Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-11-2020 20:58
Static task: static1
Behavioral task: behavioral1
- Sample: a.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: a.exe
- Resource: win10v20201028
General
- Target: a.exe
- Size: 32KB
- MD5: 4a94758d9b8bed45249bffffbaaa0460
- SHA1: fff1c09b6e710d1804716e6b6b6c055a899aa1fc
- SHA256: 64cc82160edccda2bfd82d92b429ea0f98dcda9659a5c757b2748119847f5532
- SHA512: 5d77477a4561723c9752a9666228df2dc2b5547eaac7b7507ea552b310bcee5b13a75a73f8e9fb7a466762e5f360bec197ce0b3a09abd7b13d5b7dfc865ff45b
Malware Config
Extracted from: C:\120162634617678\Read_Me.txt
- http://25xb3kc6azicbbuo.onion/?IXNDSIXN
- http://helpqvrg3cc5mvb3.onion/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid   process
1108  35045.exe
952   winsvcs.exe
1212  1076028349.exe

Modifies Installed Components in the registry (2 TTPs)

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SetHide.png => C:\Users\Admin\Pictures\SetHide.png.ReadMe | 1076028349.exe
File renamed | C:\Users\Admin\Pictures\SubmitConvert.tif => C:\Users\Admin\Pictures\SubmitConvert.tif.ReadMe | 1076028349.exe
File renamed | C:\Users\Admin\Pictures\ConvertGroup.png => C:\Users\Admin\Pictures\ConvertGroup.png.ReadMe | 1076028349.exe
File renamed | C:\Users\Admin\Pictures\DenyImport.raw => C:\Users\Admin\Pictures\DenyImport.raw.ReadMe | 1076028349.exe
File opened for modification | C:\Users\Admin\Pictures\FindStep.tiff | 1076028349.exe
File renamed | C:\Users\Admin\Pictures\FindStep.tiff => C:\Users\Admin\Pictures\FindStep.tiff.ReadMe | 1076028349.exe
File renamed | C:\Users\Admin\Pictures\PushReset.crw => C:\Users\Admin\Pictures\PushReset.crw.ReadMe | 1076028349.exe
File renamed | C:\Users\Admin\Pictures\RequestCompress.raw => C:\Users\Admin\Pictures\RequestCompress.raw.ReadMe | 1076028349.exe

Loads dropped DLL (6 IoCs)
Processes:
pid   process
1080  a.exe
1108  35045.exe
952   winsvcs.exe
1212  1076028349.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\120162634617678\\winsvcs.exe" | 35045.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\120162634617678\\winsvcs.exe" | 35045.exe

Drops desktop.ini file(s) (41 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\desktop.ini | 1076028349.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | 1076028349.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | 1076028349.exe
File opened for modification | C:\Program Files\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | 1076028349.exe
File opened for modification | \??\M:\$RECYCLE.BIN\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini | explorer.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | 1076028349.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | 1076028349.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | 1076028349.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\U: | 1076028349.exe
File opened (read-only) | \??\F: | 1076028349.exe
File opened (read-only) | \??\Q: | 1076028349.exe
File opened (read-only) | \??\Y: | 1076028349.exe
File opened (read-only) | \??\P: | 1076028349.exe
File opened (read-only) | \??\S: | 1076028349.exe
File opened (read-only) | \??\J: | 1076028349.exe
File opened (read-only) | \??\K: | 1076028349.exe
File opened (read-only) | \??\L: | 1076028349.exe
File opened (read-only) | \??\Z: | 1076028349.exe
File opened (read-only) | \??\W: | 1076028349.exe
File opened (read-only) | \??\M: | 1076028349.exe
File opened (read-only) | \??\I: | 1076028349.exe
File opened (read-only) | \??\O: | 1076028349.exe
File opened (read-only) | \??\A: | 1076028349.exe
File opened (read-only) | \??\B: | 1076028349.exe
File opened (read-only) | \??\N: | 1076028349.exe
File opened (read-only) | \??\T: | 1076028349.exe
File opened (read-only) | \??\R: | 1076028349.exe
File opened (read-only) | \??\G: | 1076028349.exe
File opened (read-only) | \??\H: | 1076028349.exe
File opened (read-only) | \??\X: | 1076028349.exe
File opened (read-only) | \??\V: | 1076028349.exe
File opened (read-only) | \??\E: | 1076028349.exe

