99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

Analysis

max time kernel
185s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 00:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Size

324KB
MD5

930888edc9d1b200439f6d6c3d46d98f
SHA1

835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab
SHA256

99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e
SHA512

d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261
SSDEEP

3072:6BNmGSGtGSGOGOGlGln+VP/m8ClX0kUb+16H6b5p8I0yH/JN8HOWShM+L7aL7rBz:6+bELf/Ml/cWdi5pV/JNWOVhM+JI

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe

Executes dropped EXE 12 IoCs

pid	Process
1396	WinAlert.exe
1240	Commgr.exe
2380	WinAlert.exe
1156	WinSysApp.exe
4812	Commgr.exe
1772	WinSysApp.exe
768	WinAlert.exe
2188	Commgr.exe
544	WinSysApp.exe
1176	Commgr.exe
4532	WinSysApp.exe
4320	Commgr.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WinAlert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WinSysApp.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WinAlert.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WinSysApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
Token: SeDebugPrivilege	2380	WinAlert.exe
Token: SeDebugPrivilege	1396	WinAlert.exe
Token: SeDebugPrivilege	1156	WinSysApp.exe
Token: SeDebugPrivilege	2188	Commgr.exe
Token: SeDebugPrivilege	768	WinAlert.exe
Token: SeDebugPrivilege	1772	WinSysApp.exe
Token: SeDebugPrivilege	4812	Commgr.exe
Token: SeDebugPrivilege	544	WinSysApp.exe
Token: SeDebugPrivilege	1176	Commgr.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2380	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	89
PID 4996 wrote to memory of 2380	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	89
PID 4996 wrote to memory of 2380	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	89
PID 4996 wrote to memory of 1396	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	82
PID 4996 wrote to memory of 1396	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	82
PID 4996 wrote to memory of 1396	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	82
PID 4996 wrote to memory of 1240	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	81
PID 4996 wrote to memory of 1240	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	81
PID 4996 wrote to memory of 1240	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	81
PID 4996 wrote to memory of 1156	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	83
PID 4996 wrote to memory of 1156	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	83
PID 4996 wrote to memory of 1156	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	83
PID 4996 wrote to memory of 4812	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	84
PID 4996 wrote to memory of 4812	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	84
PID 4996 wrote to memory of 4812	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	84
PID 4996 wrote to memory of 1772	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	87
PID 4996 wrote to memory of 1772	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	87
PID 4996 wrote to memory of 1772	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	87
PID 4996 wrote to memory of 768	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	85
PID 4996 wrote to memory of 768	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	85
PID 4996 wrote to memory of 768	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	85
PID 4996 wrote to memory of 2188	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	88
PID 4996 wrote to memory of 2188	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	88
PID 4996 wrote to memory of 2188	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	88
PID 4996 wrote to memory of 544	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	86
PID 4996 wrote to memory of 544	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	86
PID 4996 wrote to memory of 544	4996	99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe	86
PID 2380 wrote to memory of 1176	2380	WinAlert.exe	91
PID 2380 wrote to memory of 1176	2380	WinAlert.exe	91
PID 2380 wrote to memory of 1176	2380	WinAlert.exe	91
PID 2380 wrote to memory of 4532	2380	WinAlert.exe	90
PID 2380 wrote to memory of 4532	2380	WinAlert.exe	90
PID 2380 wrote to memory of 4532	2380	WinAlert.exe	90
PID 1156 wrote to memory of 4320	1156	WinSysApp.exe	92
PID 1156 wrote to memory of 4320	1156	WinSysApp.exe	92
PID 1156 wrote to memory of 4320	1156	WinSysApp.exe	92

C:\Users\Admin\AppData\Local\Temp\99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe
"C:\Users\Admin\AppData\Local\Temp\99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1240
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4320
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4532
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
324KB

MD5
930888edc9d1b200439f6d6c3d46d98f

SHA1
835f1a4b3bfa0c7d1a0a910dae3e1290b37a82ab

SHA256
99da589fdc02aa9d7d6b38c08bdec0935142d92434a3f263405dff7a4f22e20e

SHA512
d29cf28fc0f7f272fecfdeb51fc2f49b37d7b6dfbd2dc192f3e1cd56c83c368c4a71b4d5ba7a116de30865df69b1beee45e850bd7f25adcef03f0f898f2ea261

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
370B

MD5
e2cf0888d496e68c8a8497d735ea23ee

SHA1
87e99be2f20fc49d94edfe5e772abb3f62a89281

SHA256
87ff1570c6bc80a42c27037affbbe8a4d252b51ad324cafcee4c6c4a53eb499b

SHA512
17b1343f40069b6bf482ba053a17b40f3ec4e5d0f869ae1204cc67323aa2db2b3ca10d0752503927a6f7d11993b103c31160d6ded05ae88e2f0a485ce77eb1ae

Download Submit
memory/544-174-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/544-164-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/768-171-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/768-162-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1156-159-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1156-179-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1176-175-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1240-157-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1396-156-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1772-161-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1772-170-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2188-180-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2188-163-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2380-158-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4320-177-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4532-176-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4812-160-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4812-169-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4996-133-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4996-178-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download