773feea1bd44fec204c72fab08cd490c50a3d39d50d9a58d031eaaf2d8674c60

Analysis

max time kernel
30s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CmdRegCleaner.exe
Size

418KB
MD5

0aeb125525c77edc57fb2c7e97d14467
SHA1

7b68218bc50ae922a1526393e9c4ef3870cc8243
SHA256

c20115171317123951b4e6306bfe29a2eb83cc4dafb2d3ba99663aafd336adb3
SHA512

e3bd20bda611757d1efe12e13a2e8138e167c074466512ab3248958a4a2039e128b2dafde00571455e8e1ff943e1ebaf64d2d8193598dee7baed38d16910e82f
SSDEEP

12288:pRZ+IoG/n9IQxW3OBse4X+tixbtjGtSYLNdZo:h2G/nvxW3WuN5GtrLny

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 47 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe

Executes dropped EXE 1 IoCs

Processes:

CmdRegCleaner.exe

pid process

4988 CmdRegCleaner.exe

pid	process
4988	CmdRegCleaner.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9432194C-DF54-4824-8E24-B013BF2B90E3}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82B02375-B5BC-11CF-810F-00A0C9030074}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F48B770A-CBE5-44C2-8D4F-931DE9CEE6FA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{186974B7-47BB-4673-9CDF-EBEDDE957427}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0046-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFC20920-DA4E-11CE-B943-00AA006887B4}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3F052B8E-512B-419D-9E06-9B9ADDC7118C}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6E13344-30AC-11D0-A18C-00A0C9118956}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A624388-AA27-43e0-89F8-2A12BFF7BCCD}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0027-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84F66100-FF7C-4fb4-B0C0-02CD7FB668FE}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33154C99-BF49-443D-A73C-303A23ABBE97}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83C25742-A9F7-49FB-9138-434302C88D07}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC529B00-1A1F-11D1-BAD9-00609744111A}\InprocServer32	reg.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CmdRegCleaner.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CmdRegCleaner.exe	upx
behavioral1/memory/4988-135-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/4988-139-0x0000000000400000-0x0000000000429000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\124F.tmp\shutdown.exe	upx
C:\Users\Admin\AppData\Local\Temp\124F.tmp\shutdown.exe	upx
behavioral1/memory/4596-146-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CmdRegCleaner.exeCmdRegCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	CmdRegCleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	CmdRegCleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3156 1828 WerFault.exe
4624 3356 WerFault.exe

pid	pid_target	process	target process
3156	1828	WerFault.exe
4624	3356	WerFault.exe

Modifies registry class 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244A3-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87379803-2FAD-4801-ABDF-218B5D2F076F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8BB8494-D3A0-4A0A-86D7-291033A8CF54}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\iso-8859-5	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{336C75F2-4E4C-47c7-B4A9-D99AA7F81591}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{69CEDC24-BC35-3354-B324-6BD5F3ECB757}\4.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{765653A0-2B24-38E4-A6F6-5CB325E8CCC9}\2.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000209DC-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\Version	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A90588C-C066-4BD4-8FE5-722454A15553}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FA61A54-9D29-4997-8BC5-B9D804EC62B9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A60-F07E-4CA4-AF6F-BEF486AA4E6F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0321-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CDF168A-6E3C-4004-93AF-A3D5E3C8DCF9}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\microsoft.windows.camera\AppXnzh5v9w1s9pv2y889efv7t8bg0msmhca	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cplfile\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\Protocol\StdFileEditing\Verb	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00020937-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244D6-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C037B-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Win32WebViewHost_cw5n1h2txyewy\SplashScreen\Microsoft.Win32WebViewHost_cw5n1h2txyewy!DPI.PerMonit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SVCID.Local\7f7b65b8-769f-4221-a079-d93a05a933df	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.avi	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB02-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A375119E-DFD5-51A6-BDE2-87297A3181BE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.jpe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\C0CD7D12-31FC-4BBC-B363-7322EE3E1879	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.acrobat-security-settings	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{89A572CD-0865-35D2-B6BA-4D43B64E123E}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEBC-D33A-4a4b-BF23-BBEF4663D017}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\Implemented Categories\{4FED769C-D8DB-44EA-99EA-65135757C156}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0312-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CC-5A91-11CF-8700-00AA0060263B}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DB-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PKOFile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\AppX69r31t6nmawqr1gdamcsndphj2v4a6cx\DefaultIcon	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.LockApp_cw5n1h2txyewy\PSR	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F72A76E0-EB0A-11D0-ACE4-0000C0CC16BA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAE3CC38-94BC-467C-9359-BCC811FA9940}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.dv\shell\Open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30590071-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA5CB2A4-456B-4906-B3FA-5191F98F7068}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp4\shell\AddToPlaylistVLC\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.SkypeApp_kzf8qxf38zg5c!App\windows.protocol	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MPlayer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{56B47D6C-2795-39D8-8B21-CDCC7BE7ECBD}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.CSV\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Forms.SpinButton.1\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Servers\Common\shell\Windows.RemoveDevice	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.oga\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020830-0000-0000-C000-000000000046}\Conversion	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002095F-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4608 reg.exe
2548 reg.exe
396 reg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CmdRegCleaner.exe

