ctblocker | bd73f27673d98e8d9fb20bec3ef0dd4456e33eefead3839a68c2228a5c1686ab

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fattura 00384788-00849838.pdf.exe
Size

884KB
MD5

23c1fa39c8cb4a46d54b2c9ea9df952d
SHA1

815dfd495271d7792e5d0dbb3e78a14bf4a8fd90
SHA256

97be6754d010714743932afa3f4ea308e2f0b19212e8b8b150af7cdd3383f44b
SHA512

78106662327d856f05bc98bc700ab0f5d719fd2365c46db26400ad140b96004a86acd9831cba3799de4eeffa959c82c5ee557c1a1db266f79c49aa4b910e5d60
SSDEEP

24576:dRHuj2I8hyf+fJGV8HiukodYP+gIHB7wcmZtpU:2jL8cf+xIsDWlVBZt6

Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware

Malware Config

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Ctblocker family
ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	olmsojk.exe

Executes dropped EXE 4 IoCs

pid	Process
2972	olmsojk.exe
2420	olmsojk.exe
2820	olmsojk.exe
2132	olmsojk.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	Fattura 00384788-00849838.pdf.exe
2416	Fattura 00384788-00849838.pdf.exe
2972	olmsojk.exe
2972	olmsojk.exe
2820	olmsojk.exe
2820	olmsojk.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pcdroverrides.p5i.readonly	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\script-pass.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.source.name.profile.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\admon.xsl	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Hojo-EUC-H	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\built-with-forrest-button.png	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Malta	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Nwiz.dll	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25-unhint-nonlatin.conf	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\s0.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Comoro	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CommonMessages_en_US.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cool Gray 9 bl 4.ADO	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.source.name.profile.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\body.start.indent.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\annotation.support.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\msconfig.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\item_valid.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\modules.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-t-r-5-1header-2tab-unselected-3tab-unselected.png	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Prague	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\modules.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-t-r-5-1header-2tab-unselected-3tab-unselected.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CommonMessages_en_US.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\arrow_left_enabled.png	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ua.js.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\profile.role.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ua.js.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SimpleDocument1.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\glossterm.list.properties.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cool Gray 9 bl 4.ADO	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Malta	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\item_valid.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\glossterm.list.properties.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\body.start.indent.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Danmarkshavn	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\424 bl 4.ADO	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\arrow_left_enabled.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\body.font.size.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dingbat.font.family.xml	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\profile.role.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dxdiag.png	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Monochromatic High Contrast.hdt	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Comoro	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\s0.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dxdiag.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-b-l-15-1body-2menu-3menu.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\built-with-forrest-button.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\21.svg	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\hyph_gu_IN.dic	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Nicosia	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\admon.xsl	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\424 bl 4.ADO	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dfrg.png	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\hyph_gu_IN.dic	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sRGB.pf	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cape_Verde	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-b-l-15-1body-2menu-3menu.png	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\annotation.support.xml	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25-unhint-nonlatin.conf	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\insertfile.xsl	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\HKS N Process.aco	olmsojk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Abidjan	olmsojk.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SimpleDocument1.xml	olmsojk.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-ylrtkob.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2972 set thread context of 2420	2972	olmsojk.exe	34
PID 2820 set thread context of 2132	2820	olmsojk.exe	39

