ctblocker | 4a0b83817f7e10ccaf4f73a8317c132fef767f646b5669e28d509c935910ef79

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fattura 00384788-0849838.pdf.exe
Size

867KB
MD5

921023d253b6dfac1eaabe38f3b36a45
SHA1

82ae601f2eb5202a5314feffb2a9bd07c5f33327
SHA256

a2deb60615b3bd20beeb9253547a41c0a970139bfb59d9f88854b8b61880ead1
SHA512

86229692b51a24e3f29aec482f6aca2109cf98031011a5bc71b756ee1417fe0200c179bde3adfd9dd72dcb5edd553abb98a5c6845b1c42d3e7672038fb7bc115
SSDEEP

24576:+XH+j3CgxpmJI+QhQ3r+HVqQUEHpGzOUPZ:Jj3CgxpNhN16EHpCx

Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware

Malware Config

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	uzllbbn.exe

Executes dropped EXE 4 IoCs

pid	Process
1628	uzllbbn.exe
640	uzllbbn.exe
2660	uzllbbn.exe
2724	uzllbbn.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	Fattura 00384788-0849838.pdf.exe
1900	Fattura 00384788-0849838.pdf.exe
1628	uzllbbn.exe
1628	uzllbbn.exe
2660	uzllbbn.exe
2660	uzllbbn.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g2_Letter 8.5 x 11 in 300 dpi.IMZ	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 3405 bl 4.ADO	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.id.as.filename.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\DuelOmmatidium.Jsg	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SequenceFrequency.mm	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25.svg	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Kiev	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ExampleXML2PDF.java	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\default_hash.js	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g2_Letter 8.5 x 11 in 300 dpi.IMZ	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PSNormalMap.hlsl	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\manifest.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level2.properties.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pass.png	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\16ps.png	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\P_AutoAlign_Interactive_87x38.png	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\49-sansserif.conf	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsResize.dll	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README_kn_IN.txt	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.generate.name.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\GMT+8	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README_kn_IN.txt	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\LoadLayers.exv	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level3.properties.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\brzphon.env	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.title.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warm Gray 11 bl 3.ADO	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CurveFitting.vbw	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\BMY brown 2.ADO	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\LICENSE_en_US.txt	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SequenceFrequency.mm	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\South_Georgia	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_ru.p5p	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f20.png	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\page.width.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\P_AutoAlign_Interactive_87x38.png	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.generate.name.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README-en	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\xslthl-config.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_3.png	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level2.properties.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 349 bl 1.ADO	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.separator.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.source.name.profile.enabled.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\default_hash.js	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\VsUntexturedInstanced.hlsl	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.use.hhk.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\root.properties.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\multiframe.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\xslthl-config.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\brzphon.env	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25.svg	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g1_1366 x 768 px 72 ppi.IMZ	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pcdrsound.p5m	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\49-sansserif.conf	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Ext-RKSJ-V	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.role.as.xrefstyle.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\page.width.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\variablelist.max.termlength.xml	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_ru.p5p	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.title.xml	uzllbbn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\zy______.pfm	uzllbbn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\manifest.xml	uzllbbn.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-rkxvmxi.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 1628 set thread context of 640	1628	uzllbbn.exe	34
PID 2660 set thread context of 2724	2660	uzllbbn.exe	39

