adf29538978b70c8bf1f09117c2c8cd8c9e6d3abaa34ffc234b1bffca3de7f145bf276de054124a40761aad78bb4cdff799632ce90117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Molecules

Filesize
59KB

MD5
4727f825e421e385992c01abce29dc15

SHA1
412ca096bb12e7c41ac962e9aab6f47291ffd28e

SHA256
bef29412171000059b5309e155e771714e6e53ee6c2f3aa9ddc1e7f5855cd601

SHA512
0b5512e43d35241a9915412ebf9ceec8824f044a4079340bf09c1079e447d42559b723696c1c79b30672a150b5106e08246d442b9dbde725d60ccd56587f4ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Month

Filesize
56KB

MD5
6567a7485db06ef6edb3f1960d76ca5c

SHA1
5aa6d23e7f3222df891298643c0add509a735655

SHA256
de89697ea502b3cfe5688779d326ec7f4b1323cc5bff45f3935933aa2a050e24

SHA512
b51460f02c38ecc70f323a884b01881073b4591aea2b930f9c4091a21aa2d5668003f803f5363f1315802a44cd4624484b2c16f773fa855acfe302502f480b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Outcome

Filesize
59KB

MD5
64440adf7ef096468f1dbf0a26d018ca

SHA1
f4ee6db418370f1a420182ce9b82d7a3a47c9c8e

SHA256
ce9aab8189fb796547ef13e0ea9f2895cd60a67c71c1324b39bcbab64bdccc1b

SHA512
5294e08df0e06b06e4b9cb2670e04e7d60d152c9addbcdc593415a13a5669fc38d7b02c83d4357c51debe2ed6c2bf7b120c9f41e4bd068f3ef1a65bbcbed2230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patrick

Filesize
50KB

MD5
221eda88b806ce99db35216d726d1a16

SHA1
6fe6762dbe0f1db656287249e2406fb602c406a0

SHA256
1776d624ee82c1f59eba747bdbe6ebde1eaf4cde8eb8571db16a5a2a7f46f06c

SHA512
ace5bc1c96ab7b97362315aa3bcc43c77d2a5d127788b59073c75cba78788abe3777359134e25b28b32a605b4e00f068e6003e04a80b64b0dfb3207f688504ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Porcelain

Filesize
79KB

MD5
13ea9472ae365f4237ee13d1c80ed1e3

SHA1
d667571b91ad7cc76aa14adee6c2250f1cde3442

SHA256
234b87f1daf80440662d1c8946f41ec9146b12477344e9fe5e221812dd68e92f

SHA512
3830ca2fd1adc46d2b48da7f7bbc3cb8a881690c78035a12bfb526f22e5aeafd7e1640bb4e32a8335f3ede9bf6d3129c80bcbf223fc44371b62ba46106f3b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Porno

Filesize
50KB

MD5
474220af49cb1c9a16ff325ba8dbb4b5

SHA1
cdef63f0c63d3e889c85bc682baad48c769c6160

SHA256
fcdd0ed5d2b5f85e037b62d94cdaa56cda8f71b0e2aaac4c6b817b1180ab57b5

SHA512
3ac9a73f3934bc6550982ef9a77255d2e1a427d47c933c14524a2dbef4816f958f131b7c8a2208d5d2adc0a408dd89524d75a26e129003e4c4ed2f9cb61ae4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proportion

Filesize
94KB

MD5
bac6ce71bbee29e50abe0eac2ca7213e

SHA1
f0123024f34aaf5116bca5a53132adda254d3308

SHA256
f7909a3a3767b8d7914b29b638bde458316bf785978dd67a23dbcddb148a9531

SHA512
f210922aaf2527a9af4d4c80ee2f8b6ecdf05213dd9432a94ae44ec9775216d873d588699a3a295300a8a79a962bac51bcf32e205bc7e0a30f16b881a4d9b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\Realtor