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ylrtkob.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ylrtkob.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fattura 00384788-00849838.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olmsojk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olmsojk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olmsojk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olmsojk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fattura 00384788-00849838.pdf.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019683-72.dat	nsis_installer_1
behavioral1/files/0x0005000000019683-72.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2540	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	olmsojk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	olmsojk.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	olmsojk.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f1097a44-919a-11ef-a817-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{31cbbbfe-9163-11ef-b7fb-527d588cbe37}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f1097a44-919a-11ef-a817-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{31cbbbfe-9163-11ef-b7fb-527d588cbe37}\MaxCapacity = "2047"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f1097a44-919a-11ef-a817-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{31cbbbfe-9163-11ef-b7fb-527d588cbe37}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00660031003000390037006100340034002d0039003100390061002d0031003100650066002d0061003800310037002d003800300036006500360066003600650036003900360033007d00000030002c007b00330031006300620062006200660065002d0039003100360033002d0031003100650066002d0062003700660062002d003500320037006400350038003800630062006500330037007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3064	Fattura 00384788-00849838.pdf.exe
2420	olmsojk.exe
2420	olmsojk.exe
2420	olmsojk.exe
2420	olmsojk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	olmsojk.exe
Token: SeDebugPrivilege	2420	olmsojk.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2132	olmsojk.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2132	olmsojk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2132	olmsojk.exe
2132	olmsojk.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2416 wrote to memory of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2416 wrote to memory of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2416 wrote to memory of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2416 wrote to memory of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2416 wrote to memory of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2416 wrote to memory of 3064	2416	Fattura 00384788-00849838.pdf.exe	30
PID 2816 wrote to memory of 2972	2816	taskeng.exe	32
PID 2816 wrote to memory of 2972	2816	taskeng.exe	32
PID 2816 wrote to memory of 2972	2816	taskeng.exe	32
PID 2816 wrote to memory of 2972	2816	taskeng.exe	32
PID 2972 wrote to memory of 2420	2972	olmsojk.exe	34
PID 2972 wrote to memory of 2420	2972	olmsojk.exe	34
PID 2972 wrote to memory of 2420	2972	olmsojk.exe	34
PID 2972 wrote to memory of 2420	2972	olmsojk.exe	34
PID 2972 wrote to memory of 2420	2972	olmsojk.exe	34
PID 2972 wrote to memory of 2420	2972	olmsojk.exe	34
PID 2972 wrote to memory of 2420	2972	olmsojk.exe	34
PID 2420 wrote to memory of 604	2420	olmsojk.exe	9
PID 604 wrote to memory of 2448	604	svchost.exe	35
PID 604 wrote to memory of 2448	604	svchost.exe	35
PID 604 wrote to memory of 2448	604	svchost.exe	35
PID 2420 wrote to memory of 1208	2420	olmsojk.exe	21
PID 2420 wrote to memory of 2540	2420	olmsojk.exe	36
PID 2420 wrote to memory of 2540	2420	olmsojk.exe	36
PID 2420 wrote to memory of 2540	2420	olmsojk.exe	36
PID 2420 wrote to memory of 2540	2420	olmsojk.exe	36
PID 2420 wrote to memory of 2820	2420	olmsojk.exe	38
PID 2420 wrote to memory of 2820	2420	olmsojk.exe	38
PID 2420 wrote to memory of 2820	2420	olmsojk.exe	38
PID 2420 wrote to memory of 2820	2420	olmsojk.exe	38
PID 2820 wrote to memory of 2132	2820	olmsojk.exe	39
PID 2820 wrote to memory of 2132	2820	olmsojk.exe	39
PID 2820 wrote to memory of 2132	2820	olmsojk.exe	39
PID 2820 wrote to memory of 2132	2820	olmsojk.exe	39
PID 2820 wrote to memory of 2132	2820	olmsojk.exe	39
PID 2820 wrote to memory of 2132	2820	olmsojk.exe	39
PID 2820 wrote to memory of 2132	2820	olmsojk.exe	39

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2448

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1208
- C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3064

C:\Windows\system32\taskeng.exe
taskeng.exe {A3BF0F97-3DC7-43AA-BE4B-B7C02E88E94E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\olmsojk.exe
  C:\Users\Admin\AppData\Local\Temp\olmsojk.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\olmsojk.exe
    C:\Users\Admin\AppData\Local\Temp\olmsojk.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows all
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\olmsojk.exe
      "C:\Users\Admin\AppData\Local\Temp\olmsojk.exe" -u
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\olmsojk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\olmsojk.exe" -u
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\xxmtraa

Filesize
654B

MD5
cd60fdbad71fdd5541124cfda7a25080

SHA1
bd3529d459c09bd395f81642f348bc5600a17955

SHA256
94f75b7eb5ddb7c965564f8b905e6b1b2b53509c3a51cb3ea2d16e5afd6f9fc5

SHA512
5e108b203d3a0e1e662799c93dbe7a05c4542ae1846d98d6524217921022d52c7ab88d773cf9ee26893ac1487574dd4fa3cd60d62bce24aa5a9bd3d10f767eb2

Download Submit
C:\ProgramData\Package Cache\xxmtraa

Filesize
654B

MD5
0ed2c252e63b9bfd70a8ca7f4721fce6

SHA1
d4f8ba551f1b3d951ca184ff852d89476afaf178

SHA256
e93961eb86babeb3ffe691a4c80737496e03b64cc9979da4b90719cb7f06f6f2

SHA512
ed210c4c254c8c2d92c0b0738c4faf0efe81d3ab55e4933c041162b38af3cbb9b2859bc40ddad01907b0692242e19c9cf178550ccd4af4a3c3f5a9a72c4baaa6

Download Submit
C:\ProgramData\Package Cache\xxmtraa

Filesize
654B

MD5
0dedb3a8ebc2a086e98fee10a215286c

SHA1
c8527eba10f7cfbca97a4ab74bf520c1749175e8

SHA256
09e1cb9466d7778d27b8ce70667f0ae0958977f1fbc2a584e6a160cf0b19947f

SHA512
5156c197463755695b9506c2ad3ecaea058d07608139c1cb3a5a93e092c6dddf2590a0cb38b14cb9fdc6afca8b73039f1b53f9ca71b207b0e2a1cc0934c566ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\olmsojk.exe