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-rkxvmxi.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-rkxvmxi.bmp	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	Fattura 00384788-0849838.pdf.exe
File opened for modification	C:\Windows\	uzllbbn.exe
File opened for modification	C:\Windows\	uzllbbn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzllbbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzllbbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fattura 00384788-0849838.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fattura 00384788-0849838.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzllbbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzllbbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0004000000004ed7-79.dat	nsis_installer_1
behavioral1/files/0x0004000000004ed7-79.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1620	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	uzllbbn.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	uzllbbn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	uzllbbn.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c21bc464-69ed-11ef-8091-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c21bc464-69ed-11ef-8091-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f78f9d5e-69b5-11ef-ae46-ea7747d117e6}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00630032003100620063003400360034002d0036003900650064002d0031003100650066002d0038003000390031002d003800300036006500360066003600650036003900360033007d00000030002c007b00660037003800660039006400350065002d0036003900620035002d0031003100650066002d0061006500340036002d006500610037003700340037006400310031003700650036007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c21bc464-69ed-11ef-8091-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f78f9d5e-69b5-11ef-ae46-ea7747d117e6}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f78f9d5e-69b5-11ef-ae46-ea7747d117e6}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2876	Fattura 00384788-0849838.pdf.exe
640	uzllbbn.exe
640	uzllbbn.exe
640	uzllbbn.exe
640	uzllbbn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	uzllbbn.exe
Token: SeDebugPrivilege	640	uzllbbn.exe
Token: SeShutdownPrivilege	1176	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	uzllbbn.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2724	uzllbbn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	uzllbbn.exe
2724	uzllbbn.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1176	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 1900 wrote to memory of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 1900 wrote to memory of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 1900 wrote to memory of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 1900 wrote to memory of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 1900 wrote to memory of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 1900 wrote to memory of 2876	1900	Fattura 00384788-0849838.pdf.exe	31
PID 2656 wrote to memory of 1628	2656	taskeng.exe	33
PID 2656 wrote to memory of 1628	2656	taskeng.exe	33
PID 2656 wrote to memory of 1628	2656	taskeng.exe	33
PID 2656 wrote to memory of 1628	2656	taskeng.exe	33
PID 1628 wrote to memory of 640	1628	uzllbbn.exe	34
PID 1628 wrote to memory of 640	1628	uzllbbn.exe	34
PID 1628 wrote to memory of 640	1628	uzllbbn.exe	34
PID 1628 wrote to memory of 640	1628	uzllbbn.exe	34
PID 1628 wrote to memory of 640	1628	uzllbbn.exe	34
PID 1628 wrote to memory of 640	1628	uzllbbn.exe	34
PID 1628 wrote to memory of 640	1628	uzllbbn.exe	34
PID 640 wrote to memory of 612	640	uzllbbn.exe	9
PID 612 wrote to memory of 1524	612	svchost.exe	35
PID 612 wrote to memory of 1524	612	svchost.exe	35
PID 612 wrote to memory of 1524	612	svchost.exe	35
PID 640 wrote to memory of 1176	640	uzllbbn.exe	21
PID 640 wrote to memory of 1620	640	uzllbbn.exe	36
PID 640 wrote to memory of 1620	640	uzllbbn.exe	36
PID 640 wrote to memory of 1620	640	uzllbbn.exe	36
PID 640 wrote to memory of 1620	640	uzllbbn.exe	36
PID 640 wrote to memory of 2660	640	uzllbbn.exe	38
PID 640 wrote to memory of 2660	640	uzllbbn.exe	38
PID 640 wrote to memory of 2660	640	uzllbbn.exe	38
PID 640 wrote to memory of 2660	640	uzllbbn.exe	38
PID 2660 wrote to memory of 2724	2660	uzllbbn.exe	39
PID 2660 wrote to memory of 2724	2660	uzllbbn.exe	39
PID 2660 wrote to memory of 2724	2660	uzllbbn.exe	39
PID 2660 wrote to memory of 2724	2660	uzllbbn.exe	39
PID 2660 wrote to memory of 2724	2660	uzllbbn.exe	39
PID 2660 wrote to memory of 2724	2660	uzllbbn.exe	39
PID 2660 wrote to memory of 2724	2660	uzllbbn.exe	39

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:612
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1524

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1176
- C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-0849838.pdf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2876

C:\Windows\system32\taskeng.exe
taskeng.exe {A887D025-C3AF-4D4F-84EB-86C475578B48} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe
  C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe
    C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows all
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe
      "C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe" -u
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe" -u
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\vbhgljf

Filesize
654B

MD5
8b581c4c6301f503cceaad370e34895b

SHA1
a7bfb33d6dc47f2f82caa196bbcd96ce9acf0186

SHA256
63fabc31352a6b1dd5a9564d746e4a7799780e4d886b1a1023745f00a960bcf5

SHA512
373d17d1d115ddb701393a012e07b3cf1996d30e8bd641b10e1de45382ecd91c6d925ffab0dfcd6f01cf8369a094af55c0eb7653de29850d6f615b4637d28840

Download Submit
C:\ProgramData\Adobe\vbhgljf

Filesize
654B

MD5
ea72394a74059b6bacfb0d5ea0921044

SHA1
eb43b84b63b9371c584fb1b34bb1b039c71c68a4

SHA256
13107619cc9587bb8f662b307b88548d0876a59c65359601639957b941e56ea5

SHA512
41f60980256749135ac4a4ead8051a2bf404c91a56d5b93a547e5b142a1acb89de04c4986356c2238fbd68befec9d92c6ea60876bb5d5582c35c55a177ef5628

Download Submit
C:\ProgramData\Adobe\vbhgljf

Filesize
654B

MD5
2498197a9fe64fcc96b280cf3a7eaf54

SHA1
a4483354181ac924da60f4ec19ec1fd0c9fec1fe

SHA256
98e59ce665a4150f83d7253f90dffb8d2d9da6d7cf629341997e77e52754971b

SHA512
baee83f927052660d7d00ff52f1e457f224da539d960ba92436957609ae95f70ac677492ffc9d4f3f777c617f5a3d9c50739c750480efc80d1317b649dcb2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzllbbn.exe