Filesize
6KB

MD5
cd932975792cb6f81477cbe06d27f8f1

SHA1
a886f47373176f5fa4246c6735b5733d7fdc0e4c

SHA256
a11d42f685127c1ace0af1feb604671efe0ce6a2a959c5b3991a047465acd832

SHA512
efed6d9347f959e7e63934ffff82ea675365fc8e2fe840dbe026e69db4dea66b439c20f43012a23aa64b0a2d9f8ff7f4eaf4192f2cd33db8983695084daf878b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reid

Filesize
80KB

MD5
b8d07f1a1c8dce8bbcf89fdb06729ea1

SHA1
d8599567b0a6ab4c08c8b34c06c7aca6c5d2de7b

SHA256
e0ddf061b673f410c8c4ced4a8281510bc1046030c56e0b81b4bc273cf5dec1c

SHA512
a263bd37029f0eec9f07d3651744ea40323abfa96b667d70754d43e309becacf87621d7245979a6e0c3a5b73f29b0ebd863508ada1161b985474fa389e87ac77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Request

Filesize
89KB

MD5
2e80ef53a0163bf62b2e19ac9d27b07f

SHA1
eb76e5d6ae2763869a17253803665e3e0eeff35b

SHA256
473c497dda34300e05cab9bda94051f5a1fa7e54467dcec45cc299c1272646af

SHA512
89077d6ab505538fca368185e17b7cfa851c522efdd8428cffb72dc01bcb709f0b0f6ca52b7b6391a8346d8c3aa0e2c72a43efa8df9486b7004943ced35e47ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revised

Filesize
69KB

MD5
2a423c293451584663193634a98c61ef

SHA1
70a1666c18ee1908339b100946aee60303bd31bf

SHA256
4c1fe57a51fb33e305b78565cfdfecb113f83a1b44e676814367a5d886d42019

SHA512
1d6725449d70361fb7acbc6d2705bb0ab0fa295c2c49b32100608a57dd0c36b6b2086b933f63c36ad5a1532709fad096610b8184b3f876513ea3d35a8332a02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ser

Filesize
56KB

MD5
01106822cef92aacaf739870861f743d

SHA1
a91662dd5432c0ab4a4b6480329e85887dddb757

SHA256
1eb5ab7808747e0b288304caabc6719897dc44bd1fb4e6f1b1da6e0f7f01a77e

SHA512
1cc2b057624909475726bf3c9e8217be47bd8804600e12a58987282cda30008842fd1a1310535245b6cdb31474245f71e67875beacad68da3052d41ac97f49b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Simply

Filesize
58KB

MD5
357e1140d723a70ea332fc27855e6e59

SHA1
6be145291f0e0a3d8c8e28aa48ff856f5573a49b

SHA256
329682f328e45842241953db31821f7177f027ee48a603baeb8743f5c0ec609c

SHA512
2247d53f92ec517b9c71038526d4b5c84e6f4b5d33d6ac7ae1f71cfb51fcdb9835b64d111a9df34a3f2dd60137e6a833c19e26ba76221f989b0aef694692e4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sql

Filesize
50KB

MD5
90f06406bf8ff913bfdf6bf551e63edf

SHA1
ecd9f7e649e23ac5705065ecabb1e2813012cf3c

SHA256
8f589ec135538da8ec66fabfbdb1de0e830921b54517b48a09d950e794efc316

SHA512
6e91be5d0087425793764ca8aa8a9234c490b8cf9c0ec7187e497936ebd64f0123d97207b5e5a55aae9c082f65e564085d7c0154656420e2ba5527b61c2cc6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\System

Filesize
96KB

MD5
77063caca2726105dc85444cdcde7289

SHA1
016b0772e3e929d032680082da85793a76eb1848

SHA256
bb24a3dc7ad207d3b956f89b363530023d6746b965a3b6484427c573c0a26b5d

SHA512
b6c8fb7b6073bf0969a59df3516fe6b6e5b6f57b9d2034c0190d7a5f4f34836960ae35b64bf73c79247b9cf23ba91dba8a9d600536412daa71f829251cc57cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEEC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visited

