gh0strat | 5be1288b17f208477e60a1a398e42fb718f1767e7f79e2979996c79192e5e775

Analysis

max time kernel
303s
max time network
309s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-08-2023 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WPS-0A6AB1D6FA31sshortcuts-custom.exe
Size

67.7MB
MD5

c01e7f9022cd6d91aa06881229383f31
SHA1

631b5ba15d4fe42b812436b8f12ee33018219d34
SHA256

5be1288b17f208477e60a1a398e42fb718f1767e7f79e2979996c79192e5e775
SHA512

21a3933e1776676960557cb092cc3bf8bd1037287053767a18b47f04580308a46355f199c1fe97c8b8a813491d58f769040c96d97a2b7a9c6dca397cf91ef45f
SSDEEP

1572864:83Mo59ulmbjAa91+FggUhx2HI+8h1QYkXmj6hbBeCVCqU:83/0QAau1qw88XmOBeuxU

Score

10^/10

gh0strat aspackv2 evasion persistence rat trojan upx

Malware Config

Signatures

Gh0st RAT payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1008-746-0x00000000003D0000-0x00000000003EB000-memory.dmp	family_gh0strat
behavioral1/memory/1008-748-0x00000000003D0000-0x00000000003EB000-memory.dmp	family_gh0strat
behavioral1/memory/1008-770-0x00000000003D0000-0x00000000003EB000-memory.dmp	family_gh0strat
behavioral1/memory/1008-813-0x0000000003E10000-0x0000000004313000-memory.dmp	family_gh0strat
behavioral1/memory/1008-814-0x0000000003E10000-0x0000000004313000-memory.dmp	family_gh0strat
behavioral1/memory/1008-820-0x00000000044B0000-0x00000000049B3000-memory.dmp	family_gh0strat
behavioral1/memory/1008-880-0x00000000044B0000-0x00000000049B3000-memory.dmp	family_gh0strat
behavioral1/memory/1008-881-0x00000000044B0000-0x00000000049B3000-memory.dmp	family_gh0strat
behavioral1/memory/1756-994-0x0000000004BC0000-0x00000000050C3000-memory.dmp	family_gh0strat
behavioral1/memory/1756-1047-0x0000000005960000-0x0000000005E63000-memory.dmp	family_gh0strat
behavioral1/memory/1756-1066-0x0000000005960000-0x0000000005E63000-memory.dmp	family_gh0strat
behavioral1/memory/2416-1107-0x00000000003C0000-0x00000000003DB000-memory.dmp	family_gh0strat
behavioral1/memory/2416-1146-0x0000000002BF0000-0x00000000030F3000-memory.dmp	family_gh0strat
behavioral1/memory/2416-1147-0x0000000002BF0000-0x00000000030F3000-memory.dmp	family_gh0strat
behavioral1/memory/2416-1160-0x00000000003C0000-0x00000000003DB000-memory.dmp	family_gh0strat
behavioral1/memory/2416-1162-0x0000000002BF0000-0x00000000030F3000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

TaskLoad.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TaskLoad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TaskLoad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TaskLoad.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Verifier\OaEACA	aspack_v212_v242

Executes dropped EXE 7 IoCs

Processes:

WsTaskLoad.exeTaskLoad.exeQQMusic.exeQQMusic.exeTaskLoad.exeWallPaper.exeWallPaper.exe

pid process

2364 WsTaskLoad.exe
1008 TaskLoad.exe
1756 QQMusic.exe
2032 QQMusic.exe
1360 TaskLoad.exe
2416 WallPaper.exe
2812 WallPaper.exe

pid	process
2364	WsTaskLoad.exe
1008	TaskLoad.exe
1756	QQMusic.exe
2032	QQMusic.exe
1360	TaskLoad.exe
2416	WallPaper.exe
2812	WallPaper.exe

Loads dropped DLL 48 IoCs

Processes:

WPS-0A6AB1D6FA31sshortcuts-custom.exeMsiExec.exeMsiExec.exeWsTaskLoad.exeTaskLoad.exeQQMusic.exeQQMusic.exeTaskLoad.exeWallPaper.exeWallPaper.exe

pid	process
1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
2380	MsiExec.exe
2380	MsiExec.exe
2380	MsiExec.exe
2380	MsiExec.exe
2788	MsiExec.exe
2788	MsiExec.exe
1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
2364	WsTaskLoad.exe
2364	WsTaskLoad.exe
2364	WsTaskLoad.exe
2364	WsTaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1756	QQMusic.exe
1756	QQMusic.exe
1756	QQMusic.exe
1756	QQMusic.exe
1756	QQMusic.exe
1756	QQMusic.exe
1756	QQMusic.exe
2032	QQMusic.exe
2032	QQMusic.exe
1360	TaskLoad.exe
1360	TaskLoad.exe
2032	QQMusic.exe
1360	TaskLoad.exe
2032	QQMusic.exe
2032	QQMusic.exe
2032	QQMusic.exe
2032	QQMusic.exe
1756	QQMusic.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2812	WallPaper.exe
2812	WallPaper.exe
2812	WallPaper.exe
2812	WallPaper.exe
2812	WallPaper.exe
2812	WallPaper.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1008-743-0x00000000003D0000-0x00000000003EB000-memory.dmp	upx
behavioral1/memory/1008-746-0x00000000003D0000-0x00000000003EB000-memory.dmp	upx
behavioral1/memory/1008-748-0x00000000003D0000-0x00000000003EB000-memory.dmp	upx
behavioral1/memory/1008-770-0x00000000003D0000-0x00000000003EB000-memory.dmp	upx
behavioral1/memory/1008-807-0x0000000003E10000-0x0000000004313000-memory.dmp	upx
behavioral1/memory/1008-813-0x0000000003E10000-0x0000000004313000-memory.dmp	upx
behavioral1/memory/1008-814-0x0000000003E10000-0x0000000004313000-memory.dmp	upx
behavioral1/memory/1008-817-0x00000000044B0000-0x00000000049B3000-memory.dmp	upx
behavioral1/memory/1008-820-0x00000000044B0000-0x00000000049B3000-memory.dmp	upx
behavioral1/memory/1008-880-0x00000000044B0000-0x00000000049B3000-memory.dmp	upx
behavioral1/memory/1008-881-0x00000000044B0000-0x00000000049B3000-memory.dmp	upx
behavioral1/memory/1756-913-0x0000000001D40000-0x0000000001D79000-memory.dmp	upx
behavioral1/memory/1756-917-0x0000000001D40000-0x0000000001D79000-memory.dmp	upx
behavioral1/memory/2032-939-0x0000000000610000-0x0000000000649000-memory.dmp	upx
behavioral1/memory/2032-943-0x0000000000610000-0x0000000000649000-memory.dmp	upx
behavioral1/memory/1756-955-0x0000000001D40000-0x0000000001D79000-memory.dmp	upx
behavioral1/memory/1756-975-0x0000000001D40000-0x0000000001D79000-memory.dmp	upx
behavioral1/memory/1756-977-0x0000000001D40000-0x0000000001D79000-memory.dmp	upx
behavioral1/memory/1756-976-0x0000000004BC0000-0x00000000050C3000-memory.dmp	upx
behavioral1/memory/1756-994-0x0000000004BC0000-0x00000000050C3000-memory.dmp	upx
behavioral1/memory/2416-1041-0x00000000002C0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/1756-1047-0x0000000005960000-0x0000000005E63000-memory.dmp	upx
behavioral1/memory/1756-1066-0x0000000005960000-0x0000000005E63000-memory.dmp	upx
behavioral1/memory/2416-1107-0x00000000003C0000-0x00000000003DB000-memory.dmp	upx
behavioral1/memory/2416-1146-0x0000000002BF0000-0x00000000030F3000-memory.dmp	upx
behavioral1/memory/2416-1147-0x0000000002BF0000-0x00000000030F3000-memory.dmp	upx
behavioral1/memory/2812-1155-0x00000000001A0000-0x00000000001CE000-memory.dmp	upx
behavioral1/memory/2416-1156-0x00000000002C0000-0x00000000002EE000-memory.dmp	upx
behavioral1/memory/2416-1160-0x00000000003C0000-0x00000000003DB000-memory.dmp	upx
behavioral1/memory/2416-1162-0x0000000002BF0000-0x00000000030F3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exerundll32.exeQQMusic.exeTaskLoad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run = "yes"	QQMusic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run = "yes"	TaskLoad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WPS-0A6AB1D6FA31sshortcuts-custom.exemsiexec.exeWPS-0A6AB1D6FA31sshortcuts-custom.exeWallPaper.exeTaskLoad.exe

