af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b

Analysis

max time kernel
204s
max time network
100s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
Size

3.7MB
MD5

8f2cfdd59f6f3a215a00fb1229080166
SHA1

84d17151ebc34df48e69596f2e4dd487d737e265
SHA256

af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b
SHA512

fd14840f399824406f6040f2891cafd90ee5c440aaf1120a5be34f94b0db3534c690782f3ad066104ebc9ca0effb997cfe6e805af988cf8bd49b84c970d4017d
SSDEEP

98304:DpBDwUCIKlrdDRAOMaU9y4Xms2FRY/sMySUz2+Y:3DwUCIKlJV4Xms28vqG

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Executes dropped EXE 5 IoCs

pid	Process
1572	mrun.exe
1104	4konya.exe
832	runme.exe
1728	mac.exe
1832	nswitkh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1572-80-0x0000000000400000-0x00000000006D2000-memory.dmp	upx
behavioral1/memory/1572-107-0x0000000000400000-0x00000000006D2000-memory.dmp	upx

Loads dropped DLL 15 IoCs

pid	Process
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Shell\mac.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\Windows Shell\mac.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File created	C:\Program Files (x86)\Windows Shell\mrun.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\Windows Shell\runme.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\So\Sa\begom_na_zore.vbs	4konya.exe
File opened for modification	C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs	4konya.exe
File created	C:\Program Files (x86)\Windows Shell\Interop.IWshRuntimeLibrary.dll	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File created	C:\Program Files (x86)\Windows Shell\4konya.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\Windows Shell\mrun.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat	4konya.exe
File created	C:\Program Files\YaFinder\manifest.json	mac.exe
File created	C:\Program Files (x86)\Windows Shell\__tmp_rar_sfx_access_check_7158932	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\So\Sa\Uninstall.exe	4konya.exe
File created	C:\Program Files (x86)\So\Sa\Uninstall.ini	4konya.exe
File opened for modification	C:\Program Files (x86)\So\Sa\niznitor.cho	4konya.exe
File opened for modification	C:\Program Files (x86)\Windows Shell\4konya.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\Windows Shell\Interop.IWshRuntimeLibrary.dll	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File created	C:\Program Files (x86)\Windows Shell\runme.exe	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
File opened for modification	C:\Program Files (x86)\So\Sa\nalei_tr.af	4konya.exe
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	runme.exe
File opened for modification	C:\Program Files (x86)\Windows Shell	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	mac.exe
1728	mac.exe
1728	mac.exe
1832	nswitkh.exe
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	mac.exe
Token: SeDebugPrivilege	1832	nswitkh.exe
Token: SeDebugPrivilege	1268	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1572	mrun.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
832	runme.exe
1832	nswitkh.exe
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1572	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	27
PID 2024 wrote to memory of 1572	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	27
PID 2024 wrote to memory of 1572	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	27
PID 2024 wrote to memory of 1572	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	27
PID 2024 wrote to memory of 1572	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	27
PID 2024 wrote to memory of 1572	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	27
PID 2024 wrote to memory of 1572	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	27
PID 2024 wrote to memory of 1104	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	28
PID 2024 wrote to memory of 1104	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	28
PID 2024 wrote to memory of 1104	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	28
PID 2024 wrote to memory of 1104	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	28
PID 2024 wrote to memory of 1104	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	28
PID 2024 wrote to memory of 1104	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	28