Modifies service (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | explorer.exe

Drops file in Program Files directory (12050 IoCs)
Modifies registry class (15 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe

Suspicious behavior: EnumeratesProcesses (4546 IoCs)
Processes:
pid   process
1212  1076028349.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   process
1308  explorer.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid   process
1212  1076028349.exe

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1904 | explorer.exe
Token: 33 | 1756 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1756 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1308 | explorer.exe
Token: SeShutdownPrivilege | 1576 | explorer.exe

Suspicious use of FindShellTrayWindow (67 IoCs)
Processes:
pid   process
576   DllHost.exe
1904  explorer.exe
1308  explorer.exe
1576  explorer.exe

Suspicious use of SendNotifyMessage (79 IoCs)
Processes:
pid   process
1904  explorer.exe
1308  explorer.exe
1576  explorer.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description | pid | process | target process
PID 1080 wrote to memory of 1808 | 1080 | a.exe | cmd.exe
PID 1080 wrote to memory of 1108 | 1080 | a.exe | 35045.exe
PID 1108 wrote to memory of 952 | 1108 | 35045.exe | winsvcs.exe
PID 952 wrote to memory of 1212 | 952 | winsvcs.exe | 1076028349.exe

Processes
- C:\Users\Admin\AppData\Local\Temp\a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\10387.jpg
  - C:\Users\Admin\AppData\Local\Temp\35045.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\35045.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\120162634617678\winsvcs.exe
      Command line: C:\120162634617678\winsvcs.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Windows security modification; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\1076028349.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\1076028349.exe
        Signatures: Executes dropped EXE; Modifies extensions of user files; Loads dropped DLL; Drops desktop.ini file(s); Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
- C:\Windows\explorer.exe
  Command line: explorer.exe
  Signatures: Drops desktop.ini file(s); Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f8
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: explorer.exe
  Signatures: Modifies service; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe
  Command line: explorer.exe
  Signatures: Modifies service; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Downloads
SHA512fd1c486b53feb520f0a90f9cc248cd77f428c66d4692f26947276efbed81d1df6cb2d0498e4cbee92cbbf70a5dc2d7488a4a32aca77a33e5d8c637185317b808
-
C:\Users\Admin\Desktop\GrantUndo.iso.ReadMeMD5
c7a415b8caf73fb7cae792afdb33f0a5
SHA1889e61e720ee9c39ae309324462efb3d3de22176
SHA25642d184b1df44c3990bca6699b3a281019b1d327999c8db3e10135be3b3f684dc