description	ioc	process
File opened (read-only)	\??\Z:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\E:	WallPaper.exe
File opened (read-only)	\??\H:	WallPaper.exe
File opened (read-only)	\??\G:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\T:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\S:	TaskLoad.exe
File opened (read-only)	\??\L:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\N:	TaskLoad.exe
File opened (read-only)	\??\K:	WallPaper.exe
File opened (read-only)	\??\M:	WallPaper.exe
File opened (read-only)	\??\T:	WallPaper.exe
File opened (read-only)	\??\Y:	WallPaper.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	TaskLoad.exe
File opened (read-only)	\??\K:	TaskLoad.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\O:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\U:	WallPaper.exe
File opened (read-only)	\??\E:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\I:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	TaskLoad.exe
File opened (read-only)	\??\N:	WallPaper.exe
File opened (read-only)	\??\Y:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	TaskLoad.exe
File opened (read-only)	\??\G:	WallPaper.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	TaskLoad.exe
File opened (read-only)	\??\E:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\R:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\X:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\J:	TaskLoad.exe
File opened (read-only)	\??\W:	TaskLoad.exe
File opened (read-only)	\??\J:	WallPaper.exe
File opened (read-only)	\??\Q:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	TaskLoad.exe
File opened (read-only)	\??\A:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\X:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\L:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\O:	TaskLoad.exe
File opened (read-only)	\??\R:	TaskLoad.exe
File opened (read-only)	\??\V:	TaskLoad.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\Q:	WPS-0A6AB1D6FA31sshortcuts-custom.exe
File opened (read-only)	\??\U:	TaskLoad.exe
File opened (read-only)	\??\Z:	TaskLoad.exe

Drops file in Windows directory 15 IoCs

Processes:

DrvInst.exemsiexec.exerundll32.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI385F.tmp	msiexec.exe
File created	C:\Windows\Installer\f773737.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f773736.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI538E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File created	C:\Windows\Installer\{7F0A5FEA-05D4-4164-AC2D-3D5459106702}\WPS_Installer.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f773736.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3969.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{7F0A5FEA-05D4-4164-AC2D-3D5459106702}\WPS_Installer.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f773737.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeWsTaskLoad.exeTaskLoad.exeQQMusic.exeTaskLoad.exeWallPaper.exe

pid	process
3032	msiexec.exe
3032	msiexec.exe
2364	WsTaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1756	QQMusic.exe
1756	QQMusic.exe
1756	QQMusic.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
1360	TaskLoad.exe
1008	TaskLoad.exe
1756	QQMusic.exe
1756	QQMusic.exe
1008	TaskLoad.exe
1756	QQMusic.exe
2416	WallPaper.exe
1756	QQMusic.exe
1008	TaskLoad.exe
1008	TaskLoad.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe
2416	WallPaper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WPS-0A6AB1D6FA31sshortcuts-custom.exe

pid process

1856 WPS-0A6AB1D6FA31sshortcuts-custom.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeWPS-0A6AB1D6FA31sshortcuts-custom.exe

description	pid	process
Token: SeRestorePrivilege	3032	msiexec.exe
Token: SeTakeOwnershipPrivilege	3032	msiexec.exe
Token: SeSecurityPrivilege	3032	msiexec.exe
Token: SeCreateTokenPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeAssignPrimaryTokenPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeLockMemoryPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeIncreaseQuotaPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeMachineAccountPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeTcbPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSecurityPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeTakeOwnershipPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeLoadDriverPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSystemProfilePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSystemtimePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeProfSingleProcessPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeIncBasePriorityPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreatePagefilePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreatePermanentPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeBackupPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeRestorePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeShutdownPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeDebugPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeAuditPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSystemEnvironmentPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeChangeNotifyPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeRemoteShutdownPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeUndockPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSyncAgentPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeEnableDelegationPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeManageVolumePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeImpersonatePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreateGlobalPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreateTokenPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeAssignPrimaryTokenPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeLockMemoryPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeIncreaseQuotaPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeMachineAccountPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeTcbPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSecurityPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeTakeOwnershipPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeLoadDriverPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSystemProfilePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSystemtimePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeProfSingleProcessPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeIncBasePriorityPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreatePagefilePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreatePermanentPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeBackupPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeRestorePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeShutdownPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeDebugPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeAuditPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSystemEnvironmentPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeChangeNotifyPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeRemoteShutdownPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeUndockPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeSyncAgentPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeEnableDelegationPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeManageVolumePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeImpersonatePrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreateGlobalPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeCreateTokenPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeAssignPrimaryTokenPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe
Token: SeLockMemoryPrivilege	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WPS-0A6AB1D6FA31sshortcuts-custom.exe

pid process

1856 WPS-0A6AB1D6FA31sshortcuts-custom.exe
1856 WPS-0A6AB1D6FA31sshortcuts-custom.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

msiexec.exeWPS-0A6AB1D6FA31sshortcuts-custom.exeWsTaskLoad.exeTaskLoad.exeQQMusic.exeWallPaper.exe

