clop | acc68337ea679a47248a05b92f5e766f2a7899d023b455f13159e66afce27402

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

clop lumma phorphiex redline risepro vidar 1a72eb06939ea478753d5c4df4b2bd32 credential_access discovery evasion execution infostealer loader persistence ransomware spyware stealer trojan worm

Malware Config

Extracted

Family

lumma

185.99.133.246

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3BiS1jaRpWtkqtfZGp9f1rXXts5DyUkaBX

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
0t6rv5xwbh
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

risepro

3.36.173.8:50500

Extracted

Family

vidar

Version

10.6

Botnet

1a72eb06939ea478753d5c4df4b2bd32

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Signatures

Clop family
clop

Detect Lumma Stealer payload V2 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe	family_lumma_V2

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe	family_lumma_v4

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/928-752-0x00000000038A0000-0x0000000003AE3000-memory.dmp	family_vidar_v7
behavioral1/memory/928-753-0x00000000038A0000-0x0000000003AE3000-memory.dmp	family_vidar_v7
behavioral1/memory/928-751-0x00000000038A0000-0x0000000003AE3000-memory.dmp	family_vidar_v7
behavioral1/memory/928-789-0x00000000038A0000-0x0000000003AE3000-memory.dmp	family_vidar_v7
behavioral1/memory/928-788-0x00000000038A0000-0x0000000003AE3000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

sysklnorbcv.exesysppvrdnvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\t2.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1020-598-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1020-591-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1020-597-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1020-593-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1020-596-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Redline family
redline
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Risepro family
risepro
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Earl.pif

description pid process target process

PID 2244 created 1208 2244 Earl.pif Explorer.EXE
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

description	pid	process	target process
PID 2244 created 1208	2244	Earl.pif	Explorer.EXE

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysklnorbcv.exesysppvrdnvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

clop
Ransomware discovered in early 2019 which has been actively developed since release.
ransomware clop
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2856 powershell.exe
2584 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2856	powershell.exe
2584	powershell.exe

Drops startup file 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url	cmd.exe

Executes dropped EXE 26 IoCs

Processes:

Ndlvxzd.execrypted.exeLukeJazz.exet2.exeUl.pifsysklnorbcv.exeNdlvxzd.exeUl.pifXworm%20V5.6.exetdrpload.exesysppvrdnvs.exebuild3.exebuild3.exe13658670.exe13658670.exelummaforlife.exePharmaciesDetection.exeBuyer.pifmstsca.exemstsca.exe2304021696.exe2304021696.exe209103337.exe209103337.exeVidsUsername.exeEarl.pif

pid	process
1300	Ndlvxzd.exe
1372	crypted.exe
2176	LukeJazz.exe
2580	t2.exe
2340	Ul.pif
2168	sysklnorbcv.exe
1020	Ndlvxzd.exe
1356	Ul.pif
2080	Xworm%20V5.6.exe
2816	tdrpload.exe
2356	sysppvrdnvs.exe
888	build3.exe
1592	build3.exe
2872	13658670.exe
2648	13658670.exe
856	lummaforlife.exe
2700	PharmaciesDetection.exe
928	Buyer.pif
1572	mstsca.exe
2544	mstsca.exe
988	2304021696.exe
2496	2304021696.exe
1912	209103337.exe
2540	209103337.exe
1608	VidsUsername.exe
2244	Earl.pif

Loads dropped DLL 28 IoCs

Processes:

4363463463464363463463463.execmd.exeUl.pifNdlvxzd.exebuild3.exesysklnorbcv.execmd.exeVidsUsername.execmd.exe

pid	process
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
2632	cmd.exe
2340	Ul.pif
1300	Ndlvxzd.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
888	build3.exe
2168	sysklnorbcv.exe
2168	sysklnorbcv.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1696	4363463463464363463463463.exe
1960	cmd.exe
2168	sysklnorbcv.exe
2168	sysklnorbcv.exe
2168	sysklnorbcv.exe
2168	sysklnorbcv.exe
1696	4363463463464363463463463.exe
1608	VidsUsername.exe
2992	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysppvrdnvs.exesysklnorbcv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysklnorbcv.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

t2.exeNdlvxzd.exetdrpload.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	t2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qolio = "\"C:\\Users\\Admin\\AppData\\Roaming\\Izkzqdwlb\\Qolio.exe\""	Ndlvxzd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	tdrpload.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

10 bitbucket.org
12 bitbucket.org
17 raw.githubusercontent.com
18 raw.githubusercontent.com
105 bitbucket.org
106 bitbucket.org
Enumerates processes with tasklist 1 TTPs 6 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1076 tasklist.exe
2340 tasklist.exe
1688 tasklist.exe
2632 tasklist.exe
3004 tasklist.exe
2220 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

crypted.exe

pid process

1372 crypted.exe

flow	ioc
10	bitbucket.org
12	bitbucket.org
17	raw.githubusercontent.com
18	raw.githubusercontent.com
105	bitbucket.org
106	bitbucket.org

pid	process
1076	tasklist.exe
2340	tasklist.exe
1688	tasklist.exe
2632	tasklist.exe
3004	tasklist.exe
2220	tasklist.exe

pid	process
1372	crypted.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ndlvxzd.exebuild3.exemstsca.exe

description	pid	process	target process
PID 1300 set thread context of 1020	1300	Ndlvxzd.exe	Ndlvxzd.exe
PID 888 set thread context of 1592	888	build3.exe	build3.exe
PID 1572 set thread context of 2544	1572	mstsca.exe	mstsca.exe

Drops file in Windows directory 17 IoCs

Processes:

