9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

Analysis

max time kernel
165s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Size

492KB
MD5

81422d9300dc4b73043e21a7733fbe2d
SHA1

7be7cd5622831d9c252c1ec9c48ebaf737b8a654
SHA256

9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce
SHA512

94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357
SSDEEP

3072:0tNQKGSGtGSGOGOGlGln+VD/m8ClX0kUb+16H6b5p8I0yH/JN8HOWShM+L7aL7Ct:0sKbELf/MR/cWdi5pV/JNWOVhMO

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe

Executes dropped EXE 13 IoCs

pid	Process
588	WinAlert.exe
996	Commgr.exe
576	WinSysApp.exe
1092	WinAlert.exe
1576	WinSysApp.exe
1992	WinSysApp.exe
1220	WinSysApp.exe
276	Commgr.exe
1224	WinAlert.exe
1996	WinSysApp.exe
900	WinSysApp.exe
1568	WinSysApp.exe
956	WinSysApp.exe

Loads dropped DLL 16 IoCs

pid	Process
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
588	WinAlert.exe
996	Commgr.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
996	Commgr.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
588	WinAlert.exe
996	Commgr.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
Token: SeDebugPrivilege	996	Commgr.exe
Token: SeDebugPrivilege	588	WinAlert.exe
Token: SeDebugPrivilege	1092	WinAlert.exe
Token: SeDebugPrivilege	1576	WinSysApp.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 588	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	30
PID 1284 wrote to memory of 588	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	30
PID 1284 wrote to memory of 588	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	30
PID 1284 wrote to memory of 588	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	30
PID 1284 wrote to memory of 576	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	29
PID 1284 wrote to memory of 576	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	29
PID 1284 wrote to memory of 576	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	29
PID 1284 wrote to memory of 576	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	29
PID 1284 wrote to memory of 996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	28
PID 1284 wrote to memory of 996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	28
PID 1284 wrote to memory of 996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	28
PID 1284 wrote to memory of 996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	28
PID 1284 wrote to memory of 1092	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	31
PID 1284 wrote to memory of 1092	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	31
PID 1284 wrote to memory of 1092	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	31
PID 1284 wrote to memory of 1092	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	31
PID 588 wrote to memory of 1576	588	WinAlert.exe	32
PID 588 wrote to memory of 1576	588	WinAlert.exe	32
PID 588 wrote to memory of 1576	588	WinAlert.exe	32
PID 588 wrote to memory of 1576	588	WinAlert.exe	32
PID 996 wrote to memory of 1992	996	Commgr.exe	33
PID 996 wrote to memory of 1992	996	Commgr.exe	33
PID 996 wrote to memory of 1992	996	Commgr.exe	33
PID 996 wrote to memory of 1992	996	Commgr.exe	33
PID 1284 wrote to memory of 1220	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	34
PID 1284 wrote to memory of 1220	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	34
PID 1284 wrote to memory of 1220	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	34
PID 1284 wrote to memory of 1220	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	34
PID 996 wrote to memory of 1224	996	Commgr.exe	35
PID 996 wrote to memory of 1224	996	Commgr.exe	35
PID 996 wrote to memory of 1224	996	Commgr.exe	35
PID 996 wrote to memory of 1224	996	Commgr.exe	35
PID 1284 wrote to memory of 276	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	36
PID 1284 wrote to memory of 276	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	36
PID 1284 wrote to memory of 276	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	36
PID 1284 wrote to memory of 276	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	36
PID 1284 wrote to memory of 1996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	37
PID 1284 wrote to memory of 1996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	37
PID 1284 wrote to memory of 1996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	37
PID 1284 wrote to memory of 1996	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	37
PID 588 wrote to memory of 900	588	WinAlert.exe	38
PID 588 wrote to memory of 900	588	WinAlert.exe	38
PID 588 wrote to memory of 900	588	WinAlert.exe	38
PID 588 wrote to memory of 900	588	WinAlert.exe	38
PID 996 wrote to memory of 956	996	Commgr.exe	39
PID 996 wrote to memory of 956	996	Commgr.exe	39
PID 996 wrote to memory of 956	996	Commgr.exe	39
PID 996 wrote to memory of 956	996	Commgr.exe	39
PID 1284 wrote to memory of 1568	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	40
PID 1284 wrote to memory of 1568	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	40
PID 1284 wrote to memory of 1568	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	40
PID 1284 wrote to memory of 1568	1284	9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe	40