description	pid	process	target process
PID 3032 wrote to memory of 2380	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2380	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2380	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2380	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2380	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2380	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2380	3032	msiexec.exe	MsiExec.exe
PID 1856 wrote to memory of 1460	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe	WPS-0A6AB1D6FA31sshortcuts-custom.exe
PID 1856 wrote to memory of 1460	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe	WPS-0A6AB1D6FA31sshortcuts-custom.exe
PID 1856 wrote to memory of 1460	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe	WPS-0A6AB1D6FA31sshortcuts-custom.exe
PID 1856 wrote to memory of 1460	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe	WPS-0A6AB1D6FA31sshortcuts-custom.exe
PID 1856 wrote to memory of 1460	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe	WPS-0A6AB1D6FA31sshortcuts-custom.exe
PID 1856 wrote to memory of 1460	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe	WPS-0A6AB1D6FA31sshortcuts-custom.exe
PID 1856 wrote to memory of 1460	1856	WPS-0A6AB1D6FA31sshortcuts-custom.exe	WPS-0A6AB1D6FA31sshortcuts-custom.exe
PID 3032 wrote to memory of 2788	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2788	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2788	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2788	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2788	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2788	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2788	3032	msiexec.exe	MsiExec.exe
PID 3032 wrote to memory of 2364	3032	msiexec.exe	WsTaskLoad.exe
PID 3032 wrote to memory of 2364	3032	msiexec.exe	WsTaskLoad.exe
PID 3032 wrote to memory of 2364	3032	msiexec.exe	WsTaskLoad.exe
PID 3032 wrote to memory of 2364	3032	msiexec.exe	WsTaskLoad.exe
PID 2364 wrote to memory of 1008	2364	WsTaskLoad.exe	TaskLoad.exe
PID 2364 wrote to memory of 1008	2364	WsTaskLoad.exe	TaskLoad.exe
PID 2364 wrote to memory of 1008	2364	WsTaskLoad.exe	TaskLoad.exe
PID 2364 wrote to memory of 1008	2364	WsTaskLoad.exe	TaskLoad.exe
PID 1008 wrote to memory of 1756	1008	TaskLoad.exe	QQMusic.exe
PID 1008 wrote to memory of 1756	1008	TaskLoad.exe	QQMusic.exe
PID 1008 wrote to memory of 1756	1008	TaskLoad.exe	QQMusic.exe
PID 1008 wrote to memory of 1756	1008	TaskLoad.exe	QQMusic.exe
PID 1756 wrote to memory of 2032	1756	QQMusic.exe	QQMusic.exe
PID 1756 wrote to memory of 2032	1756	QQMusic.exe	QQMusic.exe
PID 1756 wrote to memory of 2032	1756	QQMusic.exe	QQMusic.exe
PID 1756 wrote to memory of 2032	1756	QQMusic.exe	QQMusic.exe
PID 1008 wrote to memory of 1360	1008	TaskLoad.exe	TaskLoad.exe
PID 1008 wrote to memory of 1360	1008	TaskLoad.exe	TaskLoad.exe
PID 1008 wrote to memory of 1360	1008	TaskLoad.exe	TaskLoad.exe
PID 1008 wrote to memory of 1360	1008	TaskLoad.exe	TaskLoad.exe
PID 1756 wrote to memory of 2512	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2512	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2512	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2512	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2512	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2512	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2512	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2608	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2608	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2608	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2608	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2608	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2608	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2608	1756	QQMusic.exe	rundll32.exe
PID 1756 wrote to memory of 2416	1756	QQMusic.exe	WallPaper.exe
PID 1756 wrote to memory of 2416	1756	QQMusic.exe	WallPaper.exe
PID 1756 wrote to memory of 2416	1756	QQMusic.exe	WallPaper.exe
PID 1756 wrote to memory of 2416	1756	QQMusic.exe	WallPaper.exe
PID 2416 wrote to memory of 2812	2416	WallPaper.exe	WallPaper.exe
PID 2416 wrote to memory of 2812	2416	WallPaper.exe	WallPaper.exe
PID 2416 wrote to memory of 2812	2416	WallPaper.exe	WallPaper.exe
PID 2416 wrote to memory of 2812	2416	WallPaper.exe	WallPaper.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

TaskLoad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	TaskLoad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TaskLoad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TaskLoad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TaskLoad.exe

C:\Users\Admin\AppData\Local\Temp\WPS-0A6AB1D6FA31sshortcuts-custom.exe
"C:\Users\Admin\AppData\Local\Temp\WPS-0A6AB1D6FA31sshortcuts-custom.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\WPS-0A6AB1D6FA31sshortcuts-custom.exe
"C:\Users\Admin\AppData\Local\Temp\WPS-0A6AB1D6FA31sshortcuts-custom.exe" /i "C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\XXXXXXXXX.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\WSP Desktop" SECONDSEQUENCE="1" CLIENTPROCESSID="1856" CHAINERUIPROCESSID="1856Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\WPS-0A6AB1D6FA31sshortcuts-custom.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692893385 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\WPS-0A6AB1D6FA31sshortcuts-custom.exe" AI_INSTALL="1"
2⤵
- Enumerates connected drives
PID:1460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86F17D8496855F5325FC46E9ADD0CF29 C
2⤵
- Loads dropped DLL
PID:2380

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A3DB54C179C3DD6A27A44D240E71B2C7
2⤵
- Loads dropped DLL
PID:2788

C:\Users\Admin\AppData\Roaming\WSP Desktop\WsTaskLoad.exe
"C:\Users\Admin\AppData\Roaming\WSP Desktop\WsTaskLoad.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Public\Documents\TaskLoad.exe
C:\Users\Public\Documents\TaskLoad.exe
3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1008

C:\Users\Public\Documents\RECSLLE.BIN\system\QQMusic.exe
"C:\Users\Public\Documents\RECSLLE.BIN\system\QQMusic.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Public\Documents\RECSLLE.BIN\system\QQMusic.exe
"C:\Users\Public\Documents\RECSLLE.BIN\system\QQMusic.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
5⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:2512

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
5⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:2608

C:\Users\Public\Documents\RECSLLE.BIN\WallPaper.exe
"C:\Users\Public\Documents\RECSLLE.BIN\WallPaper.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Public\Documents\RECSLLE.BIN\WallPaper.exe
"C:\Users\Public\Documents\RECSLLE.BIN\WallPaper.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812

C:\Users\Public\Documents\TaskLoad.exe
"C:\Users\Public\Documents\TaskLoad.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1076

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E4" "00000000000003B0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f773738.rbs

Filesize
54KB

MD5
9ce01dea52f3b8f31564b7316230242a

SHA1
8da3010a1315fa3f4668d1604ca4324e7a9af9e4

SHA256
5eae6f29b070d362ddee3df437c94eae363104bbd957ae0c4335e98a206913af

SHA512
c094c86489f3fc31604af68aa2e881c13daaa804dfa51480749cf2e806cfeaf57cbebde3ca68cee28995df5cf906fdddb5aa770dc0ea2cee989d5408bc4aaa15

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
C:\SkySky\_1.dll

Filesize
44KB

MD5
d3aa0ddbe70c03c83718687c7b457f2b

SHA1
f67cd39ec5aec879b604dfe3bc005e173d339749

SHA256
76220671d937a57e8aebd6c1a81d26dc8bbbfa6468c182c5a119fdd5590bb0d1

SHA512
f964c5c284dd90900352b7551a52472d294353739900913ca71e702756eb1af423489a408d9c110353350725c4a894cbcb0bde550fe534e065e53a9f436c8dfa

Download Submit
C:\SkySky\_2

Filesize
118KB

MD5
d9a720694c95a3c56175c9bf84f79118

SHA1
c5b95a42610361a7c27767a85282eb2b9eebdf58

SHA256
e3d13178d51f49b88c7cac365cda3e78525c282660a6d16ab6136de4730c595e

SHA512
53f9e51714089ad00284bc79541cf531028fe12200eb62888d9f13d2f95dde18133b90d58db6460730aee3e93da40301cd82cddf0b04c5186b7daebc7c0d7e2a