Filesize
69KB

MD5
aae74cc24faae4e5074f6c56c92c118c

SHA1
3e823a793ad4495906803e1c67f1e58e5b9bf418

SHA256
b714a778ee7089f1ad2ee1756ec643c95295d45d0f1b7ff305e14b714c1cd322

SHA512
9f0c98e50fcadd8dcfd8fcdd0d43e0ce0a65893d572c0fcfa425213420821380292b958d25d97d1ad731dc1b47c5e3447b79eaaf293e547677dc0ce9374f4a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrapped

Filesize
73KB

MD5
1037252120ab67d635c10b410391b254

SHA1
f38daffe745a08a90a55a43fed626892ce87bf1f

SHA256
3b978162e85f6c86698da328364a2a98c900b21d47d0cdbb13f1b8e0024ebeee

SHA512
14bac6c6de414a58cf0fd752717a35931130e095c8c29f91e60f4641053f4ba9e2d6283fbdd796dd722fc7b2b46ef1e1e3e4ce07aaf85e356f12919791007d10

Download Submit
C:\Users\Admin\Documents\iofolko5\1YMTUiJAgLT2aZlzw9v9EJ4U.exe

Filesize
323KB

MD5
c61cc62b59b5959951d1158887b20b7b

SHA1
f9052b6c037887880dcedb4b267101aebf555a8a

SHA256
6702392e56414e5569fe81bbe157836f3fb2b96455d744126c77e7025ebd3b7b

SHA512
8aa4f569699bc38dbb58fb3d19beb65d6537f54dc5a2f8f38923d16c9355f1d21b28e0334d02e4ee681e477cabfff19c6e9cd448de320291050c6cc671bc19b0

Download Submit
C:\Users\Admin\Documents\iofolko5\6gO7siZ_Pmwz8X2X39BY5k2v.exe

Filesize
216KB

MD5
9a29528b1463ae389bd3e03e4e686a56

SHA1
0cefb61f8615c6ed5606360db20adecdedf4c59c

SHA256
a0add2ff01fd0b1c7a259a9b0f0bdee713a7edbbf12fa18820fc95a373254e3b

SHA512
34743dd19630de9802258476e6c9aacd14b7338c9e1c22c0369e759844b3248570b272c7edbc89079fe5eb8f375c7e2680e71f88ab5b8a4c01ba4d7ef116f9ae

Download Submit
C:\Users\Admin\Documents\iofolko5\AUuafg41UCPcj4xo7GsZ5QX4.exe

Filesize
352KB

MD5
d687af3b103399aa245807bb719878b7

SHA1
c3d45032bfd13c7dc75f08e55caba56d0a1d4a42

SHA256
cc7056857cec7d81101af02d79431f4e193090fef7d505d1970d4b2846f385b9

SHA512
8482b42fb16963bdcc6bce162f79f64e28bfa46977788df2044a7a0e805e67d44991c6ef24e1dd45643c7f69abc66deb257f23e7680b25da8c486dc5ba0ff978

Download Submit
C:\Users\Admin\Documents\iofolko5\DZ9JO1d1x1SXzZ8Er08iFB9N.exe

Filesize
6.4MB

MD5
b3c3b4845dd169c8bb97618de84330fc

SHA1
dbefee586896d7d55f2d3ac7604cfce81ccd3241

SHA256
ffd998746e12ce104bfc905c9e37dd671b866717db084a7c0b4d1d6d8607ae52

SHA512
71bce3581509f05c399008c1c6ad9043979e00cc887d2d95d08dd9be1ccda1157010e40125c30bb2eb8534fb0715b4e41d067d9f876701429061934ae727e3e8

Download Submit
C:\Users\Admin\Documents\iofolko5\GAYkITooakqyo1HTV8XuOfbv.exe

Filesize
21.4MB

MD5
cb3952f1852179348f8d2db91760d03b

SHA1
4d2c9d9b09226524868760263c873edc664456a9

SHA256
a9ea40670a686e175cc8c32e3fc6ba92505379303d6524f149022490a2dda181

SHA512
163006435a30b31ff0b079215efc0cedf6a624516af1ffccbc6144cfdb205b822029d523f28ec86e0391af1b741771b860cf4d3492c87567a55f541a39c69d11