Filesize
867KB

MD5
921023d253b6dfac1eaabe38f3b36a45

SHA1
82ae601f2eb5202a5314feffb2a9bd07c5f33327

SHA256
a2deb60615b3bd20beeb9253547a41c0a970139bfb59d9f88854b8b61880ead1

SHA512
86229692b51a24e3f29aec482f6aca2109cf98031011a5bc71b756ee1417fe0200c179bde3adfd9dd72dcb5edd553abb98a5c6845b1c42d3e7672038fb7bc115

Download Submit
C:\Users\Admin\AppData\Roaming\LICENSE_en_US.TXT

Filesize
1KB

MD5
3e707a35d921c574a3de3adc0c727aff

SHA1
2ff3b41dbdd2e353ea50b133c7c9e7258c8eb657

SHA256
72eaebf07c324ad197be6c1b12768b3e38e6879c169df41107273a0f7277c0d8

SHA512
939ff0f30d80c60153b100d2b27b8006a52e268d6b127e93ebb9d4a6034577f85b93af771fcd3c912a364a0590f01fe244541a593a9ae367db0611a9967e0de0

Download Submit
C:\Users\Admin\AppData\Roaming\README_kn_IN.TXT

Filesize
409B

MD5
ade6c65fd0eeb73a60e279fdc7da023b

SHA1
4af90b3176b51d1e70e5561e27a2a2fd2277edcb

SHA256
56c2ecc106829db1020d48fe49a4802a4ee24875a8a873fff86ff0c413a3e226

SHA512
6bce13814640b256b83fa54b9d8df0e34076734baaa090b9aa433eefff87324b6782dd36567ea1c231480714c15df30dafb0cc665ea8194c1ada2f956ec0b83e

Download Submit
C:\Users\Admin\AppData\Roaming\default_hash.JS

Filesize
136B

MD5
06a09bda9d5dd7dba611b2dd460d545e

SHA1
73946d0150e298464b8a55a107bb22be6368029c

SHA256
c062646586359c92950920a9e5a51bcec73afeb863dc01337a88adadc789f05e

SHA512
b104418ebc3eabf7a3d4aae3a23bdeea63d0118f56397e3763318397baa0b59ed5756a354a922c2c6206636ab761197e379e6fa5b4aa7cf2a60c24416a2ad459

Download Submit
C:\Users\Admin\AppData\Roaming\setup.ISS

Filesize
241B

MD5
698f513c0c9d50ac789cfbe4bde1b467

SHA1
122acd3c51b72fc2bf4dc556cac09f9e6c6445fa

SHA256
f19b204261a5524ed3f5204fbd01d91f06fe1b2181b2fa2c2c7629ccb4e54b16

SHA512
c2b5ef941d332d2faa780d044ee5fee6f59d7852e5b0a5974fa47c9b9f03c2b3d867423004eae788ac765f30dbe65bc3b71cd9b679b1ff5dee78eb8fc82f41fc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\16ps.png

Filesize
1KB

MD5
a1cbc0cf66e527e6f190fba76eb62c9c

SHA1
e58ae1da042d694e54c73c06e2c638cb80b08c35

SHA256
1db3153d2c1b66a5aa3c5c8ee0a2f0d8adf71990ffd2da63ce9c7c2908458927

SHA512
526a17742a1bea14e3da20ad077af8c47df9b6c05e081068b86a834b30d990fc904daf9fbad34ffc6804caee544c141ff39fa01efe5fb0c26d8ca586439405c9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25.svg

Filesize
1KB

MD5
81608b503510aaff28c4fc9af1a34aef

SHA1
ccaa75d99467f04f48a7ccb3e4a228039782ff1b

SHA256
c5bec41cf09f196558dd562dc223fade4c6de35cb01846dc7decb7a9db4e13df

SHA512
4ea78e56e017ec2a0be2e10e5401c54a27813c55c17eb888e9283e7b95160d45a82562aa1353dba3058a751febcb4f5e1fe6132cd50b2609d25c53cf236b831d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\49-sansserif.conf

Filesize
545B

MD5
22278b0b48e5864d9c7fcbc178da0db3

SHA1
fe066f8153c5e679ef711500bb213f691fe4b373

SHA256
ac32c6de350ff1c7945c31bf55eb89aa00c2198f65c92f89479f552dbce82090

SHA512
137d5fa18c5dc87701d35c53979a7e8c9993bfa0a50a2e6fdec3138d9e17f66255317191ceb918be1fb64354fd101a01c6864b8507d0291c6bd2508c752f69e2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\BMY brown 2.ADO