Filesize
884KB

MD5
23c1fa39c8cb4a46d54b2c9ea9df952d

SHA1
815dfd495271d7792e5d0dbb3e78a14bf4a8fd90

SHA256
97be6754d010714743932afa3f4ea308e2f0b19212e8b8b150af7cdd3383f44b

SHA512
78106662327d856f05bc98bc700ab0f5d719fd2365c46db26400ad140b96004a86acd9831cba3799de4eeffa959c82c5ee557c1a1db266f79c49aa4b910e5d60

Download Submit
C:\Users\Admin\AppData\Roaming\README_te.TXT

Filesize
512B

MD5
9941913ba06d1350b80929d66b751eaf

SHA1
11efa0f88b77d4712a6867ce400df342ff06c123

SHA256
ef72ed8efc4d6cf1e3a0c2fe27a0ac0f4fff182ace4c62344912971996d31f25

SHA512
d6daf3b6a0ad4d4c2953ca60c952d5005f2201d4eccc02941ef8c8daf223bd0c4f91bcc44824e5b18652ec7737ceb65f865d1bbb549b9a3dad1414c0811b89ce

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\21.svg

Filesize
1KB

MD5
fdeb32ba861b290b905acc8dd73948e0

SHA1
19d069c54925d6fbedc236535b988c7f1f5a5718

SHA256
454046357ae9f6fe58e428b3392481f63b19d4124edf8a8e4be29fca526aad55

SHA512
57242042ee96a85e687aa07617e269e971e571d2ed29ab8140241d6b70964b8b1beac77497dd8f0942bc03dd37666e2aa55760a4b98b602ae98330d66702bbe2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25-unhint-nonlatin.conf

Filesize
2KB

MD5
62953912e2a45ea9a1ef4d8a400b2894

SHA1
55cc2e1db60526ac8a4d6973698d5cb4327d13da

SHA256
5a8254819b63ab0ba7fec93691ca357be3d45fb43aeae0c937cc2c88866aacc1

SHA512
a773723a613a179c68efb1db514477524ed96e1fcbc875b565ec75abb66030c64e11900090f077f62ad5e4fe9f5b19d843ecd801870f413ae04bdc3a09e285ba

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\424 bl 4.ADO

Filesize
524B

MD5
f180e85af9eea2a1d42807a6ebcb7a36

SHA1
5d49cde993f16d8259b10c5401280aa067c1b423

SHA256
4e748cbdf4437760c6f7e32b770814bba131d1d9a1e9fa887ae62114a1be22f1

SHA512
22ff1448e9197f5ad37b288bcad397fed8de00c2cd97178aa7b3ae766a7eef60d153db0e59293281829ea65d3c3e66ff6b7d6eb7e52a5d5c3c3f108b46d416eb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Abidjan

Filesize
65B

MD5
d803a36bdfda24206049e32cde7c2b2c

SHA1
6d2b22926cfff7227cbbf062e85ca77ff3b2be77

SHA256
a3082cb00066566478bf0e36e608d979628c3ab3df3dba0f8a67c2c1e99cd4b8

SHA512
bb600833c2e1f137fc1b1b236f0fb6548bf30667c3a51ddade1bf6f8bf380db00afd1942f8c9981b7aa7c54a1037dea26ce5cc176538db586c051cdd9ef12f05

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Buyout.9mA

Filesize
654KB

MD5
eb2c960832bc983566f85557c6f739ee

SHA1
6b5aacc9238236e512261057190133b69e54d5fa

SHA256
044c52c2e0cba38ae0abb3804cd3bc1299b1d3713b229abc33a4d63462994ee8

SHA512
9e14abb0b1fcee5c9892cc959c3824eb0bcfd36a0ddcfc2c990840b6a3e9b7300f636c32d6dd2931323e79a9ab4756ec9c72623bb6420edb22b302074998b897

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cape_Verde

Filesize
97B

MD5
739bc3be601fc4c312fca262597514eb

SHA1
c14ae4cd4e2ce75b7ea4ed39a835bc8d207f2486

SHA256
b645b5d403881ac66ce4171af4aced39c0a17237fb78443fae623b1f4367345f

SHA512
c0092979146f54dd885d4b12b0f7e37285b4116aecf4a793eb524d0b33c8ed2e7a336f97ec6d2504203d51207205f192895c1850fd6dd5f30f9848d86ef4c5fd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CommonMessages_en_US.xml

Filesize
1KB

MD5
eb7e5640b62b9f2c204d2d71d7203d0c

SHA1
e8d73e315aabe7e4de946909dd0ad38752559ad0

SHA256
604f808eded1fc1ab65b4daf91b403463937fa2c132eef90dcee1b2317f52415

SHA512
7abfdf727bae2c2151533ddee9ab5f1ae83f1cb07eed95954dd37cfc1c7014f8f6f26bb98dbb61cf2e2431387db356515aaeaedd7dcefa76b0e4d80e032f61f6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Comoro