pid process

4988 CmdRegCleaner.exe

pid	process
4608	reg.exe
2548	reg.exe
396	reg.exe

pid	process
4988	CmdRegCleaner.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

CmdRegCleaner.exeCmdRegCleaner.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 4988	4768	CmdRegCleaner.exe	CmdRegCleaner.exe
PID 4768 wrote to memory of 4988	4768	CmdRegCleaner.exe	CmdRegCleaner.exe
PID 4768 wrote to memory of 4988	4768	CmdRegCleaner.exe	CmdRegCleaner.exe
PID 4988 wrote to memory of 448	4988	CmdRegCleaner.exe	cmd.exe
PID 4988 wrote to memory of 448	4988	CmdRegCleaner.exe	cmd.exe
PID 448 wrote to memory of 832	448	cmd.exe	reg.exe
PID 448 wrote to memory of 832	448	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\CmdRegCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\CmdRegCleaner.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CmdRegCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CmdRegCleaner.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\124F.tmp\1250.tmp\1251.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\CmdRegCleaner.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\system32\reg.exe
reg delete HKCR /f
4⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:832

C:\Windows\system32\reg.exe
reg delete HKLM\Classes /f
4⤵
- Modifies registry key
PID:2548

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_SZ /d 1 /f
4⤵
- Modifies registry key
PID:396

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableRegistryTools"
4⤵
- Modifies registry key
PID:4608

C:\Users\Admin\AppData\Local\Temp\124F.tmp\shutdown.exe
shutdown -r -t 00
4⤵
PID:4596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 1828 -ip 1828
1⤵
PID:2996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1828 -s 2476
1⤵
- Program crash
PID:3156

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:3124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3356 -ip 3356
1⤵
PID:2376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3356 -s 2820
1⤵
- Program crash
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\124F.tmp\1250.tmp\1251.bat
Filesize
396B

MD5
b9f3ec00075183ce1d4f65f55ed6a971

SHA1
09681a41472d17ad6ddc289f1b70952ee1afa524

SHA256
ff15fabb0dfe55ea5d5e951ddc7d232c8dd299d369530b2c938e9d0fabb8c7a7

SHA512
2749a9725329774823090f940a456bf178a26909337129b933761b64e151325129a2472f2331748b4e8b3e8aa7b49dde105c54261c1e6c702bce7f3066c4aa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\124F.tmp\shutdown.exe
Filesize
45KB

MD5
f7318a6ca1ff34c75f72df07acc2d4ce

SHA1
31117c14ec440e42219548f54cbfad98e07f3fea

SHA256
e71c67aaa96bdc3a52fe3436b8ea2993fda2fc9aec0e46576d373e0d98cb105c

SHA512
03bc474c9a2487eaed9f5b996976d8d8df8afdd9478b2f6d8ea834513d72b606c9d95d8ecd8a8369c8f7d0005097453c21543caf57b4d906a350c89740a45bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\124F.tmp\shutdown.exe
Filesize
45KB

MD5
f7318a6ca1ff34c75f72df07acc2d4ce

SHA1
31117c14ec440e42219548f54cbfad98e07f3fea

SHA256
e71c67aaa96bdc3a52fe3436b8ea2993fda2fc9aec0e46576d373e0d98cb105c

SHA512
03bc474c9a2487eaed9f5b996976d8d8df8afdd9478b2f6d8ea834513d72b606c9d95d8ecd8a8369c8f7d0005097453c21543caf57b4d906a350c89740a45bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CmdRegCleaner.exe
Filesize
89KB

