d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Size

432KB
MD5

b4fc3739d4a1d4ed2729ff9c50b5ad16
SHA1

eca039c37693c947dd712ec73eca46e6ae8d5693
SHA256

d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4
SHA512

1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f
SSDEEP

3072:KylGSGtGSGOGOGlGln+Vk8m8ClX0kUb+16H6b5p8I0yH/JN8HOWShM+L7aL7b:KgbELf/MS8cWdi5pV/JNWOVhMr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe

Executes dropped EXE 12 IoCs

pid	Process
628	WinAlert.exe
584	Commgr.exe
1344	WinAlert.exe
564	WinSysApp.exe
1696	Commgr.exe
924	WinSysApp.exe
108	WinSysApp.exe
1224	WinSysApp.exe
1624	WinSysApp.exe
1396	WinSysApp.exe
572	WinSysApp.exe
1084	WinSysApp.exe

Loads dropped DLL 16 IoCs

pid	Process
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
584	Commgr.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1344	WinAlert.exe
584	Commgr.exe
1344	WinAlert.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
Token: SeDebugPrivilege	584	Commgr.exe
Token: SeDebugPrivilege	1344	WinAlert.exe
Token: SeDebugPrivilege	1696	Commgr.exe
Token: SeDebugPrivilege	628	WinAlert.exe
Token: SeDebugPrivilege	924	WinSysApp.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 628	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	35
PID 1808 wrote to memory of 628	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	35
PID 1808 wrote to memory of 628	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	35
PID 1808 wrote to memory of 628	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	35
PID 1808 wrote to memory of 1344	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	34
PID 1808 wrote to memory of 1344	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	34
PID 1808 wrote to memory of 1344	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	34
PID 1808 wrote to memory of 1344	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	34
PID 1808 wrote to memory of 584	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	33
PID 1808 wrote to memory of 584	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	33
PID 1808 wrote to memory of 584	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	33
PID 1808 wrote to memory of 584	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	33
PID 1808 wrote to memory of 564	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	28
PID 1808 wrote to memory of 564	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	28
PID 1808 wrote to memory of 564	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	28
PID 1808 wrote to memory of 564	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	28
PID 1808 wrote to memory of 1696	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	29
PID 1808 wrote to memory of 1696	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	29
PID 1808 wrote to memory of 1696	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	29
PID 1808 wrote to memory of 1696	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	29
PID 584 wrote to memory of 924	584	Commgr.exe	30
PID 584 wrote to memory of 924	584	Commgr.exe	30
PID 584 wrote to memory of 924	584	Commgr.exe	30
PID 584 wrote to memory of 924	584	Commgr.exe	30
PID 1808 wrote to memory of 108	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	31
PID 1808 wrote to memory of 108	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	31
PID 1808 wrote to memory of 108	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	31
PID 1808 wrote to memory of 108	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	31
PID 1808 wrote to memory of 1224	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	32
PID 1808 wrote to memory of 1224	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	32
PID 1808 wrote to memory of 1224	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	32
PID 1808 wrote to memory of 1224	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	32
PID 1344 wrote to memory of 1624	1344	WinAlert.exe	36
PID 1344 wrote to memory of 1624	1344	WinAlert.exe	36
PID 1344 wrote to memory of 1624	1344	WinAlert.exe	36
PID 1344 wrote to memory of 1624	1344	WinAlert.exe	36
PID 584 wrote to memory of 1396	584	Commgr.exe	37
PID 584 wrote to memory of 1396	584	Commgr.exe	37
PID 584 wrote to memory of 1396	584	Commgr.exe	37
PID 584 wrote to memory of 1396	584	Commgr.exe	37
PID 1344 wrote to memory of 572	1344	WinAlert.exe	38
PID 1344 wrote to memory of 572	1344	WinAlert.exe	38
PID 1344 wrote to memory of 572	1344	WinAlert.exe	38
PID 1344 wrote to memory of 572	1344	WinAlert.exe	38
PID 1808 wrote to memory of 1084	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	39
PID 1808 wrote to memory of 1084	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	39
PID 1808 wrote to memory of 1084	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	39
PID 1808 wrote to memory of 1084	1808	d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe	39

C:\Users\Admin\AppData\Local\Temp\d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe
"C:\Users\Admin\AppData\Local\Temp\d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:564
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:108
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1224
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1396
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1624
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:572
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1084

C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
"C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
11KB

MD5
995e61fe62dcc249a21bc9e0b93b2e18

SHA1
b7a2d0b162be09571e0f4c85c9c67fc91ac3f3f4

SHA256
e92879aa620a4b4a6aa3232f135f35cbfa33f0a5ac6655f36edfbb5fd0a09312

SHA512
45dc6188f5223de3884f28e964ec018858468f014240ff555900a0f439f5be8ee0ff954c071ebcb69cb84225868210cbe5d507f48394c2b7ee1ec5ffd8a22f52

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
60KB

MD5
b666a15b5e420a29f63779f89538125e

SHA1
9a0d36c81ccfc94d22d168b940be534349f40a35

SHA256
4722d044d9e8edf3937fa3a66ee41a3721f72b0b57c15019d4a73521d490535a

SHA512
f38f22a48a17ba91f662344061e863e7fdf5fdb222a15687b78022c34f04ae1454ec655f367cf0f3bce4dd82ae01091364234569710deeaf4d213e5587dc7c70

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
99KB

MD5
d7114fddeb412249ec8394fd4f38e9f9

SHA1
dbbc747bd8c88530da8352f20c4fe75051d6acf4

SHA256
06274eb5cff94bc55de30e6f98f444c6974ff20e81f6b4ad78a6a75bd6b5c58e

SHA512
35b0f57eb9f02c670e71eb96e2209c79ba3d6074b1f230a9c0cdcab90b91162be7fe259eba4227e1ca4aca6ef350585475f51d1765c37e052e0c168c37c2ef91

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
13KB

MD5
d2d54bf243b70cc6b2e57e4c7bb820fb

SHA1
a638d7fa9dfb9d4ed8cb9e3cef7dbc7bb10f9eac

SHA256
6c145e69c8ddc3e9b1db3c0c102cefe8c55ed47bbed5a4e10ef2d5f773692924

SHA512
e3c381f8326bed45986a9389a198cf1c6a3c7cc6cd2f9b525088727e3983cf338cacdb6630ad283581288576247cfe2c55adbc6500a2dbc0c501b1949cb7a942

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\Program Files\Windows Common Files\Commgr.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
432KB

MD5
b4fc3739d4a1d4ed2729ff9c50b5ad16

SHA1
eca039c37693c947dd712ec73eca46e6ae8d5693

SHA256
d3680ce3614943bccbb14a95084ac67bcd274a8baae7dedc3d0aef045cec59b4

SHA512
1169e664d2033f2fa50acad3bf0bfb30d8362292de0562f068fe921001bdf010aac9c7cd5462edbd5590085f043b9ddb6a65850594ae4c5d5d734d36190c290f

Download Submit
memory/108-122-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/564-97-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/572-126-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/584-132-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/584-93-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/628-129-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/628-90-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/924-131-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/924-101-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1084-127-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1224-123-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1344-94-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1396-125-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-124-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1696-128-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1696-98-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1808-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1808-88-0x0000000007EC0000-0x0000000007F2C000-memory.dmp

Filesize
432KB

Download
memory/1808-130-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download