VidsUsername.exet2.exePharmaciesDetection.exetdrpload.exe

description	ioc	process
File opened for modification	C:\Windows\DpiRachel	VidsUsername.exe
File opened for modification	C:\Windows\TargetSki	VidsUsername.exe
File created	C:\Windows\sysklnorbcv.exe	t2.exe
File opened for modification	C:\Windows\TrainsSexcam	PharmaciesDetection.exe
File opened for modification	C:\Windows\GamingNat	PharmaciesDetection.exe
File opened for modification	C:\Windows\PolyphonicWeblog	PharmaciesDetection.exe
File opened for modification	C:\Windows\SgLaid	PharmaciesDetection.exe
File created	C:\Windows\sysppvrdnvs.exe	tdrpload.exe
File opened for modification	C:\Windows\EditedRights	PharmaciesDetection.exe
File opened for modification	C:\Windows\XiMilton	PharmaciesDetection.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	tdrpload.exe
File opened for modification	C:\Windows\PermitLite	PharmaciesDetection.exe
File opened for modification	C:\Windows\JennyArtistic	PharmaciesDetection.exe
File opened for modification	C:\Windows\FacingLone	PharmaciesDetection.exe
File opened for modification	C:\Windows\sysklnorbcv.exe	t2.exe
File opened for modification	C:\Windows\GeniusRepeat	PharmaciesDetection.exe
File opened for modification	C:\Windows\MissWheat	PharmaciesDetection.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2888 sc.exe
2140 sc.exe
2612 sc.exe
2968 sc.exe
2624 sc.exe
2884 sc.exe
2920 sc.exe
1608 sc.exe
2828 sc.exe
2732 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2888	sc.exe
2140	sc.exe
2612	sc.exe
2968	sc.exe
2624	sc.exe
2884	sc.exe
2920	sc.exe
1608	sc.exe
2828	sc.exe
2732	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tasklist.exesc.exefindstr.exefindstr.exeEarl.piffindstr.exepowershell.exesc.exesc.execmd.exetimeout.exepowershell.exesysklnorbcv.exesc.exefindstr.exechoice.execmd.exeUl.pifschtasks.exesysppvrdnvs.execmd.exetasklist.exeBuyer.pifchoice.exeNdlvxzd.execmd.exetdrpload.exetasklist.execmd.execmd.exefindstr.exet2.execmd.exesc.execmd.execrypted.execmd.exesc.execmd.exeschtasks.exeLukeJazz.exetasklist.exefindstr.execmd.exetasklist.exefindstr.exebuild3.exeVidsUsername.exefindstr.exesc.exemstsca.exetasklist.exe4363463463464363463463463.exebuild3.exefindstr.execmd.exeUl.pifsc.execmd.execmd.exeNdlvxzd.exepowershell.exesc.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Earl.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysklnorbcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ul.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Buyer.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlvxzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrpload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LukeJazz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VidsUsername.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ul.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlvxzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Buyer.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Buyer.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Buyer.pif

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1264 timeout.exe
1504 timeout.exe

pid	process
1264	timeout.exe
1504	timeout.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4363463463464363463463463.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2376 schtasks.exe
2100 schtasks.exe

pid	process
2376	schtasks.exe
2100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exeBuyer.pifEarl.pif

pid	process
1692	powershell.exe
2856	powershell.exe
2584	powershell.exe
928	Buyer.pif
928	Buyer.pif
928	Buyer.pif
928	Buyer.pif
928	Buyer.pif
928	Buyer.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysppvrdnvs.exe

pid process

2356 sysppvrdnvs.exe

pid	process
2356	sysppvrdnvs.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

4363463463464363463463463.exepowershell.execrypted.exetasklist.exetasklist.exepowershell.exeNdlvxzd.exepowershell.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1696	4363463463464363463463463.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeLoadDriverPrivilege	1372	crypted.exe
Token: SeDebugPrivilege	2220	tasklist.exe
Token: SeDebugPrivilege	1076	tasklist.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1300	Ndlvxzd.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1688	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeDebugPrivilege	3004	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Buyer.pifEarl.pif

pid process

928 Buyer.pif
928 Buyer.pif
928 Buyer.pif
2244 Earl.pif
2244 Earl.pif
2244 Earl.pif
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Buyer.pifEarl.pif

pid process

928 Buyer.pif
928 Buyer.pif
928 Buyer.pif
2244 Earl.pif
2244 Earl.pif
2244 Earl.pif

pid	process
928	Buyer.pif
928	Buyer.pif
928	Buyer.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif

pid	process
928	Buyer.pif
928	Buyer.pif
928	Buyer.pif
2244	Earl.pif
2244	Earl.pif
2244	Earl.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exeNdlvxzd.exeLukeJazz.execmd.exet2.exe