MD5
87418aa876e135c99e5b493d032b8355

SHA1
2e11c59b9ab9b0e86917a4869dde5ae53c74ab89

SHA256
faee0b377af7c269c8f0c6ee44d22dca0ad41551457b5d03f4dcdd744d4de096

SHA512
40915e7bb7c349c1ad8de5d1ec426c08865c89719f7bf2a83bbc06e7804bca57cca8e436c285939c467f04958c993a7e3f5c51dfef67c622b34e36c2c27af10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CmdRegCleaner.exe
Filesize
89KB

MD5
87418aa876e135c99e5b493d032b8355

SHA1
2e11c59b9ab9b0e86917a4869dde5ae53c74ab89

SHA256
faee0b377af7c269c8f0c6ee44d22dca0ad41551457b5d03f4dcdd744d4de096

SHA512
40915e7bb7c349c1ad8de5d1ec426c08865c89719f7bf2a83bbc06e7804bca57cca8e436c285939c467f04958c993a7e3f5c51dfef67c622b34e36c2c27af10e

Download Submit
C:\Users\Admin\Desktop\AssertOut.aifc
Filesize
211KB

MD5
44a0033314d53e46327f8eb803c5013d

SHA1
8305dc1e485dc2b1b068d6f52a4192d91b62955b

SHA256
c8002edb442276a7d3e010ff6f8b430d1e0686d608465ad7af90d6547895ee81

SHA512
3ce58dee21627151329976916f2f4b2d96b0e9e171ea1793f59756fbd036b17de0e4e9b5001462915cf45bff958b49f0b06f2c2c0a6be5f48b2e066654442448

Download Submit
C:\Users\Admin\Desktop\BackupGet.dwfx
Filesize
284KB

MD5
4895e7d0c8e6e33a2d1ae10198634876

SHA1
b638a7e45afe2fe9bead0d4b1f950ea55ea7c35d

SHA256
b41d09e18290ed97c51cbb6f4bac1961160d412e1d939d43defa1b9f517aadcd

SHA512
36b2e69809b91e9595a67085133020f9ec1d146c00a683de23a0ff5c6965295b4d1822eaf2f7aa4d5e27669343addfc9a68c85d9d4aeb2455f70daf731ad66c5

Download Submit
C:\Users\Admin\Desktop\BlockComplete.TTS
Filesize
591KB

MD5
e1ee13e734d8ed53dc5c84096ba1b9d7

SHA1
0b389ac38a9aebea21909c1037c2bd19c78cc1a3

SHA256
b58db816f8654d45a68a085020c7d4c5bb0713ee66200796bb9a183a8ba42938

SHA512
d1d19c9f38965ab006412c1bde65b98b42948d932d301232dfd21f0dbaf2ff6a27d2604f0b3d5aa8141cee0590570fae8d6ba9d02a7602d63a071c00e42b8a5e

Download Submit
C:\Users\Admin\Desktop\ConfirmRevoke.mpa
Filesize
445KB

MD5
7d37fbca05b9ccba56fc6472c9890f96

SHA1
6a17381257e8844306bd0dc019ddef718c5d4cfa

SHA256
2691d453e92ccfcdc38158ec6a5d0977a318af785d3278fdaaebb00e98f0a5c2

SHA512
1d0d1e491ed92cea8949940d31b85591250c7a3131e8a68ebaa789502f218a6b66963fd5dd78ae85baf2f3107937997e8fff79adfb1ab4617785f0f146603948

Download Submit
C:\Users\Admin\Desktop\ConnectConvertTo.rtf
Filesize
504KB

MD5
40106683bfae12df1945df01f9048765

SHA1
ca69ff37471f8b3a28cd6f34f4bff1369f80cc51

SHA256
4f8414b12f7cc1bb95052f48dc9f85ee99d0f06bf68bde5d8520c570606e0b89

SHA512
43bca4d934004e3cd4f7a840fe588c54c02be29d31be8dc7bd79570d5fd2262470e2cafa84551f6fb83c4674add72ae3ee370c957aec8b1aa75267871bb10c5d

