de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e

Resubmissions

24/10/2022, 14:59

221024-sczbashcfl 10

02/06/2020, 00:13

200602-s5zbncbaen 9

Analysis

max time kernel
146s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/10/2022, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
Size

6.0MB
MD5

df472f90c33e6c341a74fe1ca29dac70
SHA1

d7512488de06b677751014bdc48302c179542558
SHA256

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e
SHA512

4257e88d9c6f5eec59d1da6749c386b3859be04159ec37aba2adb3704e5f2ce11ef3adfb086b86d1bea03db300e1d82cab08f266cf6fae4d8f929e71918ddcf9
SSDEEP

196608:6lwfwLOxsdCZOGdRc7lg6MzQk67CU94Dy0q7:wnmF8O+9SQVCU9420a

Score

9^/10

discovery evasion persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UndoDebug.tiff	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1496	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02039_.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7F.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Uninstall Information\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_K_COL.HXK	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceAmharic.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\RICEPAPR.INF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.POC	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\local_policy.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\PREVIEW.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXC	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301432.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00256_.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX2.ECF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_pt_BR.properties	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.PH.XML	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Windows\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1020	1324	WerFault.exe	9

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
940	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1596	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe
Token: SeManageVolumePrivilege	1904	WMIC.exe
Token: 33	1904	WMIC.exe
Token: 34	1904	WMIC.exe
Token: 35	1904	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1772	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	29
PID 1980 wrote to memory of 1772	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	29
PID 1980 wrote to memory of 1772	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	29
PID 1980 wrote to memory of 1772	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	29
PID 1772 wrote to memory of 940	1772	cmd.exe	30
PID 1772 wrote to memory of 940	1772	cmd.exe	30
PID 1772 wrote to memory of 940	1772	cmd.exe	30
PID 1772 wrote to memory of 940	1772	cmd.exe	30
PID 1980 wrote to memory of 1120	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	31
PID 1980 wrote to memory of 1120	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	31
PID 1980 wrote to memory of 1120	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	31
PID 1980 wrote to memory of 1120	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	31
PID 1120 wrote to memory of 1076	1120	cmd.exe	32
PID 1120 wrote to memory of 1076	1120	cmd.exe	32
PID 1120 wrote to memory of 1076	1120	cmd.exe	32
PID 1120 wrote to memory of 1076	1120	cmd.exe	32
PID 1980 wrote to memory of 1892	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	33
PID 1980 wrote to memory of 1892	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	33
PID 1980 wrote to memory of 1892	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	33
PID 1980 wrote to memory of 1892	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	33
PID 1892 wrote to memory of 2032	1892	cmd.exe	34
PID 1892 wrote to memory of 2032	1892	cmd.exe	34
PID 1892 wrote to memory of 2032	1892	cmd.exe	34
PID 1892 wrote to memory of 2032	1892	cmd.exe	34
PID 1980 wrote to memory of 1064	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	35
PID 1980 wrote to memory of 1064	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	35
PID 1980 wrote to memory of 1064	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	35
PID 1980 wrote to memory of 1064	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	35
PID 1064 wrote to memory of 1408	1064	cmd.exe	36
PID 1064 wrote to memory of 1408	1064	cmd.exe	36
PID 1064 wrote to memory of 1408	1064	cmd.exe	36
PID 1064 wrote to memory of 1408	1064	cmd.exe	36
PID 1980 wrote to memory of 2040	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	37
PID 1980 wrote to memory of 2040	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	37
PID 1980 wrote to memory of 2040	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	37
PID 1980 wrote to memory of 2040	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	37
PID 2040 wrote to memory of 2000	2040	cmd.exe	38
PID 2040 wrote to memory of 2000	2040	cmd.exe	38
PID 2040 wrote to memory of 2000	2040	cmd.exe	38
PID 2040 wrote to memory of 2000	2040	cmd.exe	38
PID 1980 wrote to memory of 1684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	39
PID 1980 wrote to memory of 1684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	39
PID 1980 wrote to memory of 1684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	39
PID 1980 wrote to memory of 1684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	39
PID 1684 wrote to memory of 880	1684	cmd.exe	40
PID 1684 wrote to memory of 880	1684	cmd.exe	40
PID 1684 wrote to memory of 880	1684	cmd.exe	40
PID 1684 wrote to memory of 880	1684	cmd.exe	40
PID 1980 wrote to memory of 676	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	41
PID 1980 wrote to memory of 676	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	41
PID 1980 wrote to memory of 676	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	41
PID 1980 wrote to memory of 676	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	41
PID 676 wrote to memory of 1916	676	cmd.exe	42
PID 676 wrote to memory of 1916	676	cmd.exe	42
PID 676 wrote to memory of 1916	676	cmd.exe	42
PID 676 wrote to memory of 1916	676	cmd.exe	42
PID 1980 wrote to memory of 684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	43
PID 1980 wrote to memory of 684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	43
PID 1980 wrote to memory of 684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	43
PID 1980 wrote to memory of 684	1980	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	43
PID 684 wrote to memory of 768	684	cmd.exe	44
PID 684 wrote to memory of 768	684	cmd.exe	44
PID 684 wrote to memory of 768	684	cmd.exe	44
PID 684 wrote to memory of 768	684	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
"C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %temp%/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
    3⤵
    - Adds Run key to start application
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
    3⤵
    - Adds Run key to start application
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
    3⤵
    - Adds Run key to start application
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
    3⤵
    - Adds Run key to start application
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/ & icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:1832
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1596
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\SysWOW64\icacls.exe
    icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy Cpriv.key %appdata%\Cpriv.key
  2⤵
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy Cpub.key %appdata%\Cpub.key
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy SystemID %appdata%\SystemID
  2⤵
  PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1324 -s 1384
1⤵
- Program crash
PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cpriv.key