Filesize
524B

MD5
8d63f0f3af0cd205c4051221f3fbbe3e

SHA1
e214a245412a2db759ce11457de927a81252463c

SHA256
3b5723d413242c064941312f3e94c1910d1f7bacd8ebf9fe79350312b26869db

SHA512
1deda57d4cb87a8893bd7604847b4cf9be2f17facab5e906f29d1764afa0b51469d5859bd11c1ec498fd578c8a6b8104721bf07d148f12b80cf709581e24d3a4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Bosun.mNa

Filesize
654KB

MD5
baa090e806e9638e901fdcfbcbe80578

SHA1
4fa41a30bb7afc2a2426a462d6c5949e9d7c6d84

SHA256
28143daded82e3ff63a4817c41673edd0b238df525f318522d3fcff17a11c556

SHA512
e0555c92f8be5aaee2aba54d48d0a07f90921206c80b523a48afc701d7f72eba3a171b0b445e4f45d6a25ad3166100f8845904c75e927a20b30d1f01df74c078

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ExampleXML2PDF.java

Filesize
3KB

MD5
1797b7c85905a97136e81974112b69bd

SHA1
16697c2197f56a56039b0cdb6be541e6f8862193

SHA256
89e2920f8db4cca778fdfb791679dc41384d23ca1f259864a7e44c6344111f11

SHA512
b69bf8a847d6db98c4b9e9eea31729b02b48f846523e55e712104dc83663d523b2ca4be0975487e7c1e9075721d3c41f5677eb3ec1285a95271a2135be67c52e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Ext-RKSJ-V

Filesize
3KB

MD5
5f801547f79019d60fc68319b1f049b4

SHA1
4d525d254adbe2187b4543c5c92d5c01a61885cc

SHA256
90e9fc4efe897e08e4a6182c4a077e3303ca0c132ac2199ce1a5473ba91b3205

SHA512
f49a801bb62c22f95d4e52ee74fdd1dab2020839c5c10c21afbd0a9b9f1a7b6e34ba026ea5b9f504f60af3feb1e2a6c5cdfa2d926addd4b65ffdd01708f3b6d2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\GMT+8

Filesize
27B

MD5
f49040ffcebf951b752c194a42ed775e

SHA1
4632642740c1db115843409f0bc32b9ca8d834d7

SHA256
7422b2a82603f03d711b7ac7a9bebe5d1e4d9307cd283ce3d2714af46362f934

SHA512
f7be16b8418f2d57132ccd6b65f40296c80aa2d34634dee839eb2b50c45cb511db1135f8816956bfa90f4f0ca298909adf70787cd8c9e30c894e836f32ef5ed6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Kiev

Filesize
1KB

MD5
f1c5a57db16550a06c987a494100ca51

SHA1
4b92e61eeeb34a22b34d495026a1b8e0c1c2c5be

SHA256
327c3f09ea88412ba21341a3ae7fa79ad968f6ce0da6de29f5050433442de193

SHA512
c0cafdc30fb780918f58a8d0d5348bcf235a8a644b0df44cff16f85a87472aaa5ecbcea2dcd3c7fa92df3bafcd01a1e5cc9833f3f7fa2bdf14429a802c038049

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\LICENSE_en_US.txt

Filesize
2KB

MD5
00d7ffb88aeb3f3fa5ae3178591139ef

SHA1
b5edc99a205912d98207c1314d696dfe48192118

SHA256
f8dfac00ca2636f16dbb824c1626a607308bb582356fb736d1ee3f5f2656d861

SHA512
03e9df7a1cd6b214b03830b184bf0e7c0abb48da36a184402f2bb3590991bb027cff95cc8751d83cb5c7f7fcddc6969e746056a307d30cfc9fe937010f9a4fa7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\LoadLayers.exv

Filesize
2KB

MD5
d90c5a1ad9ce483d781210199d7a7f88

SHA1
950f223cc9240a0a5b4957bb04b485165bd5b524

SHA256
8bdc2217774cd4020407a6aef6133418d60eae8c6d490ba5be7b7de408f38b01

SHA512
9783099e6f854584d8f36456f5221eead8a878b40fc116f09a470deb6034402807b12e91de9e84bcdd59ed89b3b91602095746d8ba3463b2657160f214a5c1cb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\P_AutoAlign_Interactive_87x38.png