Download Submit
C:\Users\Admin\Desktop\DebugSplit.mht
Filesize
328KB

MD5
ee04407b46d05bc26e8c48725d3f3611

SHA1
d9b26a1416fa3aa28973a67bf4f72f67aab83e55

SHA256
0e331be9ac0c6c33489baee7efdf2db5d48e1552fdf6967ccedb89c1ca38e1a6

SHA512
91279f5b0aa52a1b3d78c8c77c86be7c460ec3a8185b81181e798cb3afef710bdb14b44be6c959f66b7fe5dd91ebd94692be83df2e935c190666e5361dbe4216

Download Submit
C:\Users\Admin\Desktop\DenyOut.3g2
Filesize
401KB

MD5
99472179d5a3ce3e0071c698d948674a

SHA1
2b2602c16b9bfb13a9762f425e7fb8d1c86cfcea

SHA256
96cbe70d984233b15515e123c7c0bc917045ae77a6b831dc938104d7eb2ac6d6

SHA512
07b93720552146eb20a6729129b4ec69d8d892da179ab5cf7de4903d3cdbc809d5a2bd21055a477eb36476b0b7717440cd0aa4cdf72adaccee2211d0df5ad3be

Download Submit
C:\Users\Admin\Desktop\DisableUnlock.doc
Filesize
577KB

MD5
e19f2be4a0855ce1ed845aaaee1bdd29

SHA1
c118494ae55af3a6878a0917aa8a025aedc52938

SHA256
0a169e6f1287227a5daacb7da75cb31eaf10216a14272a7f616cdc621422be44

SHA512
c6aa08725d705a73b090dd4ec59e01855f9d6cafb207d657853f8d65c7e4e421447d7c8e5b5bfcdc854e86137172313466205c74fb84f49604447d09e9ae9ce6

Download Submit
C:\Users\Admin\Desktop\DisconnectEnter.wmx
Filesize
431KB

MD5
adebb09c329027f646f137d08149d2b7

SHA1
d316436cbf54009da6d955826559f1864351c920

SHA256
33ace572002c66292cc47949e0c5cfa42501547851c0b8478be847e34e405566

SHA512
5f5dff69bd03473f35221f03e730391b7881ca5d84f30135fefc3fd35d7084bf70f46139c6a4db85e87b50f7cd6258c4d29f3abf1fb917b6c88913d8d8a7c476

Download Submit
C:\Users\Admin\Desktop\EnterLimit.svgz
Filesize
372KB

MD5
b7ea094b064d835625cac067b848cddf

SHA1
336dc9672df5f99acd84298c7b143449c4670ef8

SHA256
956b7ce067b5964944346180e9c6323b24bf054ce62d1c95048b3c57b43886ad

SHA512
1be6f89bb44d6f35f416ff6f915f8d978e3d4ae6851bd7a22839d2d46b3b9a067b17915ed020261e08081055f7081ed2570c46067845d7a103ccef205b36dec1

Download Submit
C:\Users\Admin\Desktop\ExpandSuspend.xlt
Filesize
343KB

MD5
4fd05da114b6aea85550b948aa2b44e2

SHA1
45b109e2637b533d09f3676c8bdb213aebbadbcf

SHA256
0c91274ed815f0dceedbdc809f90f67663baa43a3a2f0f5281a8bd20b0e6350c

SHA512
537d02153da9fcb87de3c2ecf6932c7a7bb3f150a8a0bb564d4b6fd1140f6554e6265329e12a4ef03294067e906727741898573dac4ec4c0a90743551d65ddc5

Download Submit
C:\Users\Admin\Desktop\GetLock.dib
Filesize
387KB

MD5
0b22c27e3e9d07a502963aa5d70a2d1e

SHA1
28f2414653f5cfa605926e04feedd37a88586c85

SHA256
5b2f31a7476cc89d738fa6ffeb90e199e88dee32fcdabfd6e2166ba0b2a3b875

SHA512
f84b0caa6f168361533e5587242d3172ec6b2a62be37c2e0768a76fe9e7c316bc086bb1b1be8d8d9faadcc0eb231666d649659d63f7db4bff92f29b564c0becf