description	pid	process	target process
PID 1696 wrote to memory of 1300	1696	4363463463464363463463463.exe	Ndlvxzd.exe
PID 1696 wrote to memory of 1300	1696	4363463463464363463463463.exe	Ndlvxzd.exe
PID 1696 wrote to memory of 1300	1696	4363463463464363463463463.exe	Ndlvxzd.exe
PID 1696 wrote to memory of 1300	1696	4363463463464363463463463.exe	Ndlvxzd.exe
PID 1300 wrote to memory of 1692	1300	Ndlvxzd.exe	powershell.exe
PID 1300 wrote to memory of 1692	1300	Ndlvxzd.exe	powershell.exe
PID 1300 wrote to memory of 1692	1300	Ndlvxzd.exe	powershell.exe
PID 1300 wrote to memory of 1692	1300	Ndlvxzd.exe	powershell.exe
PID 1696 wrote to memory of 1372	1696	4363463463464363463463463.exe	crypted.exe
PID 1696 wrote to memory of 1372	1696	4363463463464363463463463.exe	crypted.exe
PID 1696 wrote to memory of 1372	1696	4363463463464363463463463.exe	crypted.exe
PID 1696 wrote to memory of 1372	1696	4363463463464363463463463.exe	crypted.exe
PID 1696 wrote to memory of 2176	1696	4363463463464363463463463.exe	LukeJazz.exe
PID 1696 wrote to memory of 2176	1696	4363463463464363463463463.exe	LukeJazz.exe
PID 1696 wrote to memory of 2176	1696	4363463463464363463463463.exe	LukeJazz.exe
PID 1696 wrote to memory of 2176	1696	4363463463464363463463463.exe	LukeJazz.exe
PID 2176 wrote to memory of 2632	2176	LukeJazz.exe	cmd.exe
PID 2176 wrote to memory of 2632	2176	LukeJazz.exe	cmd.exe
PID 2176 wrote to memory of 2632	2176	LukeJazz.exe	cmd.exe
PID 2176 wrote to memory of 2632	2176	LukeJazz.exe	cmd.exe
PID 1696 wrote to memory of 2580	1696	4363463463464363463463463.exe	t2.exe
PID 1696 wrote to memory of 2580	1696	4363463463464363463463463.exe	t2.exe
PID 1696 wrote to memory of 2580	1696	4363463463464363463463463.exe	t2.exe
PID 1696 wrote to memory of 2580	1696	4363463463464363463463463.exe	t2.exe
PID 2632 wrote to memory of 2220	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 2220	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 2220	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 2220	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 576	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 576	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 576	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 576	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 1076	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 1076	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 1076	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 1076	2632	cmd.exe	tasklist.exe
PID 2632 wrote to memory of 1128	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 1128	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 1128	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 1128	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 1672	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1672	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1672	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1672	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 884	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 884	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 884	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 884	2632	cmd.exe	findstr.exe
PID 2632 wrote to memory of 1724	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1724	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1724	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 1724	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2340	2632	cmd.exe	Ul.pif
PID 2632 wrote to memory of 2340	2632	cmd.exe	Ul.pif
PID 2632 wrote to memory of 2340	2632	cmd.exe	Ul.pif
PID 2632 wrote to memory of 2340	2632	cmd.exe	Ul.pif
PID 2632 wrote to memory of 1264	2632	cmd.exe	timeout.exe
PID 2632 wrote to memory of 1264	2632	cmd.exe	timeout.exe
PID 2632 wrote to memory of 1264	2632	cmd.exe	timeout.exe
PID 2632 wrote to memory of 1264	2632	cmd.exe	timeout.exe
PID 2580 wrote to memory of 2168	2580	t2.exe	sysklnorbcv.exe
PID 2580 wrote to memory of 2168	2580	t2.exe	sysklnorbcv.exe
PID 2580 wrote to memory of 2168	2580	t2.exe	sysklnorbcv.exe
PID 2580 wrote to memory of 2168	2580	t2.exe	sysklnorbcv.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\Files\Ndlvxzd.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Ndlvxzd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\Files\Ndlvxzd.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Ndlvxzd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1020
- - C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Users\Admin\AppData\Local\Temp\Files\LukeJazz.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LukeJazz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy Decide Decide.cmd & Decide.cmd & exit
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:576
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 437570
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BASEDADVERTISEAFGHANISTANCONTENT" Sacramento
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Avi + Hits + Joyce + Desk + Cheers + Cleanup + Generate + Hobbies + Possible + Rover + Notifications + Unique + Helpful + Constantly + Namibia + Revolution + Transfers + Index + Colors 437570\b
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif
        
        437570\Ul.pif 437570\b
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1264
- - C:\Users\Admin\AppData\Local\Temp\Files\t2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2888
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2140
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2968
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2624
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        
        PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\13658670.exe
        
        C:\Users\Admin\AppData\Local\Temp\13658670.exe
        5⤵
        Executes dropped EXE
        
        PID:2872
    - - C:\Users\Admin\AppData\Local\Temp\13658670.exe
        
        "C:\Users\Admin\AppData\Local\Temp\13658670.exe"
        5⤵
        Executes dropped EXE
        
        PID:2648
    - - C:\Users\Admin\AppData\Local\Temp\2304021696.exe
        
        C:\Users\Admin\AppData\Local\Temp\2304021696.exe
        5⤵
        Executes dropped EXE
        
        PID:988
    - - C:\Users\Admin\AppData\Local\Temp\2304021696.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2304021696.exe"
        5⤵
        Executes dropped EXE
        
        PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\209103337.exe
        
        C:\Users\Admin\AppData\Local\Temp\209103337.exe
        5⤵
        Executes dropped EXE
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\209103337.exe
        
        "C:\Users\Admin\AppData\Local\Temp\209103337.exe"
        5⤵
        Executes dropped EXE
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Files\Xworm%20V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Xworm%20V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:2080
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2080 -s 732
      4⤵
      PID:1048
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2816
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2920
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2612
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1608
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2828
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2732
- - C:\Users\Admin\AppData\Local\Temp\Files\build3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\Files\build3.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\build3.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1592
    - - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
- - C:\Users\Admin\AppData\Local\Temp\Files\lummaforlife.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\lummaforlife.exe"
    3⤵
    - Executes dropped EXE
    PID:856
- - C:\Users\Admin\AppData\Local\Temp\Files\PharmaciesDetection.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PharmaciesDetection.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1960
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2340
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 447331
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "typesfaxincreasecompound" Ensemble
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif
        
        Buyer.pif p
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:928
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif" & rd /s /q "C:\ProgramData\IEHDBGDHDAEC" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1504
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:916
- - C:\Users\Admin\AppData\Local\Temp\Files\VidsUsername.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\VidsUsername.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Recreation Recreation.bat & Recreation.bat
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 195197
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:876
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "RESOLVEPHONESBLESSFRANK" Donated
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Arthritis + ..\Canyon + ..\Knights + ..\Movies + ..\Sequence + ..\Nascar + ..\Solve + ..\Cio + ..\Strategy + ..\Amounts + ..\Hans + ..\America + ..\Provincial + ..\Downtown + ..\Browser + ..\Afford + ..\Info + ..\Ll + ..\Intersection + ..\Rj + ..\Poetry + ..\Reality + ..\Cliff l
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\195197\Earl.pif
        
        Earl.pif l
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2244
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url" & echo URL="C:\Users\Admin\AppData\Local\AudioSync Innovations\TranscribeX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif
  C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url" & echo URL="C:\Users\Admin\AppData\Local\StreamFlow Dynamics\VibeStream.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url" & exit
  2⤵
  - Drops startup file
  PID:2792