Download Submit
C:\SkySky\_2.dll

Filesize
44KB

MD5
93d6e392d4988351d4c3700e45c02ce6

SHA1
bc0bb1f01167e15413c54a52f54b4e9b085403b4

SHA256
74163fabd8f98f96bb64216bcb9ebacbcae7d114df061a141ba1700c714ef544

SHA512
f4a8687789fa3161d18e1a09252aa0894ab14d99414482787251b9213a726105cbd123ecb12efc8ee4483a777bc0297604c52d0e22c1438a0d3182ff26f61c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1856\banner.jpg

Filesize
2KB

MD5
daf14d3480c7aa73a53415ff483b10a1

SHA1
db240a22410ac7536f5c833ca98322cca4180c3d

SHA256
0d2715e6689ea0cccc6cdfad328dab66f61df466fbbaf043cef2d05f9ad420c4

SHA512
7741a04025317179eaf14f7843f313f0e8922fd219c1d45db91e65e58229a1c948fb12120806507162d064b03dd4a45a8380210545a8a61910e622f0b3c736c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1856\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96C3.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI986A.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI98E7.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI98E7.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9975.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
C:\Users\Admin\AppData\Roaming\Consys21.png

Filesize
159KB

MD5
c19e58eeb25b77a90dc1d795183025cc

SHA1
8b78faec5892cead2436b8e77b6a2f49e6149de9

SHA256
8087639cd4f3f39b1fd4779787474ccee3aecb057bc82a9922aa51436b85e44f

SHA512
5d17f1111172616b0cd404339687d62ba158f5a2d92a9d10f2c322cc88b65a5183ee0fc84af092aff51e5b9b8aff8bf6b351516e5684cc4d287dbf0fa78447b6

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Finkit\ManicTime\ManicTime.xml

Filesize
3KB

MD5
dfe8def4e493eae4ce53296cb2e035ba

SHA1
a68ed8826e8641b2913b2f5af9d0cf4ec0d9f1b1

SHA256
af0b40b517b1fd802f9e19cd6c15fd15be4e9ea259f747a8456253c7329f3792

SHA512
cf8e8176bc9e5f7b5ad7f6b0479e9b1722a5a0463277b134f873bc27fccd01f3f5d8888053ece1118e207c92b622dee1519c25549c82b2624853e44b9d4ed4c1

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Log\WsTaskLoad.txt

Filesize
1KB

MD5
453729547709a58340ddea05babd3459

SHA1
a52943f31cbd10e92e99a566febadf484586eb30

SHA256
552adc3311d2d926dff357385667015962562fbb682ff938224a2a82ba965ab9

SHA512
96b88ac11146fb0b405628ab2f09a878629febb841ffde6ba7e057202e881e6a7969df9a8c32d17653dd7702ed1ba8b9ca7ce008f1a709e8e074add2d567e566

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.Client.Core\Lib\ClientPlugins.Core.dll

Filesize
34KB

MD5
b7617c1cc8709d153bfa98999fd52142

SHA1
2013f5a34b9c41cd401a2a2240e86f80414bf241

SHA256
1cf721ddfbbc82026851287746ff41c29557c560d2f4fdf9d5f9cdcf4ed7a17a

SHA512
93a9e5f592a69bd40b419ffb274cee2c6cc4c5faa83ebee9935c29c52184fdaa33dafa865bd1572fa41bee46ff0070459317cd70e9b337bca40c76f914ee843e

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.Client.Core\PluginSpec.json

Filesize
259B

MD5
11569f07eddc7bb827cfccf2c5a64ea2

SHA1
2d6e1be03b11c82b8aad5972ec07077cca6d3175

SHA256
7f44fd1d510a61edd6f698543d6c7b3e8e53d5cd926f1ee97980e543eef32ca4

SHA512
a7aeb62d4fe2b1d0521d3e2145dcdb518ca3a5688d0d61b81540ea0aa3fec7d2bd4127fc008b58708e89d71d4cd411081d29903e3fab352bca21f8e663b60092

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.Common.Core\Lib\CommonPlugins.Core.dll

Filesize
18KB

MD5
c36fb96168945d126b91df1022831bff

SHA1
0f297965ed507d5ae7e84387db54d6fddbc11a03

SHA256
8ed4518099a8892891fb3b686d928eb2bad461a70e5f3f128023bab0cc95b88e

SHA512
92d0ab52cb3dc4fb6022a2c11530e38359419e23391a7e9d136d4c4f88708d0bb715dd896bb70e34c0bf526a21595915b3c4bd2adf47b98bdf3d3365153b404b

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.Common.Core\PluginSpec.json

Filesize
259B

MD5
ce9769a5396de4354adc96015ced3e5b

SHA1
bc5f545f03b8afbc2c34098fa9840547a23b47c2

SHA256
64a96f8f91bde12638a063bf8691aabc4b8ecf9a822cbfe8aa7d00b05742ab6a

SHA512
379aac2793e590ad63bbd762dc117c8e983cba31a666665cfac5c9fad0aac064f98951bf784006193ca5267d4131973ca8093c56b5725485570feb8de1cbf690

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Acrobat\Lib\Plugins.Acrobat.dll

Filesize
61KB

MD5
d801e6dbea38a3b8998e1f811ddf858e

SHA1
6d85b1178b89849e54db58d744697e8a81321fe2

SHA256
be7f6230931d8a9b2a437d3ef52a7809eba8cc2f2bbaa7420eff0ac051610215

SHA512
452335fbf7bf09c759c0ba1ed622769f5f0312cc4a83f51bb5ef07b069dc1711a452c4a12e76d0e5063fd9d711f159c7e545e91035f8b7f615d60f77f9b0cc31

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Acrobat\Lib\Plugins.Common.dll

Filesize
88KB

MD5
be6dca4f68b731afd770ec22e12a087b

SHA1
ab7616d156c62dba96ed55ecf7bc4ba6db3e893a

SHA256
2b58e3033c18a6ca8c91c5c48f8e3f082e0c4fdb0e9c72f5ca8e6e42eac0437a

SHA512
0d8c0b92d3cfbbbcde9a7f75bc9c1554eff6cacbb65574e323186059f0b1d0c9e342b03ecce5a04ad0ab808e870c7c3aa647187f6927a9de5141efc83669086b

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Acrobat\PluginIcon.png

Filesize
1KB

MD5
7049a9bea7f237c31661bc48c5d61cf9

SHA1
caef3fa9b2cce81d0bb4b5126c23a71a5a9c6aea

SHA256
0a8829dfa5c01a1d9d8a8c3a16074689c9d02cbb3f7191ccfbda514a30f80a05

SHA512
6bbeff8a48d7cba39f774e0de69935b42243a79adcfb7de2eca52e3c07e9f5ae6d21e7321633014afb709468ffa36cbf62406f1be33be821946ecc71464aa4b1

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Acrobat\PluginSpec.json

Filesize
362B

MD5
abcc88a9b0cba2dc24f199c2bf00ef80

SHA1
1e504e627392118d83394cd5d98b1ac73d678fda

SHA256
4d5b2479bde51b99fd6c4bd9d00caa7ac7fc4067ee724f9a294bc628d561d4aa

SHA512
7681c8697649f4fc169c4bafa015727a9fe569b533424db5653419ef99ed0b43df279f316ffc7aa600b63d1ef2c9e6f56e8cfd51b78dd19a1fb687c57933aafb

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.AutoCAD\Lib\Plugins.AutoCAD.dll