Download Submit
C:\Users\Admin\Desktop\ImportInitialize.inf
Filesize
518KB

MD5
db14c17246eacdb68b04fcbee0ec575c

SHA1
ed1fcc797aa13f58d42c91371916c82c585f0b68

SHA256
6cc38a86ea86df0ba6cd85b80baec448af01a19dace277707a61e281d73ef278

SHA512
15be0cb5c5125934324ab72e9cb01c42ded0d8c4162d2dd57311c7b8deb578c59f8fe2e8530176dd3d0ea1115f0a2bb4db52f38d1d354c14cc40e4fd12e05975

Download Submit
C:\Users\Admin\Desktop\ImportMeasure.cab
Filesize
270KB

MD5
78fb3b9a97977daefc400b4bfa62ce2c

SHA1
b0c44a038eb82681f7f9ea7e48f5caadee0b97b2

SHA256
53366d0119238bc7a5ed42eb84f7430248691dec6417a9951a4f6d21e89d7d64

SHA512
7c147b55f7b1980f342125e1fb8004a5bec1bf8ab5607a576f03842640493d3b976ee54209816f1300a5116e15ab88a1638c769be86013138555e63f96e75faa

Download Submit
C:\Users\Admin\Desktop\MergeClose.csv
Filesize
241KB

MD5
ecd11486a85e6580f2811be19b06e569

SHA1
901d6eba7975031ff627524d2c4c43678cac58f5

SHA256
ab28454a5357674d43edefe1f48e966c2760a252002a6375111d933bd4b0cf45

SHA512
8684bf41407055c49bc52dd969f21893cc5ee232a15eae89edde808e064131110f1bd3f5b98069616fdb6a425cec660c650519b26525ab4330844dbd2ed22403

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
c59499d5cc30b661c52b91975e5de7c7

SHA1
d7e4c4e3f4389f5e407b94fa587c16110820b6e8

SHA256
60d3a963843f0dd655ac85d515f7b32b26ca81524811e86f225b6bf41bd412b5

SHA512
cde1e2d48a04470f172cf51bf5839b9a054534dc61ea1866d564061d4eed84a2670dbd55d222e28f1a9b0a470fc05fc7e6d19edd1b9d7f0c5931a7e42557d3a0

Download Submit
C:\Users\Admin\Desktop\OpenOptimize.odt
Filesize
226KB

MD5
58cda6f3a8ae594af3ba4f81a5d05293

SHA1
64aa706db604d1ac3e57b08382fab979cb4ad910

SHA256
7195d3909b56ba50f803b7172c52d6dd217224beb8d7f7d21faee8afe48a7a70

SHA512
721bd971cb31be49addc870ce180b209132821cb6ad2d4fc5c6133d925395e5185864dd424f83777b222084187b40b56c90b7687b06225eb0e5eeefd0f088a95

Download Submit
C:\Users\Admin\Desktop\OutGrant.mpp
Filesize
489KB

MD5
69e87fa72cb96d0ddc65f0e837d9039e

SHA1
4b42dfc8473a572bbc5ed9cc8cd2212338143412

SHA256
e0e13ad8c5d295d2f6026f526565fb9b1dd85fd1eb14bdd43fae068bc50c5d19

SHA512
5213aa78ad9177f1d5b9255cadc0b71499f952b34655ddb88518805104052185f7ce53d7c993ef02b3542ed061972181df367378503d0c9b49520e3385c3d3c3

Download Submit
C:\Users\Admin\Desktop\PingDeny.shtml
Filesize
547KB

MD5
ad34bc6685f5890bfd4c2709356f5e5e

SHA1
2d0d896b87537fbe83623bf10944140e8545dd2e

SHA256
85c4b78426118e7dc742e49da0d86b5d90e9c5abc812abb7c613fdf534a7dfca

SHA512
005cb6afffc9fd90356d63c499b3eb41b45a700b16b7a37899ba7ff95de1dc553db9e5fb0ac046bd46548f05004b5bfef68c3feb23ce327a179cc28af96d8a57

Download Submit
C:\Users\Admin\Desktop\RedoRestore.ttc
Filesize
416KB

MD5
667a4b8e513efbeebf3c7b82abcac36a

SHA1
c667f86d7f10331f176a623af793c9ae052c7f2a

SHA256
938b4c4b63c3e7675677ae68bc3eeae67a281923dab4c08ea0b6035fcea1e2ca

SHA512
7bc8279561a801c35ad54a186234979f410654c28867b539c7199a7d0729951dfa85d1c814f4b0e547399327e8d68d5b0d924ac4ee8aff5fa95053a4f34a0e61