Filesize
65B

MD5
0d6f52398a1767477b51bdd471c59bd3

SHA1
55a55b24310d7a79aea1eb3e03d7f15772f295b3

SHA256
3f734c8eaefa934de719cdaacc059115bcf0b35b5da238a099aae910fea4b62b

SHA512
be50f7d363e0d650516c50dc50070f120998a4fb248173ea410440bb52e62a5869e2c58d3fe620b371cf1ae83f6be16f81231aa167c793c37599ce10cd30bc2c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cool Gray 9 bl 4.ADO

Filesize
524B

MD5
3afffe896e60eadf0cba2a7b6b410636

SHA1
77e14647d4d13c8c2831f4b781d257ba65c6f623

SHA256
7c765f5657941078128231f3f932a044d56731571a1c323c26d73a9bebe58c4c

SHA512
ae849fb6679061e5a5d8f710f0f7972de011a20d44d70a2f0db814ba0b43371599debef5b6300353a1ac74ab62fd8160916fc46d86357b13a5e095f78c386e45

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Danmarkshavn

Filesize
341B

MD5
f3f8714e3a5d90848aee400fafde93c9

SHA1
6d63025807e25f8987905729574e43bf1d4ff226

SHA256
5ff883ea5f2cfbd9d6c1e3a48f96dcc3794691ebd0f1ee548340919ee7b8a53c

SHA512
c596761b783bd54e04d5b89f863c0900f4487b52edc9eb67e911e2933d9e656dd38050610e419a8bf2c9f7bc2b1a07efe33904b622a5460d30a3befbafc17822

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\HKS N Process.aco

Filesize
2KB

MD5
07a377b2e9931a451c45721ef83f10ee

SHA1
8f4fa6bdf8a80d53904f036bf46bca4aa554a5e2

SHA256
f429eea4e13c307b27a9c7b13d6fe38d29fa5deffeb35e5f7cd89318b2d05888

SHA512
74786be177fdfc810ca2f6b9cba919037b3ae4ed2dfca294164ff6f3200d404d1ebfc91cf83715a2d0683e9e5422e3c57dac186808ee7a83d9299304400a44e3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Hojo-EUC-H

Filesize
4KB

MD5
c8c39bc4ee14e9218e4c9a94f22b6114

SHA1
e36e9a777b4c413cd4f690a3c4ccc46501223dff

SHA256
caf0b6a9c8d515a3687d603840cd5f4d689e2f0eebc7cfbbea7ca3f9a9caadc9

SHA512
e14e98864d65860c66ca2f573d58b1e9435b49076a0ffa5b6952ef4c101a4ccd75f6a669b9ee0bf4a81f4b1edd79b1f0d786d7f29d509c9a67f48c2aa3d7b281

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Malta

Filesize
1KB

MD5
48f9d66b92ec3a74f5c888453658ec86

SHA1
240bae24ef619d23a100a130788709cd2685a0b0

SHA256
50d6837e0f2d3ee847377d02773428f42a9a0fc54b432a3daaa30dd6ed5934b8

SHA512
28730b1c1bec7ee335865462d1991bad9984645348dc8fcc7bf06974492dce46a69fed5932b8e32bf39daeb8f42a641c38ce089280512e8e9c772f76b484860c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Monochromatic High Contrast.hdt

Filesize
122B

MD5
25a339f321dc06b2c78180ecb8a9d82b

SHA1
f3f2d8a06d923a5484a0a8309d75f76ea024bd5f

SHA256
cbc0890fa2aff3e33fbde3a3a883cfd3672860d6e98e4799a6af548046cc02f3

SHA512
b17a6e3e9d51c1de1ac9ae2218e670dcde1eaf8302d47d1b356dd68a30bf2787e0859541331a65fc0d66d770f1f14819f90b6afdcebdb6033b65edbef5f36308

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Nicosia

Filesize
1KB

MD5
5517f299f99bfd2cf717599f4fb3a114

SHA1
b5c739f50bc2e666353d0a5c5ae923a2afd23dd4

SHA256
a5835ed446663a58442badd71635757f74052cff347073b3cd25077d1ec4b9ff

SHA512
67fe078a0f01cfd8194873becdd0022962d600b6c3035a4e324ab631683209ebba5edfcaa74b04f4fe369675cc8adb88002e6f19135b022843b4cbd19e36199d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Prague