SHA512fe903fe04c9fb8ff472a825faa12137fafcf0bca01f090f74abab53b07c9ebe597398e077290b44d76882cf016bf47d10f18021a8d5d6f13249ded265e775b2d
-
C:\Users\Admin\Desktop\LimitBackup.ogg.ReadMeMD5
379c13620e86bfb29189e3a7a4bc6660
SHA14983d75ade8744ff8111093f14b8335e074e6575
SHA2563b2c0a3a888816362e4477b9b2046a8e099d49169e5292f34423be1b75ff3f32
SHA512c74e1e1b0c060dfb05cd203ea18c448a7df036536a3bf6998e4b6b68cbe68b6487c9848eaa0460dd613a1dec512e926299cc8ce7df3a27d15d8df39040448bc7
-
C:\Users\Admin\Desktop\NewEnable.au.ReadMeMD5
9f3c01a45bfa8bc89958cf2f0a420977
SHA1df28a220f15f1f5febbde4cdae8c3b44e163c33c
SHA2568fde1359b41f1ec8030cf751836eed89d318a778fd41e8f2754276520a5c8aa7
SHA51239fff1d5113ee8ba34c807df9f598460cca660aba2637df64a1265f3351d25c69fa4ef2f1277b14de005c9fff22e30664d0a54a09bfee50144901561c6fc437f
-
C:\Users\Admin\Desktop\NewProtect.csv.ReadMeMD5
47a71203f04cdebb53dbc7c79168e8ad
SHA174004cc491514a9c20ae0a3e78c31a317604a637
SHA2567e57027ee36ae2dadf83e16b9e7b7bd4803a5c075fc9807238eeb32391a16d01
SHA5125880ae2f320a5b7522a68b427949c072ed91129903bab01c23791b1a81875c559312985490e5089018d3d13ad61f411f8a5537321aee2460e8c5369e9266c2ff
-
C:\Users\Admin\Desktop\PublishJoin.aifc.ReadMeMD5
ef7e03f4fac10131e97ca31d48d2e17b
SHA166daad09744448ce3f8f20a373d37773476e45b5
SHA256df729413aa9579850d436f5271f1108e23acce068773ea7533555e5ba306cdd4
SHA512c49563f139015c74f8b3b3a5cbd750bdcfb747295c520ecd5a414a35c3365fe22746ab93e753f99465a9c260e6dc259050cbf4d8dde7a099925bca73a195a42b
-
C:\Users\Admin\Desktop\PushSend.mpg.ReadMeMD5
8e7953a56028808845e9e4f8cd9802fe
SHA197ccf470fbef92a8fdbfca047fa006d4f7240bc5
SHA2563d03ca8bbd1a4a74ac140c9f91728e08400a4db24d8019eb13f4db9f452cb710
SHA51238c256a2ae26b2bb8e746f816b1814097f88f6dc0405140108e402a51ee9c49269ecd2aed9fa939927a2ccfd217d4e4abad751ed8360bcdadc2c3e91cb668323
-
C:\Users\Admin\Desktop\Read_Me.txtMD5
fbb87717e779a76e3489302ad9db6e6b
SHA1b2308a9cb9a4d35e7ad19c49adc4a56e18372d7d
SHA256db339060d0450f78a6e28d89690bb235e36c26eeab2f16887a23dea19b8499fc
SHA51212e7d898dddc449a0c06a7d8d5c443742117b2e432ee46c805d5e852d67d34bc018e27b0d9e91b1de1759fa26328c18f5fa6a1a1239f23193cbc81a554547b31
-
C:\Users\Admin\Desktop\SyncJoin.iso.ReadMeMD5
bdc95ff91a66d1634d46278e107e0951
SHA1739f790453ee2d8b915a526b8c15cfc36943fd28
SHA25657eab59cd0a442b273c8e58decd37551d752da4dec2ddb6fff3ea9de7fe0477c
SHA5128ed87d1c503b109376d0131dfb6baccbd2c8c9df5c2c3b7bc40ae73562839e8ec6f5e225d225de22df01aef1561fcd44226a3aa2d6732d79d3ff82c4834e733d
-
C:\Users\Admin\Desktop\TraceUnregister.wmf.ReadMeMD5
0c48e22c7f8ffa6b8cf1008cbdf6262d
SHA1639b302b7e68de0e64101cc1e0c1ae012279bd46
SHA256fc4621c022750827abe7fecafde11feca6d556a6230a305a931612ff01e3a774
SHA512fb288793e9275d32771b18a8076b58fc109c5336706808d2e8bb092b0137b658f2297f97c174dda1bda283c73505f96a9ea96b279896d5d0d8658a7c09e1287e
-
C:\Users\Admin\Desktop\UnblockConvertFrom.DVR.ReadMeMD5
5af5fbdd12247711c38ec24855a69a29
SHA1850ad20f05ad49c3748fd959ca6609af3dde81ec