Download Submit
C:\Users\Admin\Documents\iofolko5\NR1se2CHipovuI8NEimJdFQt.exe

Filesize
447KB

MD5
9b8f3ed26e3a00b86cdce7c4d89e576d

SHA1
b6afab419f6869e468a0c40b624595941c2d308c

SHA256
40df2b2bfe36a9954e3b4ee4a5aa089e166ea61da0d933f973a69b6f8245d16d

SHA512
586e3e0875ccc6f0bb8c60b7d887e80d9bcbce6e6e15e53715969d9460b52ea89374fcee4315284cfc557145f71527b0b0c71f40a343d1e72dd065ceb2f3f125

Download Submit
C:\Users\Admin\Documents\iofolko5\SEs4SBF_4KskB6jUJQpxVtgi.exe

Filesize
421KB

MD5
59f2f7f0cf8faf41dbb0a7878b5d66bb

SHA1
0a96781c3e937cd7c12a052242f4755ea3656297

SHA256
683391c9e997f8e960c52edb11106157fb4bf122d21a0a72fe6a9a14ebacf584

SHA512
f3c6bc3fe42dbf48bda944817718298c9e23b7b6c08d7ff3142dfbc82b9a5070090ba80ce8dad8bc7b99e334f888bad3b6109142b5dc063a5ef73883f2b87ccd

Download Submit
C:\Users\Admin\Documents\iofolko5\YbZZl8brBLAyTdIT5hLPlRp7.exe

Filesize
413KB

MD5
76b81bbaa929e92a0885267869e62fdf

SHA1
16ee3b53fd9d0fe6bd7fc75ac961a21bfd9fae51

SHA256
f59f82ea9cbaa95389bbec5f80b427daa2e575c2827eaaede006590810809f9c

SHA512
67d4fb8ed2c767871a307c54fddc86fa4df07ccfa943eeb61e6e8960c4038fb8a38118a69cbb7a6364dde6c11fd3139b8c5f91e029a437dad0d39202383ac3cd

Download Submit
C:\Users\Admin\Documents\iofolko5\azdWxigkcf8mCmpSlwZqkjD0.exe

Filesize
2.9MB

MD5
7b4edff2770fcb1177128a9985d02495

SHA1
9e406e801fa1c7e87d6c8cbdbf4c583ee80f36cf

SHA256
af900d9dda235bf8a4c20b724a3d79daf8b87cbe1acd4a93af348203a45cc33c

SHA512
cf353cc34796fa8c1d766cc4d030a5b23ca27ffb2b17b6681ba7de21ba2dc62d5d4570c7a639e2e1c7271be42a48cb298f23479870cac101a6cf77f236308ba8

Download Submit
C:\Users\Admin\Documents\iofolko5\pRvDklPflUfSS2pHf2CpeZNr.exe

Filesize
447KB

MD5
dd9983e56e44b300e97fbead17bbb8ec

SHA1
bcfc4f542d1824b23b5beefe94e8eaa9d487e037

SHA256
16c9a4debb518681ece83ec9f4eb3edfab08cc4231243db1949a64c80e017aa4

SHA512
02663157f5a109a122897fb0ac32eda38a9ed5d289b70ef1541e3ca800e02a41d471879e04d1bd59eb2110e4a0f8cd7851e3bacba04147ffa488997e8a100457

Download Submit
C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe

Filesize
4.1MB

MD5
abdbcc23bd8f767e671bac6d2ff60335

SHA1
18ca867c0502b353e9aad63553efd4eb4e25723f

SHA256
45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85

SHA512
67c00713e6d24d192c0f8e3e49fa146418faf72b2bb42c276ad560f08e39c68f4ab446c47c7e7710778aee9ca1f193ad65e061645b6bcec414844165b5e16bc7

Download Submit
C:\Users\Admin\Documents\iofolko5\paI6jT461sd6Qt0r5pIDWjO5.exe

Filesize
1.0MB

MD5
8c8af20bf6536903c1d042cebede6475

SHA1
8ef42abc3ad478f6d8c17691fe4cc1975ca43684

SHA256
b15bdb0a4d7f265cf4ed7c46668f4ca247347ca2ce4a7689cb8dbb25863f294a

SHA512
8f68e5302d07fb74dde0e42e0d370e1cb7c1d6b0372633fcfaab95cd1d12f9786c4e44e71b3cc98eeeb60ea10f54497773c3b4aa58afa5297fad93a3f11097e0