Filesize
69KB

MD5
8b15e915e7247a03f9bab7a7a1dbcc74

SHA1
5152e64b75640ec4f2328d6a6a66789f9bacaa36

SHA256
25081f2beb17c2dcdc3e440b67f17cdac8bd56bb0d0dc5b33fc3887971f3ab49

SHA512
6683a783a8a2ef8799430da0c75a27faf8853604c57376767a6c56e22aae6d84c23069c068c76eefdf3ad54d3f7d0be7d0faa54880eeef326395582a6ef7efc7

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.AutoCAD\PluginIcon.png

Filesize
1KB

MD5
2b73243394b1c24ee40b91bc4d3bf87a

SHA1
a0056cce1f979f1190d29750aef2850198de1def

SHA256
81cb034723f8b22939be5102680911a4cb939c88b0a0ab82b948d086f674ea3f

SHA512
75ed7837dfb11c962da76e1650e00bf466f3e6a67fa7f26a84cde504a065e9e7ad21ecd22e7611bd6754a00a86e89dde88bf87a1c802d0dc5ed2b04dca9b2901

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.AutoCAD\PluginSpec.json

Filesize
359B

MD5
b6c364f4899fdb2fd0f84c6bd6bd6ce7

SHA1
0147b84ced7ce1af5dce39c02dc2ae416c8ebf65

SHA256
7f7f987d617dc0c26deae49cee28460b908040cc783b0f3a8ac15cd8fb68e32d

SHA512
e0e4757e75bd63f24988a28eab2c81b0ce32329088ed2216828e9ed994f6115a61ff35bde25ee171ad7f294080b6db5186da3490c20f1bdde993d5fd164be7e2

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.BluebeamRevu\Lib\Plugins.BluebeamRevu.dll

Filesize
78KB

MD5
aec1644f4afacd0cb5459cdda7927c1f

SHA1
bdbd04bc52845835b35b370d7aa27318f9c128e7

SHA256
2f215ef0246e6200dd3c496a2f97e1bdb14dc8e2c37c41fd1dd53da987f20a44

SHA512
9c9cca56f2e214396504f5505ba1e9a7126cd76f7239f921bcc0e211f9f61f5bfe5dd6f789e3cd7466e42094b944d632baee498b27b81dde539dd4b22714e986

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.BluebeamRevu\PluginIcon.png

Filesize
2KB

MD5
8d09c0fc09fe05a7855a8ca7bd05601e

SHA1
028a02b5672bc97c3f80c94f19e911e487f97741

SHA256
28746b1b04979f8295582d8f376640c00f18386821c128d974850e364487c69b

SHA512
2a1afad4e23715228055953d15fc4dbe54f6449c1dc27618a3e8db3ec127adb53ac8bd43d7da3d50075c0ee59b615b10383bf065b2354619bb434969d8f4df53

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.BluebeamRevu\PluginSpec.json

Filesize
356B

MD5
9b5ce4e9c85cd6714e1a276d967d557e

SHA1
85dd0ca6371f2fa2966925318c909e502351b373

SHA256
c7816bf0db0b3be178ede61ef202308f5b2d9438980a49a97567f8f21cc161be

SHA512
b29abc7ee39cde3ccc0da16bf147b99b6fc171fef25561f0f3b64b88dfecb8c069297d935f983cacac832d3e908d42f893308d8a8b882b166d4e3fd531f8edec

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Brave\Lib\Plugins.Brave.dll

Filesize
72KB

MD5
e486433a1be1a3d53d4f40c374af4ca9

SHA1
76ef15c8e05c81d9eaa945d5b76385498786266b

SHA256
1f824a1b731e40a45077763578d011f2f50f0aff333700902ae71dbb2e7e2119

SHA512
f79fa47e47ce47e9494a78eda8134e126a6ae066111471b6558277c55b252487f2a417070367817f658ac084414bc57ffc8999fcb7291536fba2ac573e30c3f5

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Brave\Lib\Plugins.Common.dll

Filesize
88KB

MD5
cd0f34da23b77b2e7eb547de08ea7415

SHA1
af9057b14f2796ff2af23300f49c82a826b3e8bb

SHA256
e9b0f66292b9e91c30dd59d73b296cd14ca69f5db0afd45a14a51a2bfcb244cd

SHA512
e94f05f93958b01744496173a0dc7d7ae948d51666b66de864ab64d3a27275baa8d69c5f8e711d997d2587dbf7640287a2610cd615c7234d62103be83fa860ff

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Brave\Lib\UIAComWrapper.dll

Filesize
181KB

MD5
e0066fc59cf8adca01f26b943d15a7cb

SHA1
6ca380019b7ae97aff97a0c04cb1abb041fde0c2

SHA256
34dd032ac0a9b03f72488cf2f6f4e5127c5c137187ee50bf7de8fef530762081

SHA512
f110b375fdb43e7fbbedf353b491a2e88c7265fa554ad453d1ed01c4ebc87014bbab7e4f383489ef62398e5b7ad11b9b2aca08831d9563acd9c65e2aa75ec5db

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Brave\PluginIcon.png

Filesize
1KB

MD5
6758ca5998907ed4322f229946c73193

SHA1
edd6e619870704eac6e2082799bb0e277ead2d38

SHA256
b3df0f707462793f6b6214945b5b9d3e36b8cccc776a5d554ae79b5b95bdf7e5

SHA512
ac40d5e1836eeb499d46bf276ec539fb607d8b1897b6b5df868d7e9ece7b776f67880667bff0053e2dcea8fb636224ad77b4475c2b890d5d5f62628c1cf8a07f

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Brave\PluginSpec.json

Filesize
332B

MD5
a9b5de6ebfe2d5661ca5275d4c6b67c0

SHA1
aed3ff9dc58d70bfcf7169e5e8653c25114e72e3

SHA256
da68a66bbc48e5bb83236fe1d7fb6498e40759e2268e63e70d4f08adb663dca3

SHA512
08d0099546041f468447d97add635f0116764e09f7ad6a9a857b53b2512be44bca38c16e92f7bcc1f517008638522ea95ff9c982e5899eef1e4f73ed7c1d7a99

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Chrome\Lib\Plugins.Chrome.dll

Filesize
90KB

MD5
c38c97001d3def0dceccf072ae1b0f76

SHA1
df98f7173563cdfa48f8dcba78ff54e31e4ff3b0

SHA256
6b80d7454e46ff2aeb73d447fdb8936071de99b215e0a9b1001f1dca548d7304

SHA512
05dfe12b55e06fb49ad4fdcc2a1868f54f4ae5a01350f41b8ac589d6c9d318b56460f88a09626c2c44a7f41fa530ff71afaec26ee7c4e8254c681f501faf9122

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Chrome\Lib\Plugins.Common.dll

Filesize
88KB

MD5
8266ecc45d2a7a58a68065b8f5e28e53

SHA1
f5246c6939f645d9213c072251ad7229d2902fde

SHA256
7cc309118784f85b3756f996ec5aff6137b3c5d5d8f5dfb0347093927487aa79

SHA512
ab69b5ecd81bc5aeb58618314adf46118552c1d0eca1d497e3c41695dcaf3cd8bc16b4e4e92dbf67427ee0de120bfc6bced327a78d2813ea452be5f5650e07b9

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Chrome\Lib\UIAComWrapper.dll