Filesize
1KB

MD5
87d84818ece904caaaf7bf0499575e57

SHA1
6f46b660667b886a46efac77ba03c717dcb6c00a

SHA256
d563f7ba3574e96c4231ec05c7ab68c8a1f454d075e86ebba09e3f14c54de766

SHA512
9d378f2b33d34c9eece39b58d6a4388818ca596ea0d4acd940212e3f859dc6e51c389673d441798d8b11c9d0513ece343c8e61616a7a0d942f6c79b67e668cff

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README_te.txt

Filesize
884B

MD5
0c041dcb1d9bb1c91548c46b484be783

SHA1
882c3e8e97fe1dacf3b30d250c3da72667b95417

SHA256
20c311f57374a8734d48426cca56e3a132daf65c3d01925f04cacf62ed82ffcf

SHA512
b0ffd5ed8e93e811a6b52ab70a4df807fa2f8c161f9c66737621b397f0b474c45402456c711a3a6931f98b78547a63c7ac3a17f7b58c2b62933ed98753ec5ca6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SimpleDocument1.xml

Filesize
356B

MD5
2de54316b3170a1143eef4700836dc52

SHA1
fe433be45734afbe1329f65573b868ebb498b5c5

SHA256
6342dadfbf893e2eb31bd2d751ad897226fd3cad08140de6b9ffcdb84f2f5869

SHA512
56ec9b595c5e1644eb63aff2b237488e5c20ff62ab456bef042ab4eac59ca73af19a64208328a8cf3e3793dec4acf6cdda3a154f3f6e5b6a9d2bafc92d406e71

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\admon.xsl

Filesize
4KB

MD5
f1befa6b55a1f2ecbb7983fdb29bf0ea

SHA1
4bca478f6885feebcc820521a95456bf18a5e7e1

SHA256
c47c6c7798804547cd9002d20c79f3c314559e0b663ad8e6bf0f26573a9e45af

SHA512
ff9de152cd71a00ff4ed8f2421b38af024a2778a046873d7a96494b569a16c986bad2aea3cf62d4bffb0b1bf23dc5cc33faaba77eca2ffbbbe4a1c9cdb786cb2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\annotation.support.xml

Filesize
979B

MD5
d33c69b7a9530aaef71a4f40ee95ac6b

SHA1
6bfb4affe670ee6e34b42af42b74dd3120ae75ff

SHA256
adee7d2bb7771766e91c59cd059209d92722e465c7fd7ae6664f781c5758884f

SHA512
09280a3626e6e989a9badfc4133e347694ab49204c415724f468bd3ec5878656f85ddd344d4fca48c8fae8e2fa8abcf5a755ee34c6a56ae5acbf57c95b851793

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\arrow_left_enabled.png

Filesize
1KB

MD5
f7ff8ce3557cc041a5e36f8864d77649

SHA1
4d9b28243031ac2f74cea1b8a8baccc6d2408305

SHA256
72c7681c30cc1b6adb6724539c0b2d089e4b1702858748a1c5564a93d69a475c

SHA512
c09137aadafc10a9e115e3b9e30e063dfaa8631a3387991e37a0d01609bad4545aab0d3ca29aafae2ecd659c6ec09cb1f85cd66845feb95a5b6fc0180cf3afc3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\body.font.size.xml

Filesize
1KB

MD5
2e252ce9d2220464f0c56ef4d0edd08c

SHA1
abcfe009ace14b590ea10c7dd9dff1999750acd3

SHA256
a0ea8067714e9566c585fcb0cfd3bc5839d93dc2bc5bc21e25e440d07ce8d10f

SHA512
276efa9157b82599e634b505c653792c35a5bbf2177a2932daef235bdfe73023e30689e27723c81968d5e7c50c3986aac0d397c18747ed8531fef0f45c80a785

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\body.start.indent.xml

Filesize
2KB

MD5
7cb3cdb185e0ec6e32013c74eba9de77

SHA1
b445dfe789fae06c9c598e3cd81f5d892502b9af

SHA256
648a60a9ee85ade9fa07c38ca90a8629e833d7b8d5f25b6edbbad8c931f57ff8

SHA512
f1d9fae80472115d100053754dc629bf64d7d12d4a9252f666571aaeb6ba54c0f1e80290b6dffedc26207dea391eaaa499ffc94e498ce9e514cab7b1c6d9a87e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\built-with-forrest-button.png

Filesize
1KB

MD5
b6d615540a14a614c770e73d0a975f32

SHA1
d893d40eb8611ab9e6710b74ec7c8d3e231e66b4

SHA256
48a1bd36640694fb5515ee9b7157619a42c2e12eec70b6f188cc7b0a8c52d802

SHA512
9e198a4a2877e15679e54f98b394ed415f813514182885444505d9631009498f4cd85bfdf4a5b337706e64be983016bfef62027ddaf7bae055ccb0f1d49d22c2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dfrg.png