C:\Windows\system32\taskeng.exe
taskeng.exe {D6AF8F28-A796-4471-87B7-581676D36820} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:3024
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1572
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2544
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2f57764eaece58c9ed1bfaa2417ac38

SHA1
fdef0358c0d715dec32567903d658e2de5a1dc77

SHA256
60010279b079079e7c6b790c9f889953e627f82ef977f0456ab678ee2f45d47b

SHA512
a695d335c3d5a50de86198eee93932c0537b8dda615693da78a3e668ac7488666ee236d2f51d9824b482aa069eb5b7b280d0fab1ed5a125196f9896f0d349209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8ed6750b6573bfc15a052bf3c0c9669

SHA1
84410433829def5d4b22ad2f673fab2f38a148fc

SHA256
c0175c9321934f73be8511229155fa4821c03b41c1c5e365c46fd84448bd9985

SHA512
c6d2432f391b268111cbaf4a78f65aaa3e0e16b34a62b4189455dd055ac364f68e633eaec262bd6b1fc49e88ea37de50cb56c1f93c00f7f1ca1ad7bf8e0bd095

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d649a815f8737bf1e6633d6a715a3c44

SHA1
17c74aafaae125a8f03c72b448d520d42ed1aa46

SHA256
bc2d62ca8f6b471d1757c4830ac4b0d5783a39caf116a623f3f5292de24658e6

SHA512
4f39f39205df610b92cc9ab5e8dbe4bed3c86ee614be6a444514b920ae7d6edba7adc2c96fffc592da424b750bbc21c7e505ebbcdea32528fa1ea1d36a5490f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\2[1]

Filesize
8KB

MD5
39f45edb23427ebf63197ca138ddb282

SHA1
4be1b15912c08f73687c0e4c74af0979c17ff7d5

SHA256
77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de

SHA512
410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\195197\Earl.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\209103337.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2304021696.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amounts

Filesize
67KB

MD5
edcf1c2d9b86b9f7a2bd7618a5b1dfd4

SHA1
397f56924b365eb009ec4312e2155f466419f91e

SHA256
e94c385ebccb44622e1365570028bbad19b81d978ed10acf0082c7e28b5a63ad

SHA512
b7bdf4ac1eca119fbb7e10ac68c0bf1acb10549016cabc017848898b3fd785f90e86ff9d139bc84d261a40a3028a0092b35e4f24f469d87e9e30f1187d4d4152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Avi

Filesize
68KB

MD5
9e758a2c9c72320442816eb08a8e27a4

SHA1
3a2dbae1536fa8100a4b8bac70482045ddb9e80d

SHA256
7fa1c428d8fd5ef7d52d5b5b03d4e5acac622444dae39afa76ee9a7bde3fd154

SHA512
f6ee29a10e6ac88b3f7bf7547fdab065ba4553c939f88526df155cef9b29d638577a14c1a66321269810a8b75663e9b6feb164e1156279b1c97c0772b6039de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basically

Filesize
63KB

MD5
b112f393cb87141ecfdf11b6d749fd17

SHA1
984d8e5658faadcd9da6934857e2fb52cab317c6

SHA256
495bc634dcfdeab4947529c1377e5d4efea341cfb31ad383a57aeac6a1e62252

SHA512
dc102b9ab16f5c47c8e8336331a633c486abab52e71a7dc4464e37806ab1956a7322f3dfc05f3056483aafc43f65f0bee74ed6a1f6632722dbd8b311c18293b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Box

Filesize
59KB

MD5
a6bbde26e937cf6cf8a0ce6acff9d659

SHA1
946b9a620292b766df7f041286ac19c99e984a45

SHA256
879a887ef630ab9cb245f5e37cc7edb80f5828d3b9c9140e1611fdb6a4d7ab49

SHA512
04514d54355b2199144b9ffa1050cd0d78cde9bbe26a00ca54cf727803ef5476fb0d82dc9082293319b4759f30c920aa2d587ca6bd44a7e215b21e51992b73b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC2F3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheers

Filesize
175KB

MD5
021bfd47a155208edd3bee1a0cc857f9

SHA1
964dfa0dead5e8e5c4f4d154df23200a198c7d2d

SHA256
baf011b31a05cc766790e85f8769fbbc0eb67ac472e976cc22b4a289643dd755

SHA512
6a63abb68d54936c075903adab7d20b57d57edbf0047a0eefb54e1749eb35c5c1ac38bbf688b8326a67e1fe33dca351153e2759ba7ccdb7856ed43bacea40a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chose

Filesize
44KB

MD5
48557124c81c3c35ef3abe3c76578528

SHA1
aa268041649f4fecf561ae926d09c0ce657c5cbb

SHA256
5e208948e0ab40b334ad43c8c1a52e28bdfe9a3c2a4f81bd9cb8e3a26f9d5ed5

SHA512
ce040756f5c08f343f5658a97207065964e2778b6faeefaa4dbf0a5cd2051d4addf3a5e19f766b3688c2b0fa0f7c9df73e93b34df3dadb7763951026286676ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cleanup

Filesize
181KB

MD5
d497aee938931f4bfc1b2514c67794ac

SHA1
15fc81ccabbb86794c9981b5c184fa128b1cdb40

SHA256
f1ee2be75c586eeed567184e339a4da7af3e0f842c9afdcc17b4d082dc5220cb

SHA512
5a051754d412a356475ad9e505faa1e5f8542f6a1962be8be453bcdbb5d7782888a5c079ad1dfa5d4a5088d42c7487816f960b8fb922e813f74a45c237f3a6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Col

Filesize
38KB

MD5
986c52dd2aad8c9891cfacea7b907430

SHA1
0248b9946a2e10b5cf12c686b80d4b9b2b893688

SHA256
7c1d6ebb1a0d979e79a83596f9d98eb85627d80b9dca5632beff2fe8d4524e2c

SHA512
5d97b36d93b26e1768f27fb5493428a86373e7605f1054e321c7f8c88fd79fe7135e49e507fc6adfe7ec1c0957227569d567bd155d8b7df326b753e74890a007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Colors