SHA2565dae066c54cb3aade0e881136ef61c8721758589a34920df6028b40f17b0d222
SHA51233f41bede523814159ee80b6b3a084b29ab20cf81ddd3e9510c8854c206c9deb841f5eb27667485f92e3c9948be5fb92506c747222918cd924413e3dc89a77e2
-
C:\Users\Admin\Desktop\UnblockSet.au.ReadMeMD5
810168777439cdce8d2ad5f062add3d5
SHA17293fe247477f6a57c9c67313e1dc90da85e7ea4
SHA256724e98b2c238728e3d000e10d1603586bf4dc794b1e6b23f37346cde7a10c4a4
SHA5127db56754421c67d761c0df8bf97c91e90e898ca4839af34d9ab21533069114e150c91e63d74e37267b34e1950f0dce38d92c48a3f31f8e00777e3434c73cd936
-
C:\Users\Admin\Desktop\UninstallRestore.m1v.ReadMeMD5
887d12f451b8d009a2aae83441db2a13
SHA1d013478b1b6ab199844198558c406fcee26b4897
SHA2562e5f0792cef3b63756e156a1ffe47530d2f7896810a6302b1de4bdf7b641c363
SHA512e4d4f36a1400ffc95bab08cfa53ad582d19c15d3def5ac9fdf585b80a10173b2ad44f13aedf2b2620c729cff629cee9ac650fbb2d86287de7e1189f70bc15057
-
C:\Users\Admin\Desktop\UnlockBlock.avi.ReadMeMD5
59003ae0fcc13a60b8cebd16a3ea148b
SHA1f681185ed5846458b99133f33fee5b52995c0bf0
SHA256f6b5619eb4d37bd67d9b5cd92ccc8086d302a1682431d00161cc1500065e063a
SHA5121d5a9ffc0865c3bd7715dfbd3497e81d9ded298b1f6748015e0551dea84f94579cc41fd1e2e18a357405975759578958aac319bf960be1cb509b007158c2ff49
-
C:\Users\Admin\Desktop\desktop.ini.ReadMeMD5
ac712555d33fc0912c21a4446a40e93c
SHA1c571d7b5e1ea5ad34e714dff4be82b119b1e09ff
SHA256264273125083adb014e33eda30bfd7696bc26d074c93b4cf49f19c020bef1a6a
SHA512b0b669b58a4a0a352c278b43159336cd05ac278746ff4fb1128a2f730684b8c1f1e3334132da077554adc31f9cdb515dfcb5a6dfc81acb8cb319eac0cbb23ffd
-
C:\Users\Public\Desktop\Adobe Reader 9.lnk.ReadMeMD5
a3550476acc0f779a0ce244696153cfe
SHA10416bdc409bab7d6852513e7ccfc856d695949c2
SHA25613272ad3279cd3f780822144b2c19703f0c81ab6a3a37278622365fc37ad4c12
SHA51282c1d454a49857622aa746e57900e00303b1576f181b8d565efb3fa572c3be19416b33530a3edc8c004ac7800475f353a39665d31180cf8e7f84d721d74ed31a
-
C:\Users\Public\Desktop\Firefox.lnk.ReadMeMD5
a06f723c0eb928b58516dd8aebf38b89
SHA1e72cd54944f5d7b8452fff7cff19a5b1264deec2
SHA256f43cc862930cfa25595c24301b752e04e371cfa2bc49026a968df5f96a51417f
SHA5124b6f17277fa3936d471397464858b60b298fe3442cf2a93bfffd266bd2282c799f81824928a4e2cf73fec985766622a71fd2a3d27edc9cf3d26f4a3ad29938ee
-
C:\Users\Public\Desktop\Google Chrome.lnk.ReadMeMD5
764cc03a40deff4cb5b6f6f359b07df5
SHA12012857fe9f0b635e1cac2d5a480659a2353c0f2
SHA2569d84579c78070fbfa6f668177fc9474e26106bc4ccd6f357daf086e1504e0933
SHA5121c2daa5e84817f8a0f0e05ce5ba89c7f8a25c65572216a8b1534335595581e23ee039f067671e8c7e9897bd750a6e78e859c95623955a0fe58cfac9d067ee48f
-
C:\Users\Public\Desktop\Read_Me.txtMD5
fbb87717e779a76e3489302ad9db6e6b
SHA1b2308a9cb9a4d35e7ad19c49adc4a56e18372d7d
SHA256db339060d0450f78a6e28d89690bb235e36c26eeab2f16887a23dea19b8499fc
SHA51212e7d898dddc449a0c06a7d8d5c443742117b2e432ee46c805d5e852d67d34bc018e27b0d9e91b1de1759fa26328c18f5fa6a1a1239f23193cbc81a554547b31
-
C:\Users\Public\Desktop\VLC media player.lnk.ReadMeMD5