Filesize
181KB

MD5
e0066fc59cf8adca01f26b943d15a7cb

SHA1
6ca380019b7ae97aff97a0c04cb1abb041fde0c2

SHA256
34dd032ac0a9b03f72488cf2f6f4e5127c5c137187ee50bf7de8fef530762081

SHA512
f110b375fdb43e7fbbedf353b491a2e88c7265fa554ad453d1ed01c4ebc87014bbab7e4f383489ef62398e5b7ad11b9b2aca08831d9563acd9c65e2aa75ec5db

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Chrome\PluginIcon.png

Filesize
1KB

MD5
6a035f37544c45ef97fcfe4a4e2835d3

SHA1
fc3e7f9612907d747c033f28cc8a07656902d96e

SHA256
fed0ea28fc4e7684147b04039e3646445dc251524aa3b1ff1674061dbcc7401a

SHA512
6d5625bec0aed6fbb25f521796b7469c793a455dfc5be1ddad23452411b636d1c7c33898a7fc2fde3b44e8ae9302230d39ac10b5387dd87fd3eb0716e0676ce0

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Firefox\Lib\UIAComWrapper.dll

Filesize
181KB

MD5
e0066fc59cf8adca01f26b943d15a7cb

SHA1
6ca380019b7ae97aff97a0c04cb1abb041fde0c2

SHA256
34dd032ac0a9b03f72488cf2f6f4e5127c5c137187ee50bf7de8fef530762081

SHA512
f110b375fdb43e7fbbedf353b491a2e88c7265fa554ad453d1ed01c4ebc87014bbab7e4f383489ef62398e5b7ad11b9b2aca08831d9563acd9c65e2aa75ec5db

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\Plugins\Packages\ManicTime.DocumentTracker.Socket\PluginIcon.png

Filesize
3KB

MD5
38f3669b08448f2f7112ef6ce001d769

SHA1
9896758e7b43293cff2c7ed03c027285a18db522

SHA256
b412a5e761cf6eb5769c889af97c033cdabc03b8f2bfd756252ff725f97d2c9f

SHA512
4b869de8f7deab2fdaf80026a8bca3fcf35d5fe6b0bdd0062f2866f07fd516d791064eb1e6b93e544270fc3df214d98290abfbb2e50195239c72b8fa17040c37

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\0C4C5B331E3883CBs

Filesize
140B

MD5
b76a827933b2bc861e01f14922153c4d

SHA1
4bdaad89c24e4a1e4c2442948726d8acc3e87924

SHA256
5afcd1bd66f561279e29a26a06bec083fd075ce67035ccc79ac18bc7544f777d

SHA512
82e2a590183c61b9eab93f853a802c6667afb3b22391abfd72caf3df1e2d9483e89885e8a9345ccedd68cb6702ed60db720f25eb167399efd28efdec070d7958

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\728B3948F0F42A8As

Filesize
208KB

MD5
5a25632fb18c449c4c7c6a2820ba599f

SHA1
01ff8049fafaf75f27bea907718c40700351c835

SHA256
3e705a03306e11bfb6945a6ce7ead76cbb09e747c345b1f15fb819ea63110822

SHA512
3fbc72b23ea1b6ffe19ea8ce214bcf919a590576324772b2589334f99d9f48734b9cc2b449a3bbe5d22e6c4c06ef76cc7e7333f00eb1f838b0e76767f52696e5

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_18_0

Filesize
648KB

MD5
a9d5fcb4edadcf53399f1c5f9ae5d9ae

SHA1
210377216a6869a40655c75f47a392b4600f6f44

SHA256
a917a5dcf7e329dfb760ece674de96a01ab5e2f51751de95d032c4bb5e2a1f0e

SHA512
7a47a64e1dacc0b3c621b13d9d0cc60bf98d58d2a93add9beb87ce476cce296029f028feea1970bfacbbbaae6b143e24f8245ac32bfdf6cee65089b568bf6ec4

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_18_1

Filesize
648KB

MD5
28c7a651b3411fff0be43767457541f3

SHA1
64cc0c0474f72deb03459a47e91e6f1b5cc5a867

SHA256
0f1d63de6e20766acc95159db99724d5babbabbb9adb1506dc1337163ec61338

SHA512
bc3a5492c72293bf0dcfa1883e586e17dd16afce06817d466c6672e9ac6c04a1c74bddaedd0753b1ddfff20bd88ab36d055643369416725be95bfb7a72f37070

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_18_2

Filesize
648KB

MD5
8bae1c34285e15fae092ef5afb4bdb9a

SHA1
ce7098ffafa1a0150de43e390f4489bd0a35bfd1

SHA256
48d4c29de7c7e13c65856da6963a20f41f9001dab80bb72b68d61cab7fee1d33

SHA512
927581328052659a0e65df5499b5e16624145ff61512255c64770194384d7ea5b469c3b1301e63146de7b5fc01bf6acf6e81e567806cdfed3a4b306b98e18ca4

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_18_3

Filesize
648KB

MD5
28dc94bc2f0fd3ce3a70f5207ec35bde

SHA1
96cd2a1b1237270b857b72ac0b4f90c7111d0099

SHA256
0b2cb32c6eda76598f5ef427a7ef9309bf3d6c2cb206ca1e37f164636ff25bc3

SHA512
8eea266f16f517bbb2908738c5d027375b3452bae4032f187094e56c6830c05487acfb781182e02aa9dbdcb9c0e8d58fb28b5d7f9aca9ed7000488cbe0029fe0

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_18_4

Filesize
648KB

MD5
fa7909ed2d3e1d9a593ab5fa0d66958b

SHA1
8b1baf1bbf8ecb8d34fd155746f84e6887665dc6

SHA256
8935d03aa7c5c253c92ebf8fac42aaac5f0aa04b531ad3196954e45ee2b3a389

SHA512
d43a6b169a6e2c60e63e71e3aefd05f8e8c4b691672536943ed81dc342eff372aab51e8b25e6e17d4dabe9166f3520850bef8cc03604d003c0ec01b382691748

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_18_5

Filesize
648KB

MD5
7076344b06be17207948f79de741e3e7

SHA1
338e2311f944087807be80dd2fb2e8584e9bdd65

SHA256
43c24b430152745f6fb61fd27d2598489e21d60ae2f0e0c89bb264f484afe899

SHA512
9a518ad991a3263117c122b7cff14e6191ee91a40c5daa75e77fd854edbe7dac2c46a4a80fe0d91d5fda1ebf9d4ef0091b3d543c8abb52900584e0f0bdabc9dd

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_18_6

Filesize
648KB

MD5
677eaf4328bfa07263b0518d7a538c68

SHA1
2daabe657291c7088e45d09125c10247f52b81e6

SHA256
9522b74b926f4c3989e962f815ff7f1cb93e26f68522457e4f2e3dede4a64aeb

SHA512
87b5eb241f7f854ffc2b49d83b3c40be73693dd1a6c900d2d07c047f8e689d9fc44d6198a168372a4df53532d910d045c4141b321a5f2b33e36081399362fa4b

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_24_0

Filesize
1.1MB

MD5
e0d699a63ecfb007d72bf4a158a1dea6

SHA1
15bae81866f8dc89d256bf6aa6fe29e6ae1099f2

SHA256
89e572bbce672b25b93c9f95b4ae3e1295da308f79c7ed0342ad40e184b5a6e4

SHA512
a397a0a64c5fe734e98ef911d929897f0fa6b4d272956d0c5eca170a7e226783b52f4eb7871bd73bbf6517a98c6ba5e93608b1f8d807b320ab97e8555719ae94