Filesize
2KB

MD5
9a26495d34b2ddc44fa334e894f6af12

SHA1
8f140986da38a7e917c1bd65bddbbba2ac35f387

SHA256
0e79f6bf382028594e09ff0d88ed1bb4163ce49e1f75a80d7aa10d8e171fe265

SHA512
0e528bae9256a2570cd5f39762921431dd99ee487fdbb1c139fd57f7c845899a1a013854afdcfcc66084ea662cc2ca6c34766e165a0b412f839f23a6e8449a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpub.key

Filesize
292B

MD5
bc66ec97431049e8212d22eafc2fb6f9

SHA1
05181f6f734ca3dabce697057282db6a592b05b3

SHA256
8e958e448fa1ace725bae16621c4e7a59a11e92da6a8d1ce46854f5e26083c28

SHA512
954468133220ab35678650ac863c289477a32fdca057ee7ac7357836624f6ebdb6d57e0bb2c5bb7ddb22e49d2308a77c93923d1fc3125b532ed2075cd8738106

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemID

Filesize
8B

MD5
d474ac18ca9e6b13a5d96992e3e2cea2

SHA1
7801c83cfce24e74be1aec01da46e382b59a1d97

SHA256
67ac2a08674d573e2d8823d66e629f593593d87edef0d4ae71413144fcd0134e

SHA512
129495ae579cb2d309626dd3eebe7e54f8591c4ba6afe543c9d884facd326bf8bf5cccccf58be5e1e72600e84b27ee08371a2f5c458f417f62fdb013ca93ef8d

Download Submit
C:\Users\Admin\AppData\Roaming\Cpriv.key

Filesize
2KB

MD5
9a26495d34b2ddc44fa334e894f6af12

SHA1
8f140986da38a7e917c1bd65bddbbba2ac35f387

SHA256
0e79f6bf382028594e09ff0d88ed1bb4163ce49e1f75a80d7aa10d8e171fe265

SHA512
0e528bae9256a2570cd5f39762921431dd99ee487fdbb1c139fd57f7c845899a1a013854afdcfcc66084ea662cc2ca6c34766e165a0b412f839f23a6e8449a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Cpriv.key

Filesize
2KB

MD5
9a26495d34b2ddc44fa334e894f6af12

SHA1
8f140986da38a7e917c1bd65bddbbba2ac35f387

SHA256
0e79f6bf382028594e09ff0d88ed1bb4163ce49e1f75a80d7aa10d8e171fe265

SHA512
0e528bae9256a2570cd5f39762921431dd99ee487fdbb1c139fd57f7c845899a1a013854afdcfcc66084ea662cc2ca6c34766e165a0b412f839f23a6e8449a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key

Filesize
292B

MD5
bc66ec97431049e8212d22eafc2fb6f9

SHA1
05181f6f734ca3dabce697057282db6a592b05b3

SHA256
8e958e448fa1ace725bae16621c4e7a59a11e92da6a8d1ce46854f5e26083c28

SHA512
954468133220ab35678650ac863c289477a32fdca057ee7ac7357836624f6ebdb6d57e0bb2c5bb7ddb22e49d2308a77c93923d1fc3125b532ed2075cd8738106

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key

Filesize
292B

MD5
bc66ec97431049e8212d22eafc2fb6f9

SHA1
05181f6f734ca3dabce697057282db6a592b05b3

SHA256
8e958e448fa1ace725bae16621c4e7a59a11e92da6a8d1ce46854f5e26083c28

SHA512
954468133220ab35678650ac863c289477a32fdca057ee7ac7357836624f6ebdb6d57e0bb2c5bb7ddb22e49d2308a77c93923d1fc3125b532ed2075cd8738106

Download Submit
C:\Users\Admin\AppData\Roaming\SystemID

Filesize
8B

MD5
d474ac18ca9e6b13a5d96992e3e2cea2

SHA1
7801c83cfce24e74be1aec01da46e382b59a1d97

SHA256
67ac2a08674d573e2d8823d66e629f593593d87edef0d4ae71413144fcd0134e

SHA512
129495ae579cb2d309626dd3eebe7e54f8591c4ba6afe543c9d884facd326bf8bf5cccccf58be5e1e72600e84b27ee08371a2f5c458f417f62fdb013ca93ef8d

Download Submit
memory/1980-93-0x0000000001220000-0x0000000001C48000-memory.dmp

Filesize
10.2MB

Download
memory/1980-94-0x0000000001220000-0x0000000001C48000-memory.dmp

Filesize
10.2MB

Download
memory/1980-54-0x0000000001220000-0x0000000001C48000-memory.dmp

Filesize
10.2MB

Download
memory/1980-58-0x0000000001220000-0x0000000001C48000-memory.dmp

Filesize
10.2MB

Download
memory/1980-92-0x0000000001220000-0x0000000001C48000-memory.dmp

Filesize
10.2MB

Download