Filesize
34KB

MD5
d55ead5fcb2b703eb89e1613bc417241

SHA1
2c0fb4df9c37396d522099f848128882902b92c0

SHA256
1e0c0f943d4296ec7e0e7822c7035a8aea98b819ac613af662723a346d916f02

SHA512
ea28c6c990a51e42deff7e04de4d69bd4fcaae00814d1baaebce7b2e9b0bd6c261ae3a380956d2e06003167283955b3479488322b772052c1e1fae52b9e84d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Constantly

Filesize
141KB

MD5
769148cf356fb3dc7444dfd8622e1b80

SHA1
536a27ef4b2d61f14198142688a1057984caffb3

SHA256
944f6d2e7d95f7ff93cf17bb3b763f094c148dc628e8e86efa3b88f85f5ecf16

SHA512
41e3833377ba842623b7d6bad5d5d017979c078161078139cf99bf4a27229f4689aa3173e37aadf649371be5e4bf30ff353013b21ededf5d9282a20bfbcdb93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coordinate

Filesize
58KB

MD5
b14205596d7c7f662138ab2c5ea346c7

SHA1
5b1d8e7c6bc477f818d5da41c2a54a29a1a49281

SHA256
86fb5cc8901a1db1be2c7278a39051ace8c86e8b7c412ac3ea9dc5f09c0e3f62

SHA512
af0c164de4db4dcfec94b25b63d69529c261aa28031f72516778108f6f6ddd5b97130771817947e623fd2750392703dfc4d4347e5204a25c2bacaaf22635a371

Download Submit
C:\Users\Admin\AppData\Local\Temp\Damages

Filesize
45KB

MD5
2f3c6228e463cf2a6febb7915872b85d

SHA1
29182a91adf1c021d600b6866459f47b6ccf3207

SHA256
3266c4f90e3cf19bd25b544b0fba1d810d4af2aab56dc3c814c3e44ea6737ea5

SHA512
080d378ccd001088c2daa403c716e1dd606289003d051c0ba7fdd9d3e85a85978230e67e6dec483839d4ae7b602e81a816db646c225ad5068392b278fdf815a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decide.cmd

Filesize
6KB

MD5
5ebfe1a8c7070b73d616614556be81e0

SHA1
2542be96ed8da754f60969244a87897a6b25fd20

SHA256
e866bcc4fe787329c38afb1390c25c8d0de8812643f6799b3cb0e07cbff9e969

SHA512
8f06cd2cdb99c2b02b2da36f0401726b18bc05b1cf29cbd8697c571608131d016a18477e04b5e8a7a666229b14a5f2ad15b4c59a598cca21d6b812da7d81a8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defines

Filesize
5KB

MD5
3e9e16e7b28a54bc7ff811ced935da0c

SHA1
e3ec288dce1d9d8daba30e8a07bab4d2bbad4bc5

SHA256
5fd7e81cf9b742293562951acf69a68618594c2506410748b48736e049fe06e4

SHA512
fb6280a8ede06aefaa173b50eedaa273da7971ca86cc753adc566f5556152873d6194670be1a1ad64b4dec91e119be6c82144877dec4a0a7ee4617393ff48043

Download Submit
C:\Users\Admin\AppData\Local\Temp\Desk

Filesize
78KB

MD5
cb3c8017b7e462ce15cd44edcde1ea33

SHA1
c1d47e1dffbf096572d5489b4f14c070f9725fec

SHA256
a2fa8dc23c826401b54e666f8f2098a61ab8b8798b2d6d4b6ed7f875930f8de9

SHA512
6cad5b5ad847ae2353cebf9ac606df2d9c269471bc9f6272bbcfb14bc05497ef947a709bef96537216d414c125a42b218575a5e4c9132902cb4265410ec7ea13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extending

Filesize
11KB

MD5
1f402f620c9be33fb6f1f86807660995

SHA1
9f4e0fc7f418eea3dfd238175a8d965b6a06b043

SHA256
10a38c0767507d3558cc807fa41c901637fabccc51749507924cf83c7f5d8335

SHA512
4aef1e1873d30f651e88c26de5404ac0e1328b1e0d0b092a069e17c65cb5bd4e87eaaa984e17742db977ac52a99fe39d5e9d44f94563d51c456cdd973c9c2aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
316KB

MD5
cd4121ea74cbd684bdf3a08c0aaf54a4

SHA1
ee87db3dd134332b815d17d717b1ed36939dfa35

SHA256
4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782

SHA512
af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lummaforlife.exe

Filesize
1.4MB

MD5
f7474a5b6a7433ad725b77709816b49a

SHA1
8de0d241e825975ec105c0bc844a62dfd35214af

SHA256
f2af9576b7878464c0c955db670e1ba7b3cdd344f30fe72030016f4622f1a485

SHA512
6152e8ec300e800a705f982db66a05dd674b67fdffc1ec5690faae0268d45631a724301d89f96faee148c536c8bf07c5237b2d91a547e070f2b15e67598aa595

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Generate

Filesize
146KB

MD5
b16244ae1a5448d8972f1ce3f2f45ce8

SHA1
11a732f86460f6c45842a36bc2db2883e2f97ebc

SHA256
fe7f5732d1aa8885fc27ad65f616a5a831a8406dc0a23a7f898924376755e81b

SHA512
9001a52ec073ad077901a7dcd09eac2857be6ed4b158cff11913b47b48c4822e52fe1ec3c21e3c4c3f7aacae1e8cadab94a14f10e857064039370972bb76c4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gif

Filesize
39KB

MD5
6b27cb9967b102372d55416aeb88673f

SHA1
ede477dbc53bbd3650479bed7eec1e28b4604c75

SHA256
cd44b3bd423f9aeac80da0823d379483d7da8d96fad4f029c768f7f99e21f60f

SHA512
9f195b5e2aec2f1f48b65ffbbbf4bd0081c6e87fd926bd1e73639be38e33eff2648a91e1660ad8b8d8f18895e19a1be21e2331eea2d1a56d169a09a66be19257