Download Submit
C:\Users\Admin\Desktop\RemoveSkip.vbe
Filesize
299KB

MD5
7a90144864bd5a4a1060fb747e65377f

SHA1
e87d698ace485654d43fce24f44b0b42b05ea140

SHA256
8d93771c3349e76e93ceb47096348388d68f08c91e0e882e97cbea2cbd302a96

SHA512
745814c63ae1418065112f014c71d8c75cde02edc725e2bcb3b06b1c6a1635302b5ad749f4a78e47a3178cd6df71086ffbdebec51781ef748068ef5f7592289f

Download Submit
C:\Users\Admin\Desktop\RepairMove.svg
Filesize
460KB

MD5
3e6d1c8a8789cf3f9e3396a1a029d4c9

SHA1
8448ea4e0eb37511f535fa1b6ef82e5041054f7e

SHA256
73050b7f125954ac6ae80ae9bd46a618f6d02cd0e67b4ef637ed90f7e837a2d7

SHA512
b392d670e2c30ba39b93b8cc973e0875c6c0555bb93b45d88a75cc10cab2af8a9d99f2cdefc05c9ece356a06020c051abf90ecf4833f884204131383ca824552

Download Submit
C:\Users\Admin\Desktop\ResetStep.wma
Filesize
314KB

MD5
5c9a1a8c22f384584aba49e62935e40b

SHA1
577d4ef2abd8f5475afc2ab26f6cc7070cf898a9

SHA256
b7f043a784c6dc59f6be9a61d7b7100bf3eedf96e93f187b53dc865c4ee8b74a

SHA512
700ce9185755e8e1f95c0e98831eb8bb6f71a0373a52d5c508153d6e37f35d7607dd2ab957e827fbdd8dddbf37162338693ca7d9c06289a3b6ceb12d2b654f0d

Download Submit
C:\Users\Admin\Desktop\ResolveConvertTo.ppsx
Filesize
474KB

MD5
c791b4cda875a2e5f28a5d0a8b876cdb

SHA1
772fdd28f7be1044a313ff425a8d968d291e7edb

SHA256
02c724da333c7c907a19418baf94885108add16b6c6d4589262db3629d6c7d74

SHA512
9e39e724b72811b9d49601d7ee0648088df16ac4eb587514d4f442e2a95229794bb92766747d8b87dc9eeeab761c36761650bd725aef1aa50cd96ae1ae8ea208

Download Submit
C:\Users\Admin\Desktop\RestartSync.doc
Filesize
255KB

MD5
949fe45d3eb228ac41f21968b1c2de1a

SHA1
2230fb950174b97433409e11f646eb841bdd3cf1

SHA256
e020950b419c341e2ba359d8bd497fbc6718c5bdd90614cf0856e58036c770d4

SHA512
82a8163dc14ab89665311b1acb80e458ab45f0ffdab15220f978903e9b9405173f22bfab2c8f07a10c750aa31228bd5137e6d6e8217fcdd6205fe3a07b69d507

Download Submit
C:\Users\Admin\Desktop\SaveSubmit.vsdx
Filesize
832KB

MD5
a74749856ed97373d1acc479f6664a6e

SHA1
e240ba6220e96683f892ce557e99f939205a28f2

SHA256
2bb5217e3a60c11a710ad6b689a6a569dac057b6e03312685ac7fbd0eb2e5a9d

SHA512
1849de79bd0a2dad917513ba7a1a54ac536b0b37d0ef106afced118ca1fd9f4d075c9934b340dbaf4c79223b728014e28bff9e1fd8034c1d745a493b5d4c003f

Download Submit
C:\Users\Admin\Desktop\SubmitGrant.au3
Filesize
606KB

MD5
310d29379cf150a77543805249eb9b1e

SHA1
2e31e8cab578db27f5e533eed4958de40f9a6e09

SHA256
b9467ed62a5fa12ab3f7110c0a84230b09c75f17822d3f2dc98073f776a1d5db

SHA512
482e273a6fd1a3405763a5cd49530d11a4738f3c680d37ddb4b06c61ddf3dbfed2a804f72557f017488d388e350eb92d17457f0ab46ac6a1dd0cb07014f25128