Filesize
3KB

MD5
295fcfb5c30022f388804aeed50a3c41

SHA1
96c2f1b925aa12224c97edc4c9ffdd9f9759d8ed

SHA256
4cfc1dcf51bc4604d352adc3ee0aa9fde3525ef3ad70ca98f0d0afead72a7ed3

SHA512
4a14fdd9fa9e6444e88bdf4475ecffc13691fed5c60594c2c4d2a9d4f9b241d27e4cda05395a80943b10bd9007953316ca7cd0a47f4ccda0cef83a7b7ecd46ae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SequenceFrequency.mm

Filesize
2KB

MD5
1e585d1f86a617d79a06e55e047e992f

SHA1
6b72de0a0bd112e9d38812b7b66f9c34a446038e

SHA256
c64eece461357e0478ddb1e600b6ffbd9cb298d041324c6a2b090663785ac461

SHA512
0da54ee1980c2b09ebfa6e097e334d7cd8eeaf2668e0c7cb9db361c0d934ae89a3757f96a2fb1082be17b36ef8928cf0fdaf677e7809b2725ee4abd519262669

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\South_Georgia

Filesize
27B

MD5
e256eccde666f27e69199b07497437b2

SHA1
b2912c99ee4dff27ab1e3e897a31fc8f0cfcf5d7

SHA256
9e971632a3e9860a15af04efec3a9d5af9e7220cd4a731c3d9262d00670496a5

SHA512
460a225678c59a0259edef0c2868a45140ce139a394a00f07245cc1c542b4a74ff6fe36248f2fccc91a30d0a1d59d4ebcc497d6d3c31afad39934463f0496ee4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Sydney

Filesize
1KB

MD5
59ed5f6750d92fa1622ff114c38e7bd6

SHA1
cf0e688d677fed17411f24dc26069e087dac8722

SHA256
2240e44b8c1b3518ee8e6df2cc3a8b358c5f49fdbc361bfb47ded8dbcc689c98

SHA512
60b667cf14478f0fe091f72533d9537e2d06ece221130048c3631b1af17db6d691c31ebbde8ae0769685cfbb46b9cc8c6c7e0467ce5b0996ef6d0520f0fba442

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\VsUntexturedInstanced.hlsl

Filesize
1017B

MD5
73a1cbc804fb45864705b89fa0538d59

SHA1
a5f2580e20ebeb55002a1e8647a1ca77f46854c3

SHA256
6f019564983449af24e2d8c13f541cf01ac0d5ea83ad8aa3c03b2db721593061

SHA512
11018b561c352675d58bf0f7d84de5134d2a94251747f8762e791cfcab76a67d6271589e691d324b7438be4526424ec1b418ac21f69cbf28e47db6bb0ced928e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warm Gray 11 bl 3.ADO

Filesize
524B

MD5
3cfe31d5eaedf4bd40092fc02106d6a4

SHA1
cb60aab5f4e05ad35e2e26d963b84f5bfb0bfe9a

SHA256
ddfc65799a5e931f389bd3bf730d9ffe83dd16c30dd361e80731601ede0a7124

SHA512
8ddec8cf122a55313beaf421c93cea287b1556760944a348b4dad799a5a400e095c54c59e13ea0f603fb5f524f74a0382b462327b4bdc8f73d000ddd1ebbed88

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Windows.act

Filesize
768B

MD5
bdf11c39dd33b0f1ae86357ceae6843a

SHA1
6cc6e8a3ccd4eb8e204caff9fe66f7515b315b51

SHA256
a15e9392b2f59d20b29227282ab7c50ccd4623d5492a832b888ee23003de75cc

SHA512
e2d51666e13f76a44d630531b838724f758d426f0d102a2ef193760b8e4bbd0869e1cebd4f09171011754418f20047bfa10d30fac38cb454abd10fcee33f1655

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\brzphon.env

Filesize
3KB

MD5
383a7041d62a079cabc6804322663f6d

SHA1
3706a41e90691c138cac3a67e4d47af3757e89cf

SHA256
e88f27a4940ed4a45f1ad1482329537e352abbce2b7451ac41952d39ca3ef1c9

SHA512
21c73ba72f4102598be883ccf7a064c2057e4953e075d8b9007ad59a934ff8692a2efe915963458231a33657614432494cefd3b9e6026bbf14880ad737b277da

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\f20.png

Filesize
1KB

MD5
72f5b12d2ab2a90bdde706421d348a2b

SHA1
29047ae77e8311fd9f248e314eedfed463af68a4

SHA256
2c6380476304086e7fe8ef898df2895056970b178cb29d50ebfa8e1039f4eb5b

SHA512
07f286c7c238f1468eef39810d6b4fe435240845f94f57a8008d0d1c041dfa3b688c810208e0cdf6e80a28c227abdbe09b8d5f4df10d4f3afbad3e903f63957c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g1_1366 x 768 px 72 ppi.IMZ