Filesize
2KB

MD5
54f817239bdf35ed1f43e660ec8d2983

SHA1
928a946eb5ec5a18f5961d02c329e6e0b04aab4f

SHA256
c98cb5674c9daed32a630e6a5f981113a5cbe4670438f8d17e0015967816a729

SHA512
b0ab5f07775fd7f07a08d02eb71e0f296063303b9de697d3516837dcf79503e1762bb539c3a826cf01dcd7c05608fee8eab502abd4fbfeea048026ccd9259332

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dxdiag.png

Filesize
4KB

MD5
d5f980f296bfd9595ae17154186f1f1d

SHA1
e4ae0a1aa9fa6384a1e7cfff2dbe6e2493e0419a

SHA256
1062b847013de82124771ca60783840fb336a973c71079799fb80be7ca97573d

SHA512
0cf75393bea33a8201d8e154c05112e880d39f7ed4eeed5f47fd3ca95a06015e8a8abd9b6634551095d229ba6fc2f382602abf12100c260cc377668737bd5726

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\glossterm.list.properties.xml

Filesize
1KB

MD5
18520a0ba2dd93353df9a5e1af67ba9a

SHA1
139dfbd54ecff43075689b32014628d7e57db2eb

SHA256
225b2f4d5432f9e32a696a4c42f60c163be2e2c740d31ff6ac1c87695f36028c

SHA512
f7144d2a1ea5056303dcfbab18f8a21d4528050da1d02d11d8f8120cf642210b51262fa594ba11efba6edb0369fd3a2d79df8ecd79bbbb9b7045f26c05f85beb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\history_report_yellow.png

Filesize
3KB

MD5
ba60cbe9775298c1c3e377023fe19f9f

SHA1
ee7e50f716524672a502c03e3c8ed7e769e33a75

SHA256
a12985e09396dd88b046ea1400e4438aced18de12c08ebcb41b9b694f382ed97

SHA512
ae6ee86e4285ca5fc398ac2c2fe8f3fc50f9c0c416f9b060475a41c2a591bac82253f3f3cef54400ab3710dd46b669e7446bec6984cf9f8ca1f98fa3bc433b0b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.hhp.tail.xml

Filesize
954B

MD5
0e4b7b8d5fa4bf58e91006b5d3500926

SHA1
b5b4455498e5d43d94f2c59bc0f348e3648411fc

SHA256
d08506fdb3996a2236c3c8cff4fea10be79ce03e4209cfa602901fd409fd7c1f

SHA512
bd97b5551693a0cdbde7b0cc2da2b619231c8d467ed36b0c137a930c8a17e77fa92ace6992ae416e5c5d41d528da19292ed94d99e72d997f718652c7f1a9a0eb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\hyph_gu_IN.dic

Filesize
1KB

MD5
6ffabf660918d914848b990e183224dd

SHA1
256bfde4e8b0fa82d158b4832a8b6265f6ff29dd

SHA256
e601224307448d7fdfc3eacf2ee7c3d9ee3fda23cb9ceba06509c279f8991adc

SHA512
62e726efd7fd7881abc3e003060c81a0fd00cc4dc78b64a5e944e88c6adde6ce6d00b24b6dd065d06927b0f853af9c04b6404ad3640b593b5a4ae1683251c487

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\insertfile.xsl

Filesize
3KB

MD5
b0e162802fba8f5223e3b9d3817fcfa5

SHA1
5acc8325c0b72e462aad6ba81a83640f062948fa

SHA256
95f323cdccd1198dd8b6769d81649600898081eecfecc99a82dfaf99575ac03c

SHA512
78bb9a654fcfafa11aa2468b0d7c73649c689837f19aefe451f7405147322e4a6440a8ad5a3c0272f603e50bd774fb94fe8063de53cff26646b3908020e219e4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\item_valid.xml

Filesize
566B

MD5
a62d4a72d4162d1972379e343cba9570

SHA1
d550971c35d61d859c0d7caa583f171b902becc4

SHA256
11b93b95a5c9bd97582103c45e4e6869187cd6cfc488afa37f9dd195a442e40e

SHA512
60a060f43b203fec3a649bc11357fbd1b27611d4493dfde89d7d53f256b5bc71084871ffeda6683e65b236d4064c37c8e1489deb679f15b3ce8d377fa6a641d4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\modules.xml

Filesize
305B

MD5
9d13577f581593181cf2214228ace9df

SHA1
f78e9e729843e4c0aa66c251ab9dae1851b79365

SHA256
3bd4ec13d2da921506a70b27d6c302de00fb24cf6fb2bc344d325acc7fa7c709

SHA512
44523aa79a3cf8f2c03b78be4f59e1b1863a8a52077d847fc187219da851543d157173e37006b6b4a2855260f5c1c6903e2ad10b51c2efa8f4782c7d04cacb09