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_24_1

Filesize
1.1MB

MD5
bb05e538eb0fd043124c1dbd7a54f6a0

SHA1
c44c550a754d87880e3413cfa0cb3bcbe7523edb

SHA256
0255d50c8fc8f036794a3cebdf2937a94821c6cf07caee1be90cf11fbf4f4c47

SHA512
ff6a9b0862307ebe85d72a62eefc09054290995c373f3c5b248bb6f04a6246d68160f6227873bc11649b894cd011f263c0d258796dffa09afb31412d78a8be69

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_24_2

Filesize
1.1MB

MD5
92cf692ec1350a03271cf7241d696852

SHA1
7af420c4564b67485bb6ea043a242f366fedef12

SHA256
ebd8b64b606c941b14c0b2a20d308672ecb0bae4e7bab5bf3180c820276f1355

SHA512
f3955b98ecef489e35274f7eef8d37c0650c078e651ac167c3ced8b0109536e0b3479cbe65d5c4b71aba0b0a8cccd531e6448740f638729159c70455d104a851

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_24_3

Filesize
1.1MB

MD5
cf672c2191ad9aabd4c380a95bf426e0

SHA1
e0c8d175e98483242f61efcb9885a8369051a9e8

SHA256
88e08b41b3470b4c1438f95d8e72164c5d8d9471f956d4545489e4f3ebd683d2

SHA512
ec68dd9a0d7292d9a570500d3e119db2056869814f0195f2d0b69d043a50a6031a0b122c016229a92015d2b3f34cba8f9939888fb469f1f73592f004d59af351

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_24_4

Filesize
1.1MB

MD5
eeea43d3974ad7c693bc76ecd2f687da

SHA1
939720d7aaf86ca815d75f08bea4cdb5d588f4bd

SHA256
64caf40aea1b4605b064f7aea7bce2eb745ec6ff1bea5621fc8d0e401e804f4f

SHA512
15a2396e3b06253add6b9e117540e65a63a1acc6c48b6a52c1f9b8929aacba3addb8e11bb879b3b7d8a75278c626886877cbe0ae4ae0ba498e1b4c2c76ba4618

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_24_5

Filesize
1.1MB

MD5
30692e87e6b0f97e6277ede297df9e84

SHA1
9184fe68950608bf81e706bb93f8f5b6dec26030

SHA256
b9e6942fcb22fd19400980b3fe0ce66cb1b90cae0f0a3d9e263f84265c6cb371

SHA512
07c7bd39596ca10ad8e3496eed24ed6b843a1dad3ef758c0a2a12993207b281e218f88dd71a8b73e7b78fd1c0c0686864a8cb79f5f1181e5bab41d5edf927b59

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\cache_24_6

Filesize
1.1MB

MD5
45da064a83b06d0619b45025a0607c79

SHA1
3cd0336619073a14ef2daef249a600ca1784af54

SHA256
9247ad81f3ce766c45a6393fc0aec29b60f351e629f6a19f7fc040241a34b07f

SHA512
0626c8625cbe2ea74d96e615db5b96eb72859e2b3eb26df6f381bb25f81ac5b1379ed690475b45eeef283c22ecb0ad95cfe39c0bc631676c669def06df523a0f

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\emoji\spoiler\text

Filesize
307KB

MD5
a1d394d31c1fec5385e2f5f97bc9f24b

SHA1
bf9de814b3a2cc9c0c304f82bb8ab2939063874e

SHA256
54e94c64a37343102af3f4e2c259abf2dd7d3b331740efd3f97e45acf302b075

SHA512
70c2df087970e2ef0441ff0467da16688dfd41e5d69d613e0bb4614b5f0b4f631966baa941ed523bb8ed1708b9208df348c48fd8af167b509b7099df7bc72bd6

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\key_datas

Filesize
388B

MD5
4d3c53ee7d54e14330cf75c310354880

SHA1
094596bfc0f355108282a51d6358cde7bff58555

SHA256
a59007ded96f2ae41212e4bd1eb3e8a51eadfdd8f026a3dcfdd15a8cd47397c3

SHA512
d270e032188f008bb1a4720e884f5bbdfcd5edc787754a93690ada3d0e7d7cdee2d8d71ae7b936ce5a043a19d4ede38f4ac8c6bf4cd355fdc806efc6af097f19

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\settingss

Filesize
1KB

MD5
9ea2226b8cb9ee14d64d5c339fcf4411

SHA1
0e6c4f7b504022848ff9f3fa0a8016a395ecccd0

SHA256
987cf01ece351b13693c31ad67abc563a8cce5bf8a143f5f011587d601527567

SHA512
35c3ab6c03cbad8cf0d3664ba823ac3b6d770bb1f3237527f953d7e1b89fd0ec66e0f4e03a96b8898783e820cef59119d1b548693adc052889c681627c3fb0b9

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\shortcuts-custom.json

Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\shortcuts-default.json

Filesize
2KB

MD5
9ea51336a584022a602818f3ec41d3f1

SHA1
41a937af2cde93b7e816170eb3d8979559bbfa65

SHA256
520bd18518ed7babfe97d39dee292d6dd242e044f426fa9a21556dc9e22aab69

SHA512
782c08fdf9b18adedd0891a768eb9e6d515f8decf7bb32efa76be255b6c61aa169e1e5e73b7a0c8901b11080a8bcde5bb8b47b2df30f3b76bf73379595ea91f5

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\PublicDocumentsFolder\tdata\usertag

Filesize
8B

MD5
46bcd1fbec9cb230942e8d832825719d

SHA1
5ce319eea7dd907529b32c95484534e9824db5be

SHA256
d463cade64d40b2935fbfc581dce1ed5471459965da09ee5e53ca0a147e76a73

SHA512
df634747a4eda012715f8e69353e5b49ff85a2c35ac38fb8aa4afa53a9b2011d486ab4ed7d4718768d51686ff7419e7f9d2f54f4551aa7ca8f2c8b091a012746

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\WsTaskLoad.exe

Filesize
2.0MB

MD5
faf4a129b091a57c3ff694dc721d4f3b

SHA1
7430935f501164b46b99766ed9ab68da0db50c24

SHA256
b1d13ed7409ca47f47d200f6b26d8da6a07e645ef49ddc9a28486f46bb8c41e7

SHA512
0103d9bfa27c809f978a2ac805e5eb59e07f0f0eef8aecf2713d8af1bff0d54fbc24043435cb67f550d5afdd6f0a2bc5c0026b6e920efe2ad21b619bbfbb0583

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\XXXXXXXXX.msi

Filesize
1.6MB

MD5
3c932bfa721ad55c547040080bdd2e6d

SHA1
b3492acd56b12b4e7e658b1a5eaa00a022d4f5ad

SHA256
c06b6054b0eb9d35c3a2c28f449da2fa6afb92b27a49232a01e3bcac78a2d3e5

SHA512
fea065720a33bddfdcbee5d8295f20ddc41cf577978884ae06281fbd6039efec9aca3de27c5c6fad025cd6e36c10cea72eae8163a0b59ef381423957de708939