Filesize
46B

MD5
e04a78e9692c944ac6b5b9435ac2d4b4

SHA1
666cad58284692a169d436eb7b639f2cb4cfa881

SHA256
52c130792c694a3ceacc73a1e3ab9ee5cfd41bdb06823823a94be762ef802ac1

SHA512
3093d25f6956c1acdaa55be7c8b2d53e056b4c73cb80c399d6287a896dcdb7cfe0056d79c93a710f1092cf4209c963cfb721b04825de1326ab135b834ea37bd1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\g2_Letter 8.5 x 11 in 300 dpi.IMZ

Filesize
46B

MD5
633d34ead61d11ef8028e7ae3f22f062

SHA1
964f641288254491cf203ad9966e145ae04750af

SHA256
2798675ce2702d03c99a831e3794f40d08271ccf74856383c41601aa0dd6f502

SHA512
65dfbd479b5eb7294899d503440997172e0fc00754e12caf56a26cbd58fa5502351abd8a1970ac132ad3ca55982dec3a231acfd0031232246386dc484c8e5956

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 3405 bl 4.ADO

Filesize
524B

MD5
8c4915fd9ae4038a89aae7907e27b841

SHA1
632b6276161799556d88b863768ed6b68a9b6237

SHA256
ac62d53f68d8bd4ad1d69af7b1a642d3ea73533d6200ad1d0cb8df40f6f77bd3

SHA512
7f350656e0fb91a7b02a33a67771778e48ad973c3911b1a0454f538adfbff8db80feaec5c5a16ed32bc49ce4c55ae58bba0381741c686795942efe0f1e0bef41

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\green 349 bl 1.ADO

Filesize
524B

MD5
1289782651c9af159c54bd25c344a26e

SHA1
5ff702833f8e0b9b2bc066d7de9e9d3885984135

SHA256
82020a2103aa444d0b44638ee2666fa3f077af7b5dda85433607d871d103fc39

SHA512
afe7c5e2df5643fec0c486c7efd9b8a440d2ac9631b70369e35b14561995ca91151c1859ef2d49e20621652cf38f024ea94898ff4c2b258380f5a92613a3df51

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.title.xml

Filesize
937B

MD5
eb3cf4a16f7d5ba110213a4fc8eaec2c

SHA1
e5561a60f4aa14a92730d10245cd625063320814

SHA256
56f0bd0419454ac218d7dfee67ebd9abf96495d95785ea1dd0d925a847c6134f

SHA512
e151c83bcd4dbbd5b122974d34cc004e74812d5590047da1bea15f0960b4695839e25196ace36d4b3bb86b8b53250c76858c025b78bc54f03601e7638873d682

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.use.hhk.xml

Filesize
1KB

MD5
212c601ec04c872a7ad691a619057e59

SHA1
9ca49b45817d6aec0ae19497dc926411ca478b36

SHA256
8f38b404a14d0d0c4420f8af95cc70466495c0ce867da0408261fc266bc7e0d0

SHA512
f94887811478f3d04f16d94b5cb319eee4ec483059d1c9f4859feab59846b6e61a5c9c49514517985825b48b321a75390af2b81946ac87b5638998ceb3fcc056

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_3.png

Filesize
1KB

MD5
fc85c26ecd9249354441417f6da6f14f

SHA1
68e1f48294fa1502ee8c41577f1b845cf73497f8

SHA256
4a2755378a7f529311806b2fec26ab149f01221dcc3ae61460b43825323e8587

SHA512
ec344fb2cb47b0a178d5541b0c9bf429cec197624a101275496415f6a1e780b3af0993134829bd0b9929bc9dbf8f17b169078aac071f9d73235f7ea4fc2f6b33

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\manifest.xml

Filesize
988B

MD5
c3ad825146db97ed0361f03bfdc013b6

SHA1
586ace1f37272a909445e845c0199125da64e63c

SHA256
20f49e604c474b22df60237e9ca35ff4841f3da254df1c8063b1608a890d7dc5

SHA512
e793e583fddc448c228634524f3fe64808a3cc1e9f7dd9343f20a0a16ed96bb82aadaf22d81ec30aa55c744487e89208231123607d590d6157e741fa44e272f0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\page.width.xml