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helpful

Filesize
47KB

MD5
009858e6c8e751fc8ce739a0998879ab

SHA1
96b1d4bf1e08846185bcf291c502f224bad5f12a

SHA256
8549e7c332faa6e01d49f0409b5511cf963d6696e3df2beb4260e592f1c8789b

SHA512
58ba4874577290695276a0dca2088291bfd01e27e7896bf47df21a3d12f0f2fc475ce8abbd5f660d89332713e8545c803ba863ea97af6dfdf8b3e7783eedb79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hits

Filesize
91KB

MD5
7bd8beb7e4d03db3ee0244d1fa17ee4f

SHA1
76f29a8b326e754946178abcae4901c328196cff

SHA256
19f9ec7335e09f952704202a9b42e1e3b8d18b9b07a45db42798f012dca558d5

SHA512
bf76386c6dd264d5e1529a148c405fd9803eaf3202ebfcb0e510906c2c41faeb0975a031dcaefe08883263a9dc25c16a668a14e8f58e1a63c70e8be1c3371cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hobbies

Filesize
79KB

MD5
b91ee2c9302266d366161b7202c28067

SHA1
118b327bae6135c26071f0e858cd2629b011cb3b

SHA256
b62a4af7cc863cb4a3961f4a917040ffb084f06cc1742eb062632d48b63a939d

SHA512
34713bdc6eeb74a95cf0bfb673e4b91d1553503aaf61613763bffb1284d72cc5de859bbad35f8ba7aeee3ca2c2232e92fac5702223a2366426afd203fa7a0c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Index

Filesize
32KB

MD5
3fd8e044eb5c8431d07c15b8294c496e

SHA1
92fdb9633ba073114d365d0755e35d6bc448217e

SHA256
a7a7bc9eb433f5bba335d2f26e37cb08bb819ece321ad3233294b937282a39fe

SHA512
131c8885dfb279063d150f71aaa6761a7fabeee2f832947d8ef02e1006b1f0c1db706bcc5f2efd822e0a24627511dfe5a58d1310552ecaa5630a3188d7638e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Its

Filesize
28KB

MD5
3d6a879d46553428773c851220a4897b

SHA1
a0abfbe1ca2d30a3fa0c7c35ade508b324f7ae74

SHA256
2adf740231c6c1059622b6989b1caedb4f266397340c1e9f6d5e1d460ecbf82a

SHA512
23590542a96210a974c87babc39bbcb4d585fb6fe8b5cafe25c65fec9e6f419851b67dac21c312d5f129faf1e855840ec6671f4c772d28e336f99344a46a3f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joyce

Filesize
51KB

MD5
a745692d30300c598e8871ac44a9b058

SHA1
6cacb144fa8381c70ee4e3ff7a956175eff67b4f

SHA256
9cef68052a2aae96ea947ee15a81b620754855ff2acacad637eda0fb8df3f55a

SHA512
f3058090cb43cae4c92e33397057bd64b599096d2efda03dd78bd97f029a08a1459c21dfabcb3249126057b231909f419325e57d5f47d40f70935d82d99e9888

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kits

Filesize
68KB

MD5
4f282b496d48196b4aa3a2002327ac83

SHA1
60996b0d2c5ba23ec13fd6be16a232abe9f6481b

SHA256
ded4e61660ca3681d308fcc43bd29009e40d543740327960e588783f8440a76b

SHA512
af856d82f96e9f844131165809aff4ec896ae6f1d9fde59cba1a7cf2b7ae2349affe7343968fe4bd13b36bb68ec2993548f59bfddbd61492207fb774e25010b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logging

Filesize
63KB

MD5
3479b9a0b4a14e7001b65e0dc639eefd

SHA1
41a962b8c016a9fb7a5def04ff133c25413e30dd

SHA256
f1a66266c36a65695722c7a37abf1383339c15aa0b00b0fe5aea4da49192cc5d

SHA512
a76a3b21859bb0593c10fcaf737601f665ceeb2c82a15d200515da575eb7f9c12f8606e69df270c6ee321b25392b71f583e6b2f3461ca793b2867fed4d031f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Method

Filesize
24KB

MD5
761081350b79e648b0da3734e403836d

SHA1
8bd55f8c7938c04677751cc1daeb217367d3e882

SHA256
846dc2a62b7f4892b00f5e94a9cdbeb817f17a417904c20cf0949412ec5d43d7

SHA512
44050b5d590e864a2202edcef7ec8220b4083c5adcbf0f6a36ac27e2a9108b76fc4b68de87e41a5d038a2ae0197e9ce2670e2a9c2ef022cd94b79dca0fe4b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modern

Filesize
33KB

MD5
6eaba0b24eb1c36e6fb5a4cc717c268b

SHA1
926394e3b2bdaab85cc8987e94b56bbd6dbfcf75

SHA256
5797e5b669bb6438cbe438a9d8adb83b7ec045959511c93d22094e19f108f5de

SHA512
aeb956afd8d8a4782a129d0b2dc5d17ce76113ea7fae7fa52f071f0705ce6331cd24d58bdfa5efb946ea357a8f928f9af768749a6a632dec3020d0b1e97f9c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Namibia

Filesize
85KB

MD5
7af4f8c3179e97831bcc4406a8576493

SHA1
75b4462e198d4cf6cf4d8145cf7269b21f95c7a4

SHA256
cb95849f22e88c76f7587c2834a25856267bf9cf7cf45d0bc01fe97f58c775e2

SHA512
998fe7bb2d7e7ac769b865d1790b18ebb9f87d9c75ba1ae51342aa96382de8d87ba65cb2ceb75a5620e821a9486295438c8af8d0fa1cff2504c2f619d7b9cc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notifications