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\msconfig.png

Filesize
2KB

MD5
ecbc5e3d8c0314a1671441ad66422581

SHA1
356b6245df4dae2ec2d5312031438834171c94fb

SHA256
4a9a8b1aa036980f933053221d996f69070c32410cd7467b7a8653c523ac7a43

SHA512
c0b131bfbdcf6ece718e2b3b345327a2e9492e6bc3c3e8f63ee0d67c8ec32945971232df8e90bc617e32181e51899a1c67c74349aa44dd908a4a265523194964

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pcdrbdre.p5m

Filesize
2KB

MD5
c630e6fe95a9ba4c4a7862e1cd661b91

SHA1
45b36a05004836166ac41113e2e5bf167bb0cb39

SHA256
ee8df77c4eafd0263a4146e5d7671d9a8cfbd454693888f12f09aa29e57620bf

SHA512
8df25adf5e9ccfb9a6d30cef272eb3b56fb80d7b199200db0730e89b0df178d4784e602d448b407ead6e40d698470cbe55c3d5044c5302bf09115ac4a30e2605

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pcdroverrides.p5i.readonly

Filesize
874B

MD5
01bd65de7cf40b95e735d995686dbd0b

SHA1
56b901609d4f3d036f0902d51699034529ed83c8

SHA256
eb58fdb8dd7b9a76363a687e7a4c44e3994ed369e39427a4070abed51909ca9e

SHA512
674127a1bd1a29579a3bd21e11cc77eb949036cfa942a107523948c9a558eac12b7561eb11750cb5b9eb8a02b06381ba5c22615f5d79f6501df595ee32c4418c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\profile.role.xml

Filesize
2KB

MD5
5b35aca279962ea53b7f13fefcd19c05

SHA1
4c78bbe63eaa550385cc978592b91ecce0c5af0a

SHA256
b4cf9006e1a679c9cbfbdab09ed80c60f232fbc52f93df99362fd32727ef755a

SHA512
437c178ca354a423d29fe3879edeec3a19793ccdf8776e5218571dcf03bb7e221f6a445e647b93aeb8e2c793c8b13b2c6ad64bf82ae3948c0788a3b729307100

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-b-l-15-1body-2menu-3menu.png

Filesize
246B

MD5
2b9a419e8d6cc155eb907cd62a5315c7

SHA1
46d2bedd64727ce5ecf26d000b7f0a48e418c02f

SHA256
1dc64ff0c451277de7630b94898ec20145d8659f744cb072c95fa17e683e98fa

SHA512
f619da0155d141c0b41b972c7ce870ea89947292b718445ade7a972009fc1a0f62123f8e2ce546ad550529dff02ce5d88def78019b2c80dddd877afbb9d7f134

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-t-r-5-1header-2tab-unselected-3tab-unselected.png

Filesize
198B

MD5
667cf2a5f682b03caded4712f33cc14c

SHA1
b4727230178f2467af8dc0360ac66c0ee8cb0ef8

SHA256
9a6dcf78ac11e27da517ac807e97fd2d43a1cd3826db129d4158558a0972004e

SHA512
fb2871f0fcf4fbb561678678406b9244864b1ae3e8b32d2454b8c2a6f7e3efba540a6cca506d2ca7617672806183e1eacb4a45167068a22b9b9da3ab54707c64

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.source.name.profile.xml

Filesize
3KB

MD5
5004d45999ad9543c894463e9b9ae2a5

SHA1
97bfffb410971e419e8c14b7f907def5f834376e

SHA256
c7d4c7c6f7a95a6bc06327327e7594a0ec0e38aca49c8ca23de4372d8e598861

SHA512
738f57fbb4912418a1f706e0436dad9644c262a5ca0d97683599d642e2a070197075fed991549cfd51d049788b81f7d3e91b57fefcbfa02051a1ab0389d143f2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\s0.png

Filesize
1KB

MD5
04d044db1ae8804289bfdc40b3569fc0

SHA1
4a7bdfe51057ef3f49c84208e8021eb3f928f50c

SHA256
fdc46bde9b7d06b2c5e606a2e2c6075b3b40325ae58cc305ffd99d128badf4e9

SHA512
d8ce946014da8634b94a21cb876794a1dcebd41cfef447cd7b766a4c167c3b2268cbec54beff42c2986c05956caa12e05b3678bfa9baefd7488710eaa9defbb8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sRGB.pf

Filesize
3KB

MD5
1d3fda2edb4a89ab60a23c5f7c7d81dd

SHA1
9eaea0911d89d63e39e95f2e2116eaec7e0bb91e

SHA256
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e

SHA512
16aae81acf757036634b40fb8b638d3eba89a0906c7f95bd915bc3579e3be38c7549ee4cd3f344ef0a17834ff041f875b9370230042d20b377c562952c47509b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\script-pass.png