Filesize
1KB

MD5
3e9c5adb1a6888e7aaafa813ff3f7f6c

SHA1
7a7e3ef15f9318513d8b61d8a8d7d2951b4b326f

SHA256
a5d7e99658f9ee81da1a1c6386c1a9df1a2b5a73fa0eac3490e4b2d07a38857f

SHA512
8c9cf78b9e44cc2bb26c498c648c7b0c679b5ccffa9a53d28b8b45782a47dd44a8832c72d984e29b6380808fbb70b4b7a796f43e30cb4881cfdf4669ff0d8ec1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pass.png

Filesize
4KB

MD5
e98c394bbb167dadfaf5730434311db8

SHA1
da8700c14557e046efc3ccb1149d097b8328719e

SHA256
987e1548b25af83905ba12a5b8ccf4be56d667c00c3847b9f44706007841da7d

SHA512
53ce8f76e96351c9388d6dc11acb9717ca80d243068026c03d0b09b7998d897d26594a3d537f55881189dc2838ba04da5cbb0c9132d9ad7992652ace77c71370

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level2.properties.xml

Filesize
1KB

MD5
85a98e83294c06904bdc35807eb37683

SHA1
c4718cf1ad269584a7a763454d16df99747c11c5

SHA256
8f79032a7554d1042b03749dc6cf949b1a5d5ee6794bb9131e0bd345faf42e2f

SHA512
9a7f961576767fa352a29e77fc6ded87b6c7590827359f6832c4924340cbf50ba47e0bcbb73cbdee5d4f68e62c82d6ba86adeada3fec7a3687f27283eb3f77ab

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\qanda.title.level3.properties.xml

Filesize
1KB

MD5
bd1bc2932a54fb5d0af6ed6ed5ada5f8

SHA1
015a657ccdb4d729a09ed13030119e31d8ef6bd3

SHA256
eae13222d4ec9dee48885b2d5f317fcb035eb1b7bc4657e8accd1b6c311f7287

SHA512
d37c5f1ac80e5aa34100ad3c0f497562eecee7c1edadf683f847d060a8e7bde10fbd59d5eea639a71fe30d316a378777882b3d0520d45f705badc0f4acf50c2c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.generate.name.xml

Filesize
1KB

MD5
349dcc9e0ac7dfe9ee6c8afb9637db5d

SHA1
58ccf637d47dfe6c5c17c7d914ddf60aafe86cc3

SHA256
169612731b1e8ec5d2ec3cc549d9fddef45af18b2c1f89a3b23ed08f23012ba0

SHA512
42cbd2089e8eab2093dc408c1ab117697abfefd741f34480323ee07d672c7672587f755e87d00b1941ec9c1a5a5143970739f78eb57d3819da013cd5a1caf6ec

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.separator.xml

Filesize
942B

MD5
fc55c7ac5eeff5aac35ecc99076da2b5

SHA1
1da605bdc22ab617f30ccd94f10edef3dddb2167

SHA256
efd53017d472ec0550417fbba9f2b714d1a8e8c53da0e842d5b0f9ce000d2f45

SHA512
39495fcec1e1c5b35b2f1c9bd040fa14202257192c148bd6042def426c7e3468536d02b21df5d1fe3c96cae1c6da2844e24198afd1d1e38a61cb04da2bcdbb6e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.source.name.profile.enabled.xml

Filesize
1KB

MD5
0e6ed3dda1b1b189c3d71e7c4866049f

SHA1
19d18d2d447c69e37356ea9d5850883c7460ab4d

SHA256
40d05b5209a17ffb3aba2e2dd13c3342b44b7a1b5c5c2562309a716040594c14

SHA512
c5592132a232a413cb4ea7299c1dc4d76b338272c582d52c3a4c8f6bc776213706bc71ce63ec0c2845b2e8ded55d1b79ae6dc25a6e1bcc70454ef7640172766e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\root.properties.xml

Filesize
1KB

MD5
214e467af3f5fcbd989673843b9839ec

SHA1
1c508212bdaa4afcbdf8eced6c94e79043505263

SHA256
8f630944991fa6f5ef473fb922bf8478f454da639a339aca464aec744953ec2f

SHA512
dcf7369f9be7bd58bfd2bf71796dc3609d7f58a7507e5f6c7a1b14b2ddba1478eba0b6da4307ffdf9f8b72e72bf20ca40c1cf5a591a9946a3b002ee7090af57c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\slvphon.env

Filesize
4KB

MD5
41558725fcbbc23f7cd079e3b4bc0a0e

SHA1
555d832850d1f1133b8591131ac360ce684d07fc

SHA256
1440cdcb9bf73c19e4187b049a8bba9f6c399babe029215e373b0c96fcab2ee2

SHA512
ff638f21b614a8769aead543b5e48c965f4b6bd00326968d0afa30d7316c609faf19bcfa6fa97619e4bf0ac0b5cec61e2f0f715b32f6f628278297cccad9204c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tweakBIOSDriversFirmwareUpdate_ru.p5p