Filesize
194KB

MD5
aa27efee429da9bba50081d4efff984c

SHA1
313180c962f37e07a22f87967bad50fb13b5b8e9

SHA256
304d59a825572e52bb6fff1534e8c4edfa665ffc047d9cef3c7a1d5845f22be9

SHA512
da07faeb93a60674a48498a8e85eacbc3fb0460a549b63a45c5dc16d17e0979321dc76834356ba6550a7807a3bc86cf2e6d2d1b8fbfe01cef9288b10a1ee0fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occasionally

Filesize
16KB

MD5
a31d4ccc4ed575ae2e438a6df9d8f01c

SHA1
4ad1c10f0b12f69972b0fb29260dbc4604dcc67b

SHA256
3df65de4b95917a0cf7c089e4a54e199ab550427be13a435e47683946e8d827a

SHA512
065f292edb8b30e7e3c9a46b92f5b67fd812382dfcda87dc17cdd22bf5f79d1c7aeee69883c53b13b24b6b76171afb835106467647e1d9154d8823237d013763

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera

Filesize
16KB

MD5
9eb65c4cce00e7b999daa9108e5c1cfe

SHA1
6bbb3148e53d24b7fdbc40c46a37886e6edd4c90

SHA256
77c9cd8653b2fd087b1b764418989aca5a9aa96cbe5ff9c49db1df81d0c776ee

SHA512
9896991c888300b6593d6da5228b1ce48bfc1ed7f1ed8b2d19a95169437490011e8c09dbd305be1e113ec35f38803deef1630f6928715fce27efabf4bbe56897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plains

Filesize
19KB

MD5
e49894e1e0a87bf4eab14b6857fc140a

SHA1
a0323965f8679a62ed9dd3dd3174f4faf15a4df8

SHA256
8142a8f010e9a5c966192a13abc140c5418eefeb83ae917eb41cce04e5a1c37b

SHA512
9064d70e40e93f4414f8bdd38b33795ebddc892d0aaff1805122c3516948e10888faebd8dcb70492fc3eeed726594cefcd946c9a761f6f7b31733a3d014958a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Possible

Filesize
61KB

MD5
0dbaf7bb79f3ea3894a53bdcdffcc8a1

SHA1
8661c07db309f782d61f102926beb6d7d3440efe

SHA256
3f294876e29057e789c040c3dd96fbf366178af7298203f1ea1812f1e7171ed2

SHA512
4d999416d3c871c50b91b7bf151344cd37c8e8735cb680c77995764bc769239212e261f3677d0191fb397f4bd814e0dc78cea493f37b4d3c1dd0374ff52cf5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Record

Filesize
11KB

MD5
a934552ee9f7940d56c3ed33bece6305

SHA1
d2e9031fb03ccbae04c6acdffaeee27b9e3a7934

SHA256
90dcd76c792e94f876aa6683c52590979889d3b1bb6c41e06efea126ca28a81f

SHA512
c77479046d88250ab20b7f263a362a7034a8c12cff5ede33180b2aa00fec99c0b790d56c9e3a2994a2fe6acd4b51bdff14c83931fde42f0e4c7cccb07cd10b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrieval

Filesize
17KB

MD5
bef49bea0a31738881a82912f65227b3

SHA1
cf320c4286d0232ba4ed483932dc0c9e9ff75465

SHA256
81f2d94828251c97bc3ec0fd0c6f7dc8529e7d15021ac931e502788e848d69c2

SHA512
414b61e266fb09f3aab9d20af88978b7e78d767452863b4c8fbc0fa75c018c267f978d50c0bc85f650c45a0c8558b580ae06e83471d3b0dd0bfccc592230fc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revolution

Filesize
110KB

MD5
b3d1b18c604081039f688aeb4eb1a63d

SHA1
1040134463184d94d562ebfb81a7c6f0b14a3597

SHA256
5aa2a86ad9325bde9de04ba17adc13b29ad4d83c861ef1ab657a0335af6145f6

SHA512
639cbc92bde5634a0ab203249bfec80cf6ccd0a4030199440c3d15484cbf526c006efa195641e7f97f838b8ae1731893537c09a70db100ee8e24fb591d188261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rolled

Filesize
58KB

MD5
a99cfcab1da597b3ece73b5484783e24

SHA1
5addf2a9adc261c23b4345a202a4f1fa8fc400c7

SHA256
ee41a80173b7259495b35d4244bbb089046291b3e11dc55897ea9e44bd5ffa30

SHA512
8fc201f1d31f6b57728e3f2873aa9728c2b9bf7ec0fd6d09cd7e80e7c4e134cddf0b30b3c0e56997a4e5686d0dbddda4e79a376b08ca09135af3c269d371edee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rover

Filesize
62KB

MD5
e62f73c0cd52102697b4b00a8e3f09a6

SHA1
17774c9912b4f394e507bc12cd97edfa86bf1ca9

SHA256
c749b4b01d4ba6de5c792604c5bd4f84e7b75c5f6483ca8b165e10439d2797d7

SHA512
bc50e190fa32e40ba6739c5a67af7fc76bb0e54f6e963ffec0cf6e42c8921ce865566c345de10a3a894eec52104e9e436ac2248b5873c6354956fdcd76f4289e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sacramento

Filesize
107B

MD5
caede9cda6609114d77e75703951aab1

SHA1
19c2b74f4abda72bf3ad0550173e5d3b9f48eb1c

SHA256
e9bd3e0c94a65a28800f45f3d3d45f6e62d2eee52b44cb760570b8ee6f10f0cc

SHA512
a731262861cf6e60dd3495e89c9e0b17519f0acbf47cea62576eef01333589a1440d223fde6984a435219c30d214ff8f833179532386dc460a69cf0a8f066324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Senator

Filesize
36KB

MD5
24d3aa621749528b33a4cffb8c6679b4

SHA1
141f5649209746ee67ac6380821f6c73a1ab6a8f

SHA256
aa240749eeceffbe0f614340f08cebbb79f9bc3c705ed7db67a551d1a904e54b

SHA512
7b72ca9c19b2a1b0610fd812877c72c50702eb3594dec2dbda97b59d6fe6061e67c464f89d8f6492a24c9a312b916218399ae7ee118089f639f2403cd1123504