PID 2024 wrote to memory of 1104	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	28
PID 2024 wrote to memory of 832	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	29
PID 2024 wrote to memory of 832	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	29
PID 2024 wrote to memory of 832	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	29
PID 2024 wrote to memory of 832	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	29
PID 2024 wrote to memory of 832	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	29
PID 2024 wrote to memory of 832	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	29
PID 2024 wrote to memory of 832	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	29
PID 2024 wrote to memory of 1728	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	30
PID 2024 wrote to memory of 1728	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	30
PID 2024 wrote to memory of 1728	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	30
PID 2024 wrote to memory of 1728	2024	af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe	30
PID 1104 wrote to memory of 1420	1104	4konya.exe	31
PID 1104 wrote to memory of 1420	1104	4konya.exe	31
PID 1104 wrote to memory of 1420	1104	4konya.exe	31
PID 1104 wrote to memory of 1420	1104	4konya.exe	31
PID 1104 wrote to memory of 1420	1104	4konya.exe	31
PID 1104 wrote to memory of 1420	1104	4konya.exe	31
PID 1104 wrote to memory of 1420	1104	4konya.exe	31
PID 1420 wrote to memory of 1668	1420	cmd.exe	33
PID 1420 wrote to memory of 1668	1420	cmd.exe	33
PID 1420 wrote to memory of 1668	1420	cmd.exe	33
PID 1420 wrote to memory of 1668	1420	cmd.exe	33
PID 1420 wrote to memory of 1668	1420	cmd.exe	33
PID 1420 wrote to memory of 1668	1420	cmd.exe	33
PID 1420 wrote to memory of 1668	1420	cmd.exe	33
PID 1420 wrote to memory of 1332	1420	cmd.exe	34
PID 1420 wrote to memory of 1332	1420	cmd.exe	34
PID 1420 wrote to memory of 1332	1420	cmd.exe	34
PID 1420 wrote to memory of 1332	1420	cmd.exe	34
PID 1420 wrote to memory of 1332	1420	cmd.exe	34
PID 1420 wrote to memory of 1332	1420	cmd.exe	34
PID 1420 wrote to memory of 1332	1420	cmd.exe	34
PID 1572 wrote to memory of 1336	1572	mrun.exe	37
PID 1572 wrote to memory of 1336	1572	mrun.exe	37
PID 1572 wrote to memory of 1336	1572	mrun.exe	37
PID 1572 wrote to memory of 1336	1572	mrun.exe	37
PID 1572 wrote to memory of 1336	1572	mrun.exe	37
PID 1572 wrote to memory of 1336	1572	mrun.exe	37
PID 1572 wrote to memory of 1336	1572	mrun.exe	37
PID 1728 wrote to memory of 2012	1728	mac.exe	40
PID 1728 wrote to memory of 2012	1728	mac.exe	40
PID 1728 wrote to memory of 2012	1728	mac.exe	40
PID 1948 wrote to memory of 1832	1948	taskeng.exe	42
PID 1948 wrote to memory of 1832	1948	taskeng.exe	42
PID 1948 wrote to memory of 1832	1948	taskeng.exe	42
PID 1948 wrote to memory of 1832	1948	taskeng.exe	42
PID 1832 wrote to memory of 1268	1832	nswitkh.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1268
- C:\Users\Admin\AppData\Local\Temp\af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe
  "C:\Users\Admin\AppData\Local\Temp\af3a7bf0daf6254a5beb523fe0ed65a7e85fa24fd8eaa27120b8d39ab5e2f77b.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files (x86)\Windows Shell\mrun.exe
    "C:\Program Files (x86)\Windows Shell\mrun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Temp\tmp.vbs"
      4⤵
      PID:1336
- - C:\Program Files (x86)\Windows Shell\4konya.exe
    "C:\Program Files (x86)\Windows Shell\4konya.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat" "
      4⤵
      Drops file in Drivers directory
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\begom_na_zore.vbs"
        5⤵
        Drops file in Drivers directory
        
        PID:1668
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs"
        5⤵
        
        PID:1332
- - C:\Program Files (x86)\Windows Shell\runme.exe
    "C:\Program Files (x86)\Windows Shell\runme.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID:832
- - C:\Program Files (x86)\Windows Shell\mac.exe
    "C:\Program Files (x86)\Windows Shell\mac.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 952
      4⤵
      PID:2012

C:\Windows\system32\taskeng.exe
taskeng.exe {B79325CF-B4E4-47E1-8A57-8FCA525E4570} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
270KB