357d78e5f61132d504a566d3db10a97c
SHA1152cdb8d3e481f2ea2bd651a9b3c444af6a02d83
SHA25617ed82122063edca81dfe32a65ab6ba066de9476a824f1deffc231d6591fecd5
SHA51228346c03184899d8006aebbfd75e7077765702285b416d9e37f375dfa7ac8b075d061fe23c97bfd875f28d0bb9eec656e4752351b9b6804adb3ff4d84971fbbc
-
C:\Users\Public\Desktop\desktop.ini.ReadMeMD5
fa77527ddc2adeb6a62271deb84e19a0
SHA13ee5ebfef7efda26f9734bfaaff51957f7700527
SHA2566774a61775a0f1a9b972e63b4f7064a3160a89b182d0bf76a9882d8f56ff43de
SHA512364c5ccb0ad00bb6ca9762d82819a2297503468e08308660e65b3c3960ff52368dca3eeab7de7114cc88aae0511d3d9e5b587620fca4591a4ed638996459e468
-
\120162634617678\winsvcs.exeMD5
1f8cef7b1f327e19ec561d1b80583d2d
SHA196795527c65711c13aef7f2cda3b5a0ff5779137
SHA256c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6
SHA5122bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2
-
\120162634617678\winsvcs.exeMD5
1f8cef7b1f327e19ec561d1b80583d2d
SHA196795527c65711c13aef7f2cda3b5a0ff5779137
SHA256c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6
SHA5122bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2
-
\120162634617678\winsvcs.exeMD5
1f8cef7b1f327e19ec561d1b80583d2d
SHA196795527c65711c13aef7f2cda3b5a0ff5779137
SHA256c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6
SHA5122bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2
-
\??\M:\$RECYCLE.BIN\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.iniMD5
a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
\Users\Admin\AppData\Local\Temp\1076028349.exeMD5
7d52884b375ce8b6182f1c53f0f1c496
SHA16b70e90b0dada8d93c61caa678e76ce2abcbc76b
SHA2569c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021
SHA51224350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515
-
\Users\Admin\AppData\Local\Temp\1076028349.exeMD5
7d52884b375ce8b6182f1c53f0f1c496
SHA16b70e90b0dada8d93c61caa678e76ce2abcbc76b
SHA2569c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021
SHA51224350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515
-
\Users\Admin\AppData\Local\Temp\35045.exeMD5
1f8cef7b1f327e19ec561d1b80583d2d
SHA196795527c65711c13aef7f2cda3b5a0ff5779137
SHA256c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6
SHA5122bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2
-
memory/952-8-0x0000000000000000-mapping.dmp
-
memory/1108-3-0x0000000000000000-mapping.dmp
-
memory/1212-13-0x0000000000000000-mapping.dmp
-
memory/1308-19-0x0000000003780000-0x0000000003781000-memory.dmpFilesize
4KB
-
memory/1308-23-0x0000000003780000-0x0000000003781000-memory.dmpFilesize
4KB
-
memory/1576-26-0x0000000003F90000-0x0000000003F91000-memory.dmpFilesize
4KB
-
memory/1576-59-0x0000000003F90000-0x0000000003F91000-memory.dmpFilesize
4KB
-
memory/1584-0-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmpFilesize
2.5MB
-
memory/1808-1-0x0000000000000000-mapping.dmp
-
memory/1904-18-0x0000000003B50000-0x0000000003B51000-memory.dmpFilesize
4KB