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slim

Filesize
32KB

MD5
8d62ebf875758f51cbacb46a2afa0609

SHA1
36f0aeff29c080bf5808ddd82f710b2fa3c83e51

SHA256
9f70c10b82ab2459aad5937bb6eee25f08ed8c487b96122bb6afc9dc85169daf

SHA512
ae1744a4279113241a8dd67192ec062f2d58eb5552997892b436a6b36ae140fa12b09e8254c3d83213893ab9efe3063caac732e58ebfaef9ce05c52517d6a39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Small

Filesize
55KB

MD5
683e7557b686989a2743824e88a5a1ef

SHA1
5f9e1964e7c456eb0d4bb84c931e0eb475d3272e

SHA256
61fc303c15a386fcdaf60a8f8605c514d58480c12ee197299afd2fd687008eee

SHA512
0d652fbcb7666855187f5715fbf257d5af610cb911824d1089e65796cc9ff2b8446596dd2535c993ac21ae098e1805bff92fe2dd4eb89fa950283f1c8137b0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC316.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Text

Filesize
10KB

MD5
1f8bf3ea16d5ac311abc7818a8d55467

SHA1
1343fd61f346213d5c888a8deaf90ca79ca51ae3

SHA256
cfbb8ad3701a73f7e4a36b0a49bb4e52cf417331762c3e647391bb61b4437a6c

SHA512
c25fa0e228e59c49b07b3db25f217e632432aee151b9138930859c96b292aa76c1f3b78f206ce17ac31e0d23e8fe1244a6cdf95c6dcd04750f7523e0b4f234ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transfers

Filesize
93KB

MD5
1d77ab8f41b07724bc7f07b15e67aca6

SHA1
22243e1447316d77a6e3dcbab78bdc35b7d955f3

SHA256
1dcd9afe0709a23031ed6e1bc66aec78c0c762119251eacb3fb67a923043f259

SHA512
c1818791701b068969945a9199000171822ef9e4f8fd5e5eb4b2b5466be1feaeba21c7590fdd381c51d130a0541179706abbd059a68d4a0ceaa76eab75f1149c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unique

Filesize
102KB

MD5
ac93727df4f467593957095b2e86750e

SHA1
8a3a97d7214462fd64844abf40db28565b6bd07d

SHA256
8294beded21ecac9b9385e51ec0bc9c25ebc73ddbe619b9f43d2014638adf577

SHA512
bbfbe1a495800128dc9e0ac7d3a072d9564950deb3e7bc98e0bb612f01bfdd4d2602264280b3d84b5b5960f7e9b863fdcf3a9414e4f10c057c2c051992697a2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GM0B1TZNSPCDO1F1U5Z2.temp

Filesize
7KB

MD5
cf23875e5434f9ea715db90647b4cf43

SHA1
fe7371f6ea54d8ee5ca0bdff8a648224eb2e9e55

SHA256
494dfcf354c57a45b75829a8fb6e4b1bdbf19ce0741a2d3e8b77bedeada6cdee

SHA512
0420406a9ee1d1c2ba5b4f4f87a72c5608a25c8159f813ffbeffb19176eb497006914c96648df74f5deaf294d5267283a6ed646f6af8ff565b180e44d2df4736

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
62834c863f8c9b969e04d97222510b3b

SHA1
78a1cc83dcab131dd4b376047933e10f6776d890

SHA256
9810be3fe0c9c77cb5287b95458c8b70eddadcaeeb8ea88ab787cbdda0caba1a

SHA512
789a72a194250fcbef44a41118676ca14a4931aa8a2947b696586f427a31d7dc9e0281ccdf37cb274867f8333bd1687f3034777ad833b038c9725f1ad1f8a6cc

Download Submit
\Users\Admin\AppData\Local\Temp\437570\Ul.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
\Users\Admin\AppData\Local\Temp\Files\LukeJazz.exe

Filesize
2.3MB

MD5
0478c21bf8ef83cce4eb19b620165ff7

SHA1
5ef07502d5208b162703ee20e3d7b655af4d1896

SHA256
3011ebd226c1b5ec573ac8827a4b1d3395440652edc4fbde3cb91f59419a3d08

SHA512
3fe6c238caff0b9186a371d34f42c2844de6b52b62954b08680846dc20995adcac4aa2b35b837e9a841c852d9193395c5cd7d517551b634493a4ba2849a12b7d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Ndlvxzd.exe

Filesize
8.4MB

MD5
ce9c1a7e9ed06f8a9024c92b707fd19a

SHA1
cd56b22f16c56339da79d0085cf6314cf4ec61b7

SHA256
3a09c0e366b5b09c9877eb35ce0f88a2f12070c0b3b7fca41ed502aeca26867e

SHA512
929297ee9027253eb7f0f70fffcd041360be9f3f6ea3fa06f11a4628dbd2716a35b105bca193e4722dbde59ecc475df7f6a2d68dca349a35718c08f12277ba5f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\t2.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
memory/928-789-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/928-751-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/928-753-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/928-752-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/928-749-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/928-750-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/928-748-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/928-788-0x00000000038A0000-0x0000000003AE3000-memory.dmp

Filesize
2.3MB

Download
memory/1020-593-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1020-595-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1020-598-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1020-591-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1020-587-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1020-597-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1020-596-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1020-589-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1300-227-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/1300-225-0x0000000005150000-0x0000000005292000-memory.dmp

Filesize
1.3MB

Download
memory/1300-224-0x0000000000B00000-0x000000000136E000-memory.dmp

Filesize
8.4MB

Download
memory/1300-226-0x00000000006C0000-0x00000000006E0000-memory.dmp

Filesize
128KB

Download
memory/1356-599-0x0000000000550000-0x00000000006E6000-memory.dmp

Filesize
1.6MB

Download
memory/1592-628-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1592-630-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1592-626-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-627-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1696-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1696-215-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1696-216-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1696-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/1696-1-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2080-605-0x0000000000360000-0x0000000001248000-memory.dmp

Filesize
14.9MB

Download