MD5
66d6456a4e794af66f9e0f37b1d0ed75

SHA1
036f62a89a8a212a432b25d3d859d7ee3ac20545

SHA256
95c2904f2a81166c8d48ec774b6c793376c33bcf572b9db0d95f659cdee45f97

SHA512
bb9124c03b7879b256f20faa41385bf0a70582f0bec661e243e7e75ef3122db4f5b442433ead36015bcc3c3cd5480dccfa03aaf5502cfd83891e2f3035445a7a

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
270KB

MD5
66d6456a4e794af66f9e0f37b1d0ed75

SHA1
036f62a89a8a212a432b25d3d859d7ee3ac20545

SHA256
95c2904f2a81166c8d48ec774b6c793376c33bcf572b9db0d95f659cdee45f97

SHA512
bb9124c03b7879b256f20faa41385bf0a70582f0bec661e243e7e75ef3122db4f5b442433ead36015bcc3c3cd5480dccfa03aaf5502cfd83891e2f3035445a7a

Download Submit
C:\Program Files (x86)\So\Sa\begom_na_zore.vbs

Filesize
1KB

MD5
2f9625ced427b3ca5951a254c8f1a1cd

SHA1
1ad9baa956aeba4b84a2aea3a8d2b0e2e3ea4de6

SHA256
02875049e62a5f01c911a83bbbb3d8d2a3cfe7a9771470d04c6050e66bba5c66

SHA512
2a9f7a673509945192b226f30b9d989da86229e6c39f6196ecb31e230d2a5ed3c2eb2ca5584d29921cf7e3b230a68010e1be1ef31591e042e35f28e903c5f295

Download Submit
C:\Program Files (x86)\So\Sa\nalei_tr.af

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\So\Sa\niznitor.cho

Filesize
44B

MD5
06b72f2e91ce7dfccc59c485c05450c5

SHA1
a56b511cf737b3785604c1af6323ee79665de58b

SHA256
6d4285fc44c978f678f815a7a0bdfff1b43a63b08fca4581061a246179af13ab

SHA512
4ff19d29c90f46d121793f942fa3f16b9485f5d5b32773f3faedb1d9e4d0662670699f7aaae6dc31cd7588d90c0b62295b0db24797e82dba39083456759b7c56

Download Submit
C:\Program Files (x86)\So\Sa\sasha_po_soshe.vbs

Filesize
162B

MD5
54aad904bc26d06756408c9c4b9d37d1

SHA1
e1825c33b4e1cb5ee488bee3cff8439a54bdec33

SHA256
0ea4b001b3d9ee588a31c7db6e1735e11510e91b14023100004540f6f6d4b38b

SHA512
c912e6793f6efdeafacb638f4a57240384195641659fe749747488b2fe939f018424da76b38f6fda1bdae5f43fa757d364e6f96594c6996d261f6f03ba219f8a

Download Submit
C:\Program Files (x86)\So\Sa\yaveruchtoonadoidetdonasi.bat

Filesize
1KB

MD5
c4ef4e633ed1144c3af0284c084c8ac8

SHA1
29a4017f2ba33dcc2b93158444c458f3710efaa5

SHA256
936d612af904777f98592cae37802bd2f741b530840d15d3b8aea7abb269d9a9

SHA512
8c52f55c7f851a52b684ca847bb2d9f67cb196b53eb110c415697772ff7e754611c4bd2ae67b7c415935ba0896549edc121694a7eeec8dfe6644948624fd1da4

Download Submit
C:\Program Files (x86)\Windows Shell\4konya.exe

Filesize
158KB

MD5
5938ee1ebc7ad3547352640411eeb861

SHA1
08a971987df20ca3dabca264d08e1ac4fb469744

SHA256
ccfe4b69052cf07478c074915333aad213adccef2bbebe9e9f1f9b46cb984fd8

SHA512
f03f93f4999e5ba644793f1c588e6d24eb1f730c3d667d49b533055506721dad9661c7320e46999bf2cc178795f5d2f1c77757a7672a24fa60a8c52d90b1d53b