Download Submit
C:\Users\Admin\Desktop\SuspendDismount.xlt
Filesize
357KB

MD5
450666d20731d1a7d577d069b8975763

SHA1
a97f1d284023afa5dac0cfd3bdd5febeac5b987e

SHA256
5b390f7429ff13ca33fa3fd4d7b2a345a093c372e6053192ea51e6839777e78b

SHA512
aab9a23b07ceef010b120fcdfb3ae2fde911cb55718e46c5d27433caa935c9985755f2bd1f7681e60ecca301ac82ff07fffa07ce32d20863f7c3521a0cff7c6e

Download Submit
C:\Users\Admin\Desktop\TraceProtect.TTS
Filesize
533KB

MD5
0aa8f99744d312c081c37e6fed6963ce

SHA1
20fb5e59ea1b04932402f6d3379351ba0ce4215d

SHA256
b547a297356366422d991940dd475ce986b189403bfd15b394c82e6bfd9f4c9b

SHA512
dc1d0873715e30763ee105bc0ae025466f06a49fba57ff8fca92b51f41b1a152c9b7f8fbf8f2487f3e23c341e3f59d3e89250f912bc03077a6acb45ddb5e94f2

Download Submit
C:\Users\Admin\Desktop\WriteUnregister.3gp
Filesize
562KB

MD5
ba2322ef4a21145759e2af77c281d708

SHA1
e78f84ac86c46bafeded807b33101115de18d135

SHA256
469d1c565668b4eb958b33a5d7a98d4c0ab5fcadabe7e2038ca8ee99995c5617

SHA512
9c2b0ae77eb60c8be518c0a662abefe0116c2a46f6a7bff64b77965a115d342860a54efc3f05384c333144eb0584664d36add1ca470152a822bbace33901adbf

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
27f5421315bac31c8ddf3017a5d235ae

SHA1
dcd289ba8f65935b0ad4610b8a816213adf0401c

SHA256
66e571fbc441d2d6fd5eb352eba7b4356c4e38e12b917ce0dff3dd82f2170766

SHA512
3579c1a1661b0ca844c0ad4d896727d682390cbc63fafb660faff00a011a0ae3cf7e53b5ac4f94cd3bddb644934fd42e7a89780836419675a8a1329a2dd5bb89

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
eab9caf1c5b621c64970aaf4919ad70c

SHA1
98a09e9ee47955f87294fc8c1dcbd535bfb12670

SHA256
57ab4457a679178306c919ec18b6494f0354d4d94e0f4c518dd454d161ae8ee5

SHA512
cc2079ffc102e58180c472198fc83f2cb85efb67e2655d4c36560bb9360c9b5447f8428900ee3881a782b3445839b76f93daf9c257a109a0ead2a78bf3bf8de9

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
09b7fb52d3a15ab23f554e081f426244

SHA1
b8ebf9bf5d2fe80ae1fc6fb818171226e3936618

SHA256
c7644997fb23f7d94b48de4fc12b02f15372fb1c65c39a9d597a636e6592b16e

SHA512
abf25107bb4ae403204f043db23c5833afd55ff4285aa092262a07c5a83909cd91f13570af6f4b817a35acdb14e662483aa25086e6d7166bc0e030b7edbb3a98

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
3921629f83a04ffb159a1824c3a8594c

SHA1
c475485d6da080e0cf960d0fb21fc7c36cdb9e2a

SHA256
5a92af810d5393bd9777a459f8c6e545364c98b07bba27509a182cb0f83064fa

SHA512
3894ddefcbccc3ab93796d5852fe8ed1a775a7594fbee8680ce88a666349332081d52a7f7a1483a5cd0e18e69b1b36f6cfa227c4e24237287105f2b7ec460594

Download Submit
memory/396-141-0x0000000000000000-mapping.dmp

Download
memory/448-136-0x0000000000000000-mapping.dmp

Download
memory/832-138-0x0000000000000000-mapping.dmp

Download
memory/2548-140-0x0000000000000000-mapping.dmp

Download
memory/4596-146-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4596-144-0x0000000000000000-mapping.dmp

Download
memory/4608-142-0x0000000000000000-mapping.dmp

Download
memory/4988-132-0x0000000000000000-mapping.dmp

Download
memory/4988-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4988-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download