C:\Users\Admin\AppData\Local\Temp\9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe
"C:\Users\Admin\AppData\Local\Temp\9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1992
- - C:\Program Files\Windows Alerter\WinAlert.exe
    "C:\Program Files\Windows Alerter\WinAlert.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1224
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:956
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:576
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Executes dropped EXE
    PID:900
- C:\Program Files\Windows Alerter\WinAlert.exe
  "C:\Program Files\Windows Alerter\WinAlert.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1220
- C:\Program Files\Windows Common Files\Commgr.exe
  "C:\Program Files\Windows Common Files\Commgr.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:276
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1996
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
13KB

MD5
54ca5afa4fad7ef3b0160e431ec51519

SHA1
182832e4d6060e0a0a719a3aa837b8f1cee8fcb8

SHA256
1ca0fd5cb07bc20fa70e4def2b5ab5b08bd24b51888de5a3c9dde38838b4553c

SHA512
17a56803f06bb68f7cb1387be99f662dfdb8c5c5ab2e793d2589776b7d4e40c17607ee5b69ff3374621ac69a4e0df6be1839e677537589a15690c2aeaf782667

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
95KB

MD5
18bf85e7083508699a24e6cac5e7e594

SHA1
bbce4d35b72e54522346763ab901d347198757e8

SHA256
9895189c0386b30d644363f1a82f7d1d45704096acc0c7eae687ee5100015a16

SHA512
ea0919bfd468bd0dbb5f353a8f2d30c960249545e1236dc036bedc769c4ae67eba3675e564cce28965d3878cc3c48b8932ade3f4b4a1cb24ced0b4a2449ce9e0

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
50KB

MD5
6333075589f03df2c41ee43da529e7ba

SHA1
acf1d91df75fc970bd677f34f5d544a7c621f6e9

SHA256
5ddc84cc88d804303b1187dcdecf78594a3aba2a5c3f934f0ac0d45b8ebe6497

SHA512
d8381afe650518138a0e82e79d68450719e2c23fcd1ef85caf9141a4b0fc0ed934d17b304b33d0f68350d5021305a1fe9478e64708280f6d05f3ca8a54dfeffd

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
2KB

MD5
3c71380ae9c49517e8f1ff769c868b6b

SHA1
65fb43386aa81ac13da14f1ff5020f61b165faea

SHA256
10753e8855aefbd864178c14d5d7dedec1d1555669af050ca3c6fa9a6258903d

SHA512
306837de3e32e33978efdf8e2194bde9664cbdaf6b3f9f3822f553a8bc2dc70a6e1a04b084d346c2c055b3a21c19b0c9200a6172f55dee5554101621ab4a2aa7

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
31KB

MD5
c82cab626f4c3e02cc09330190af7fb7

SHA1
13e7c25f4eb889549f8e41ea7e7c4efbc4615ee9

SHA256
929f71912c3d12a3ca50577d4e92530e0c271191ed9e9725b0ab0ad3811c674e

SHA512
561a5c3f8162f3dfa543cd753f2da4821ea7e10e0e8e5cef954f370f09fb1cdc684586bf5cc645631c114b8adf40013ccbca2d97302f0383a69e4e58e3d51216

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\Program Files\Windows Alerter\WinAlert.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\Program Files\Windows Common Files\Commgr.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\Program Files\Windows Common Files\Commgr.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\Program Files\Windows Common Files\Commgr.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
492KB

MD5
81422d9300dc4b73043e21a7733fbe2d

SHA1
7be7cd5622831d9c252c1ec9c48ebaf737b8a654

SHA256
9db66a3372237615c547bd64d25e7b8977cbe7ee78d78704bb06e6c83dbf6dce

SHA512
94d0342404d99a3f230d19a1a6cce122ead5e1c2f8000d1d07d69981288952dbddc8043826a27437031bd51e27b1eb7ef8d2fafd72a803f8869918785696a357

Download Submit
memory/276-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/576-105-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/588-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-125-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/956-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/996-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1092-108-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1092-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1220-111-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1224-124-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1224-129-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1284-79-0x0000000006980000-0x00000000069FB000-memory.dmp

Filesize
492KB

Download
memory/1284-77-0x0000000008120000-0x000000000819B000-memory.dmp

Filesize
492KB

Download
memory/1284-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1284-76-0x0000000008120000-0x000000000819B000-memory.dmp

Filesize
492KB

Download
memory/1284-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1284-112-0x0000000007B10000-0x0000000007B8B000-memory.dmp

Filesize
492KB

Download
memory/1284-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1568-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1576-109-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1992-110-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1996-130-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download