Download Submit
C:\Program Files (x86)\Windows Shell\4konya.exe

Filesize
158KB

MD5
5938ee1ebc7ad3547352640411eeb861

SHA1
08a971987df20ca3dabca264d08e1ac4fb469744

SHA256
ccfe4b69052cf07478c074915333aad213adccef2bbebe9e9f1f9b46cb984fd8

SHA512
f03f93f4999e5ba644793f1c588e6d24eb1f730c3d667d49b533055506721dad9661c7320e46999bf2cc178795f5d2f1c77757a7672a24fa60a8c52d90b1d53b

Download Submit
C:\Program Files (x86)\Windows Shell\Interop.IWshRuntimeLibrary.dll

Filesize
48KB

MD5
d923d4b8d2eba5847c92b8fdd3a0378f

SHA1
e99c5b639918616d41e06f1274c6ec5b9706c706

SHA256
73de6d8cd7795bed2fe4dd894a3febfc0083b7916b9bedc77a61fa1d23deee84

SHA512
2fcc23f1fa829fada9e77814af8062a077871128eddc6233c8bf1673af1ee0475489d2c6b8585e1d4066f2acf0657e024ac7fa93659c0ca0fb68bf582ce068bf

Download Submit
C:\Program Files (x86)\Windows Shell\mac.exe

Filesize
86KB

MD5
47af31afd8658aa7924283ce9f33ab0c

SHA1
bffc90a3ad32d6b085972a1401563bdafc97cd14

SHA256
041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

SHA512
4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

Download Submit
C:\Program Files (x86)\Windows Shell\mac.exe

Filesize
86KB

MD5
47af31afd8658aa7924283ce9f33ab0c

SHA1
bffc90a3ad32d6b085972a1401563bdafc97cd14

SHA256
041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

SHA512
4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

Download Submit
C:\Program Files (x86)\Windows Shell\mrun.exe

Filesize
2.8MB

MD5
a24c7214cd5f4e6d583054ff884f3975

SHA1
cd88074a83e84310f9958cce9976274b9f097193

SHA256
784f037789f4a38996a68e847e7b8b221a62dbabd6fd6debc9a1ef764beb2df5

SHA512
299dc8607bb39e25202d5bf417de7c43e842b1648f5beeb619c89236dcb240ef095903686f0b49f06b42c0f65b59fba5c4c909c2b3c087475b906e32201701c0

Download Submit
C:\Program Files (x86)\Windows Shell\runme.exe

Filesize
270KB

MD5
57bb3bbc05b6a5fb10522ba78237f66f

SHA1
69c0d913fabc98abfc5af4001f9866557639912f

SHA256
fd4f4195ed77807e33a9238b8155b6dc9d0dc40d564ccbee3c2e53c01a1bec67

SHA512
617980be47854649235fe53b4f67af55be65ab1aef75f0e280928eb94a5e39f06386b3a5ca19580e63792492b720dfc9731aa6984013d9e60bc158aa5871cf5d

Download Submit
C:\Program Files (x86)\Windows Shell\runme.exe

Filesize
270KB

MD5
57bb3bbc05b6a5fb10522ba78237f66f

SHA1
69c0d913fabc98abfc5af4001f9866557639912f

SHA256
fd4f4195ed77807e33a9238b8155b6dc9d0dc40d564ccbee3c2e53c01a1bec67

SHA512
617980be47854649235fe53b4f67af55be65ab1aef75f0e280928eb94a5e39f06386b3a5ca19580e63792492b720dfc9731aa6984013d9e60bc158aa5871cf5d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
fc9cc9adef1783041f958397016a7646

SHA1
4764664e116953ad83d3a8873cd95c28aef7860a

SHA256
526ab221525681d39e0073513e17cdeb2cca4e27ad2a91053e52ca3d99ef05ae

SHA512
e8671370d2bb83b1c0708b4a70dc010997b300ff6cbdd58ae8eda6bf4cbef984d3070b40916bb5e4f2cade584439debf250c8d0a30eaf76198996ee8f84889e1