Filesize
963B

MD5
53a00965d8a59418bc5ec45a6019fc12

SHA1
b172477f9b3b6dc9c65608f772ffc3c4686191f0

SHA256
15c3586e2ab722251f06d00574e168f44c39f72b061e61a3e0185bc7663739d6

SHA512
c1aa559cb25c35f0f33ae0cf4575bf0b2d83c2b3d217be81a5ba5ea4f8df587e109abef0c6ff596a9a6741d2f7fe076a2e36e68c8ab1f8aed13f37e85ed6c461

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\use.id.as.filename.xml

Filesize
992B

MD5
e7fdc5c71842ad912db2da98240ce82e

SHA1
5e603c31454c65c6652baf31dcb0a1cc2f8aba30

SHA256
d47d6b8a47a45b84474c4fa42448d16bf3eae5a212795aedc56e69e0d48ce09d

SHA512
ed281a69b7a8e77c97f101f3788cf0bc209d31e1390b8657f72bd72308df8fdf831204646f525381d57d2f2ce2b2bf3426c9b8af633215f59600b708961e498a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\variablelist.max.termlength.xml

Filesize
1KB

MD5
9448239c70925767117a7c39cbc54cea

SHA1
88647080b87e149b4079853bfc72c33ddc859136

SHA256
d93b3cd7955eb161d7e7532f9278dca8845628a929fe76fe2b69e60d77e64433

SHA512
f64ca7f0d626cf03d4011a9e3a43d2ac4e8e71b23a5e5a9b40f2bddc5c2e140ca593035b00a55ee2dd5d213e4d0077ea1da0c8cdb01a1d88dac7a5c8c204a829

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\xslthl-config.xml

Filesize
1KB

MD5
c64c7a25b6c62422f6b4653f4f6174c2

SHA1
787cb46096be939b0c913564590ad9da38c502d4

SHA256
2839673abc0eac4ebd829d6db25ca91f7d86244abced98f72acc2e1e7618a354

SHA512
f7bff4b9aab4c282f59168081d8d64bb5d08773190229deb316994b1a76939d05cbce893c8ea7fc6fb7c7863271d38f1b529e9e958038d796e77262acbea6c7d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\zy______.pfm

Filesize
684B

MD5
7d3be2ec810fa01a9ea7d2a26551cff7

SHA1
7962465ce36a83666fe7a3edcb31e125ed597e93

SHA256
1a5660f3f8bb9d18fd6a710d70af26cf1e167fe040d7daf3ce41e527236e1fec

SHA512
cd4ba616364f37aa8294c9a2a6b64ed3cf0b011cfcffa9056295b5fc23348c2b3cfa96a25954c6dc472053daa1f9f4b08176a515c95abab6ffd7077deb8d7959

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC4F5.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\NsResize.dll

Filesize
60KB

MD5
9c655b0c142db0494026c1ebb1b3923f

SHA1
2dbebe42968e78200688e40ab5b8d25bf8e0b4df

SHA256
ef2d114896f07fc20aed5c3045754de0103813aa31bedb188262cec6fb3263dd

SHA512
51d7efab18f6909daf61534befa2e20eec437c24114f7c21b383004806d4b8869dc12395a972965c89dbeb66fe0282833207b5aa93ec7f085ca7054d0a0d9f1d

Download Submit
memory/612-171-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-165-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-162-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-163-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-169-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-166-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-173-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-176-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-177-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/612-1407-0x0000000000560000-0x00000000005D7000-memory.dmp

Filesize
476KB

Download
memory/640-159-0x0000000000860000-0x0000000000AAB000-memory.dmp

Filesize
2.3MB

Download
memory/640-1430-0x0000000000860000-0x0000000000AAB000-memory.dmp

Filesize
2.3MB

Download
memory/640-1419-0x0000000000860000-0x0000000000AAB000-memory.dmp

Filesize
2.3MB

Download
memory/640-150-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1628-143-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1900-62-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2724-1555-0x0000000000940000-0x0000000000B8B000-memory.dmp

Filesize
2.3MB

Download
memory/2724-1554-0x0000000000940000-0x0000000000B8B000-memory.dmp

Filesize
2.3MB

Download
memory/2876-65-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2876-71-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2876-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-67-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2876-77-0x0000000000990000-0x0000000000BDB000-memory.dmp

Filesize
2.3MB

Download
memory/2876-74-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/2876-75-0x0000000000770000-0x000000000098A000-memory.dmp

Filesize
2.1MB

Download
memory/2876-76-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download