Filesize
1KB

MD5
cf2462d43ad7baaa0f129ad5fca4a981

SHA1
aa75b44dbce258bf164bb6a8cdeaa3688516263f

SHA256
c5b6d02b6b64052cb15bbf90207fa551953809b12406cfe1042d26abc24b1c36

SHA512
6172425c91be581f3910056ed3a829866fd853fc24a0c02c837c6caf1e57d05b981a1f384ed4894fa19dc0c29d36d2b37d25a6753feb5a21c5faf4e5c000af96

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sidebar.title.properties.xml

Filesize
1KB

MD5
1a10975fd4bae07148667bd720448b60

SHA1
c3d65d54f04ad93dd59bfe85937b7c58f3abea98

SHA256
fe73823a3681b3cc9b2ac998f57a8a594f253a2f8e7ba042a288393c1fb6d66b

SHA512
7215c5645614769b267ec9e35e77af48dcb8046e28e88d056cad899f3765754c7372ea564b5a5903a596f47c23021af2ef1c072f98fd3ea065f0b7301904ed37

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\template.xml

Filesize
730B

MD5
b778b063eb5fae768be12574ec334902

SHA1
1d7dcbf160f802cda47c9fa50b251b851277b161

SHA256
4fcab5ca777797a885e3129b31ac7d660d1b9b375814af278da757809eeb75fe

SHA512
622a9856016a0214a307072f1b23b0de30811a52230bc1b2ca8937d3be5f2ac4d09667d9bb808c5f9c9ce572aaab954f41d2adc90c2b3c692bbe74f9a3704aa6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ua.js.xml

Filesize
879B

MD5
c15b13e12b2bd4125b8d3e275fb667ab

SHA1
abc8678271481d275d5c097ab046e0fe33c53c51

SHA256
80d81370b8468ca5f43f5162f0cb3e6235ab4e339924b7bbe6758169df9e6865

SHA512
93e7c31324ea5a03e82391c7f96f1fa2b2d7b5c1b0ebe53a4aa91b8e98ebfede07ae623bda38234c7918ca52f7448e4fc5b540fc4eff075b8123b2aa5d4b5708

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
\Users\Admin\AppData\Local\Temp\nsj933C.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\Nwiz.dll

Filesize
54KB

MD5
af5cfacd0e4f50aea5e1353131d31ee1

SHA1
2c25083e39c4604bcde7ebc1ea966d45646eead8

SHA256
60737caef33db58b24924eecaeb13e9d6c6cbc27408fd2c59cda67d326b1495e

SHA512
5c58ecb55ca6a82bfe6d5647058b4d2e852010029d4a356d7cbd4a4e7fa3f31ca3fb88a8e81c9566e9d9736e104e8d8375053ff89d90802cc145e27349155db9

Download Submit
memory/604-154-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-150-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-148-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-147-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-151-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-158-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-156-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-161-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/604-1391-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/2416-64-0x0000000002500000-0x0000000002513000-memory.dmp

Filesize
76KB

Download
memory/2416-55-0x0000000002500000-0x0000000002513000-memory.dmp

Filesize
76KB

Download
memory/2416-65-0x0000000002500000-0x0000000002513000-memory.dmp

Filesize
76KB

Download
memory/2420-143-0x0000000000920000-0x0000000000B6B000-memory.dmp

Filesize
2.3MB

Download
memory/2420-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-1414-0x0000000000920000-0x0000000000B6B000-memory.dmp

Filesize
2.3MB

Download
memory/2420-1403-0x0000000000920000-0x0000000000B6B000-memory.dmp

Filesize
2.3MB

Download
memory/2820-1532-0x00000000004C0000-0x00000000004D3000-memory.dmp

Filesize
76KB

Download
memory/2820-1530-0x00000000004C0000-0x00000000004D3000-memory.dmp

Filesize
76KB

Download
memory/2820-1521-0x00000000004C0000-0x00000000004D3000-memory.dmp

Filesize
76KB

Download
memory/2972-140-0x0000000001AF0000-0x0000000001B03000-memory.dmp

Filesize
76KB

Download
memory/2972-129-0x0000000001AF0000-0x0000000001B03000-memory.dmp

Filesize
76KB

Download
memory/2972-138-0x0000000001AF0000-0x0000000001B03000-memory.dmp

Filesize
76KB

Download
memory/3064-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-70-0x0000000000870000-0x0000000000ABB000-memory.dmp

Filesize
2.3MB

Download
memory/3064-63-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3064-68-0x0000000000650000-0x000000000086A000-memory.dmp

Filesize
2.1MB

Download
memory/3064-69-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/3064-59-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3064-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3064-67-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download