Download Submit
\Program Files (x86)\Windows Shell\4konya.exe

Filesize
158KB

MD5
5938ee1ebc7ad3547352640411eeb861

SHA1
08a971987df20ca3dabca264d08e1ac4fb469744

SHA256
ccfe4b69052cf07478c074915333aad213adccef2bbebe9e9f1f9b46cb984fd8

SHA512
f03f93f4999e5ba644793f1c588e6d24eb1f730c3d667d49b533055506721dad9661c7320e46999bf2cc178795f5d2f1c77757a7672a24fa60a8c52d90b1d53b

Download Submit
\Program Files (x86)\Windows Shell\4konya.exe

Filesize
158KB

MD5
5938ee1ebc7ad3547352640411eeb861

SHA1
08a971987df20ca3dabca264d08e1ac4fb469744

SHA256
ccfe4b69052cf07478c074915333aad213adccef2bbebe9e9f1f9b46cb984fd8

SHA512
f03f93f4999e5ba644793f1c588e6d24eb1f730c3d667d49b533055506721dad9661c7320e46999bf2cc178795f5d2f1c77757a7672a24fa60a8c52d90b1d53b

Download Submit
\Program Files (x86)\Windows Shell\4konya.exe

Filesize
158KB

MD5
5938ee1ebc7ad3547352640411eeb861

SHA1
08a971987df20ca3dabca264d08e1ac4fb469744

SHA256
ccfe4b69052cf07478c074915333aad213adccef2bbebe9e9f1f9b46cb984fd8

SHA512
f03f93f4999e5ba644793f1c588e6d24eb1f730c3d667d49b533055506721dad9661c7320e46999bf2cc178795f5d2f1c77757a7672a24fa60a8c52d90b1d53b

Download Submit
\Program Files (x86)\Windows Shell\4konya.exe

Filesize
158KB

MD5
5938ee1ebc7ad3547352640411eeb861

SHA1
08a971987df20ca3dabca264d08e1ac4fb469744

SHA256
ccfe4b69052cf07478c074915333aad213adccef2bbebe9e9f1f9b46cb984fd8

SHA512
f03f93f4999e5ba644793f1c588e6d24eb1f730c3d667d49b533055506721dad9661c7320e46999bf2cc178795f5d2f1c77757a7672a24fa60a8c52d90b1d53b

Download Submit
\Program Files (x86)\Windows Shell\mac.exe

Filesize
86KB

MD5
47af31afd8658aa7924283ce9f33ab0c

SHA1
bffc90a3ad32d6b085972a1401563bdafc97cd14

SHA256
041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

SHA512
4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

Download Submit
\Program Files (x86)\Windows Shell\mac.exe

Filesize
86KB

MD5
47af31afd8658aa7924283ce9f33ab0c

SHA1
bffc90a3ad32d6b085972a1401563bdafc97cd14

SHA256
041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

SHA512
4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

Download Submit
\Program Files (x86)\Windows Shell\mac.exe

Filesize
86KB

MD5
47af31afd8658aa7924283ce9f33ab0c

SHA1
bffc90a3ad32d6b085972a1401563bdafc97cd14

SHA256
041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

SHA512
4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

Download Submit
\Program Files (x86)\Windows Shell\mac.exe

Filesize
86KB

MD5
47af31afd8658aa7924283ce9f33ab0c

SHA1
bffc90a3ad32d6b085972a1401563bdafc97cd14

SHA256
041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

SHA512
4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

Download Submit
\Program Files (x86)\Windows Shell\mrun.exe

Filesize
2.8MB

MD5
a24c7214cd5f4e6d583054ff884f3975

SHA1
cd88074a83e84310f9958cce9976274b9f097193

SHA256
784f037789f4a38996a68e847e7b8b221a62dbabd6fd6debc9a1ef764beb2df5

SHA512
299dc8607bb39e25202d5bf417de7c43e842b1648f5beeb619c89236dcb240ef095903686f0b49f06b42c0f65b59fba5c4c909c2b3c087475b906e32201701c0