Download Submit
C:\Users\Admin\Documents\iofolko5\vvgAOugcQNx6BPkizvKFZ7xh.exe

Filesize
446KB

MD5
bf87a376305099cac2ea13ff482ba319

SHA1
8215ee2aed65897764ce557e4472092c6fb76636

SHA256
8a04951a8c70c63987bd25e462a98e589e36a2c8f5ce2816f9e5a0906687f031

SHA512
59bf9b99b3cb6e30749cdb66e93c42481a61b6a6ea7e21ac6a52e6701aabb55faf169dcc87c21eed1dafcaa72c09df38f64d2a1c7545207fd49409cde02bd8ff

Download Submit
C:\Users\Admin\Documents\iofolko5\zcOfI4fSS7800ZhXZCf9KfoZ.exe

Filesize
11.0MB

MD5
d60d266e8fbdbd7794653ecf2aba26ed

SHA1
469ed7d853d590e90f05bdf77af114b84c88de2c

SHA256
d4df1aba83289161d578336e1b7b6daf7269bb73acc92bd9dfa2c262ebc6c4d2

SHA512
80df5d568e34dfc086f546e8d076749e58a7230ed1aa33f3a5c9d966809becadc9922317095032d6e6a7ecdfbfbce02a72cc82513ab0d132c5ffa6c07682bd87

Download Submit
\Users\Admin\AppData\Local\Temp\558007\Wine.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/316-461-0x0000000001270000-0x00000000012D8000-memory.dmp

Filesize
416KB

Download
memory/816-744-0x0000000000ED0000-0x0000000000F38000-memory.dmp

Filesize
416KB

Download
memory/836-457-0x0000000002580000-0x0000000002680000-memory.dmp

Filesize
1024KB

Download
memory/1104-533-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1576-462-0x00000000009E0000-0x0000000000DF4000-memory.dmp

Filesize
4.1MB

Download
memory/1576-1003-0x0000000005970000-0x0000000005AEC000-memory.dmp

Filesize
1.5MB

Download
memory/1576-1004-0x00000000005F0000-0x0000000000612000-memory.dmp

Filesize
136KB

Download
memory/1624-460-0x0000000000E40000-0x0000000000E9C000-memory.dmp

Filesize
368KB

Download
memory/1632-450-0x00000000025B0000-0x00000000026B0000-memory.dmp

Filesize
1024KB

Download
memory/1712-448-0x0000000002560000-0x0000000002660000-memory.dmp

Filesize
1024KB

Download
memory/2144-1123-0x0000000001210000-0x000000000131C000-memory.dmp

Filesize
1.0MB

Download
memory/2188-464-0x0000000000C20000-0x0000000000C58000-memory.dmp

Filesize
224KB

Download
memory/2328-453-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2396-463-0x0000000000D50000-0x0000000000DA4000-memory.dmp

Filesize
336KB

Download
memory/2552-503-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2552-510-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2552-509-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-501-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2552-507-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2552-551-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2552-505-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2764-513-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-528-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-511-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-515-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-517-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-519-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-521-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-524-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2764-527-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2840-531-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2840-500-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2908-85-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-79-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-86-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-428-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-78-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-76-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-84-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-409-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-417-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-424-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-438-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-82-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-433-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-87-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-81-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-80-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-394-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-413-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-402-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-385-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-389-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-378-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-83-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-445-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-74-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-75-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-77-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-72-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2908-71-0x0000000000670000-0x0000000000851000-memory.dmp

Filesize
1.9MB

Download
memory/2976-418-0x000000013F530000-0x0000000140B3C000-memory.dmp

Filesize
22.0MB

Download
memory/3024-498-0x0000000003CB0000-0x0000000003F64000-memory.dmp

Filesize
2.7MB

Download
memory/3044-745-0x0000000001270000-0x00000000012D0000-memory.dmp

Filesize
384KB

Download