Download Submit
\Program Files (x86)\Windows Shell\mrun.exe

Filesize
2.8MB

MD5
a24c7214cd5f4e6d583054ff884f3975

SHA1
cd88074a83e84310f9958cce9976274b9f097193

SHA256
784f037789f4a38996a68e847e7b8b221a62dbabd6fd6debc9a1ef764beb2df5

SHA512
299dc8607bb39e25202d5bf417de7c43e842b1648f5beeb619c89236dcb240ef095903686f0b49f06b42c0f65b59fba5c4c909c2b3c087475b906e32201701c0

Download Submit
\Program Files (x86)\Windows Shell\mrun.exe

Filesize
2.8MB

MD5
a24c7214cd5f4e6d583054ff884f3975

SHA1
cd88074a83e84310f9958cce9976274b9f097193

SHA256
784f037789f4a38996a68e847e7b8b221a62dbabd6fd6debc9a1ef764beb2df5

SHA512
299dc8607bb39e25202d5bf417de7c43e842b1648f5beeb619c89236dcb240ef095903686f0b49f06b42c0f65b59fba5c4c909c2b3c087475b906e32201701c0

Download Submit
\Program Files (x86)\Windows Shell\runme.exe

Filesize
270KB

MD5
57bb3bbc05b6a5fb10522ba78237f66f

SHA1
69c0d913fabc98abfc5af4001f9866557639912f

SHA256
fd4f4195ed77807e33a9238b8155b6dc9d0dc40d564ccbee3c2e53c01a1bec67

SHA512
617980be47854649235fe53b4f67af55be65ab1aef75f0e280928eb94a5e39f06386b3a5ca19580e63792492b720dfc9731aa6984013d9e60bc158aa5871cf5d

Download Submit
\Program Files (x86)\Windows Shell\runme.exe

Filesize
270KB

MD5
57bb3bbc05b6a5fb10522ba78237f66f

SHA1
69c0d913fabc98abfc5af4001f9866557639912f

SHA256
fd4f4195ed77807e33a9238b8155b6dc9d0dc40d564ccbee3c2e53c01a1bec67

SHA512
617980be47854649235fe53b4f67af55be65ab1aef75f0e280928eb94a5e39f06386b3a5ca19580e63792492b720dfc9731aa6984013d9e60bc158aa5871cf5d

Download Submit
\Program Files (x86)\Windows Shell\runme.exe

Filesize
270KB

MD5
57bb3bbc05b6a5fb10522ba78237f66f

SHA1
69c0d913fabc98abfc5af4001f9866557639912f

SHA256
fd4f4195ed77807e33a9238b8155b6dc9d0dc40d564ccbee3c2e53c01a1bec67

SHA512
617980be47854649235fe53b4f67af55be65ab1aef75f0e280928eb94a5e39f06386b3a5ca19580e63792492b720dfc9731aa6984013d9e60bc158aa5871cf5d

Download Submit
\Program Files (x86)\Windows Shell\runme.exe

Filesize
270KB

MD5
57bb3bbc05b6a5fb10522ba78237f66f

SHA1
69c0d913fabc98abfc5af4001f9866557639912f

SHA256
fd4f4195ed77807e33a9238b8155b6dc9d0dc40d564ccbee3c2e53c01a1bec67

SHA512
617980be47854649235fe53b4f67af55be65ab1aef75f0e280928eb94a5e39f06386b3a5ca19580e63792492b720dfc9731aa6984013d9e60bc158aa5871cf5d

Download Submit
memory/832-109-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/832-110-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/832-100-0x00000000002E0000-0x000000000033F000-memory.dmp

Filesize
380KB

Download
memory/832-101-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1268-118-0x0000000003B30000-0x0000000003B4C000-memory.dmp

Filesize
112KB

Download
memory/1268-116-0x0000000003B30000-0x0000000003B4C000-memory.dmp

Filesize
112KB

Download
memory/1572-107-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/1572-80-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/1728-99-0x000007FEF2730000-0x000007FEF37C6000-memory.dmp

Filesize
16.6MB

Download
memory/1728-86-0x000007FEF37D0000-0x000007FEF41F3000-memory.dmp

Filesize
10.1MB

Download
memory/1832-114-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download
memory/1832-115-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1832-119-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2012-108-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/2024-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download