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\9106702\XXXXXXXXX.msi

Filesize
1.6MB

MD5
3c932bfa721ad55c547040080bdd2e6d

SHA1
b3492acd56b12b4e7e658b1a5eaa00a022d4f5ad

SHA256
c06b6054b0eb9d35c3a2c28f449da2fa6afb92b27a49232a01e3bcac78a2d3e5

SHA512
fea065720a33bddfdcbee5d8295f20ddc41cf577978884ae06281fbd6039efec9aca3de27c5c6fad025cd6e36c10cea72eae8163a0b59ef381423957de708939

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\decoder.dll

Filesize
205KB

MD5
31daf181536165ef11461c18d98d04da

SHA1
9310a5837eb30fd3994f644b9913a88f945c4f98

SHA256
0e38b521210b476057892fa2085ee60d1fb79b8c77cceffdaa0e2ef5d63b0f09

SHA512
b10f62e3c1fec62c17ef00234c4f8c6fa1937cf2a3f63a1439fefe1daee3699135486fc303d1dc3b7e75d90048cf65300d3e0ded0b7d336ea08e9c9696ad6131

Download Submit
C:\Users\Admin\AppData\Roaming\WSP Desktop\WsTaskLoad.exe

Filesize
2.0MB

MD5
faf4a129b091a57c3ff694dc721d4f3b

SHA1
7430935f501164b46b99766ed9ab68da0db50c24

SHA256
b1d13ed7409ca47f47d200f6b26d8da6a07e645ef49ddc9a28486f46bb8c41e7

SHA512
0103d9bfa27c809f978a2ac805e5eb59e07f0f0eef8aecf2713d8af1bff0d54fbc24043435cb67f550d5afdd6f0a2bc5c0026b6e920efe2ad21b619bbfbb0583

Download Submit
C:\Users\Admin\AppData\Roaming\apple\Runlnk.lnk

Filesize
914B

MD5
be9d1d6b6d822bd77f25f646852b04c0

SHA1
e79fa7525553d1ca7144d2dc1005a1ac8fedeccb

SHA256
d48e97c79ee42b94f3192881af208581f149241a517934f449aaf2198f974790

SHA512
5ad1c4fc05bc818edfc6e6187996303c944c2ddd2d2392153623717118249a543bf7a35898b19e65a8893906a0b2b4038487fa5bf5aa06e65b16cfe8b7449d39

Download Submit
C:\Users\Public\Documents\RECSLLE.BIN\_1

Filesize
83KB

MD5
6f12798e2a0ced431388cb13e8d236fc

SHA1
133603eea4d3cb11a79be2a270e9325ecd70857d

SHA256
b6df9f2dd085e96fc1369442e2312c6f47ddd12ab77b103cfabb89bd167cea73

SHA512
044e7a7a76269003ac3c11ee9b08d5f157dabe6d6d3662982ad3fd028b5b025bf59ec69a1397f7597f2a4ef3f23afdd601e07a86b4b06d3a3f6beb14f14cd184

Download Submit
C:\Users\Public\Documents\RECSLLE.BIN\system\QQMusic.exe

Filesize
623KB

MD5
d9746c8d55bed7b372ccef704f96ddda

SHA1
61c6b8ba9108fc7617264bb7d58e163457946e5b

SHA256
afbfea15784c32277edf9d4c985d210c5c46baef46db1c6bed2d2a964d2b70fd

SHA512
e00d687bd7cee039c6eddddab2b89e26136f842bda19630de53220f3459a73a4bd2ba0c76267b977e265d7cdf98d21cd94d327fa143477a427ccd0a5fd57910e

Download Submit
C:\Users\Public\Documents\RECSLLE.BIN\system\Test.dll

Filesize
48KB

MD5
a38ba3a961f1363adad79bd246cf8a72

SHA1
215685b1c6ce8376268b23dd67632719ebff38b8

SHA256
c2e584914e4c621c401465598547fc48953d8209978b57ad78c75e36625f0ab2

SHA512
7eaf3bbb8dc0fdcc6b950a1053a0cd08f8e52384dad2b1fac2193dccd7cbef77a358661c57d671e32e65669137f1a62e78a6d234030267fd31513e2771711c1c

Download Submit
C:\Users\Public\Documents\RECSLLE.BIN\system\_3.dll

Filesize
48KB

MD5
6bcbad2eaa5921108fdeb1cfc561fb14

SHA1
e17c6e3338d266a89f5884e64b94abf76bea5bab

SHA256
0dc305824cca9bca3e44110bc0bd102644ec3d8d95bb014839bb00208bb77953

SHA512
a89bbafdedc2a56da8f9495b0883132327b693dba23d9241036fa4665816b20f48f576bfc64f2d9acb26af219c337188179df4031523ca98baf15bcf3cfd4957

Download Submit
C:\Users\Public\Documents\RECSLLE.BIN\system\fntestdll.dll

Filesize
108KB

MD5
4dc3df2173419a275c92f56724b450ff

SHA1
633f9ea02f758c52b39633ae595e962954e2d68b

SHA256
8b7e6d8c7851bff5d8b70016b834262f466ae57011f1449c3efed8a5c3f08704

SHA512
603ad1fd521e678dea0ea9a438c053601f4b0ef34982f883b3ef7e859ca4f7a5d5ed95bb5b1ad86ea57c74f0ff9ed831dcbf3591114ec859ad2df88495e3822a

Download Submit
C:\Verifier\OaEACA

Filesize
58KB

MD5
d3061f1f67664394011febe9f53664f2

SHA1
b0353a66c1d481cb7c49e2f2037de40fcb6a91dc

SHA256
bbd6380dc9652016eea5163fdfb933add8c3e06a88b627ec66007d19f549d4c8

SHA512
88bf39d51c5701acaa9d4117498df35937b96bed9910c09ed9f6f29eb453a115b4504689bbaddb88fef3dd70ea51ce2b3c05ffe33654cf5aa659a5f88e600777

Download Submit
C:\Windows\Installer\MSI385F.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
C:\Windows\Installer\MSI3969.tmp

Filesize
575KB

MD5
8c1a778e0754301c97a660dbf3e8303b

SHA1
f489c45cde796de0d23ee862948f5e50379dee60

SHA256
000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54

SHA512
010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea

Download Submit
\Users\Admin\AppData\Local\Temp\MSI96C3.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
\Users\Admin\AppData\Local\Temp\MSI986A.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
\Users\Admin\AppData\Local\Temp\MSI98E7.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
\Users\Admin\AppData\Local\Temp\MSI9975.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\decoder.dll

Filesize
205KB

MD5
31daf181536165ef11461c18d98d04da

SHA1
9310a5837eb30fd3994f644b9913a88f945c4f98

SHA256
0e38b521210b476057892fa2085ee60d1fb79b8c77cceffdaa0e2ef5d63b0f09

SHA512
b10f62e3c1fec62c17ef00234c4f8c6fa1937cf2a3f63a1439fefe1daee3699135486fc303d1dc3b7e75d90048cf65300d3e0ded0b7d336ea08e9c9696ad6131

Download Submit
\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\decoder.dll

Filesize
205KB

MD5
31daf181536165ef11461c18d98d04da

SHA1
9310a5837eb30fd3994f644b9913a88f945c4f98

SHA256
0e38b521210b476057892fa2085ee60d1fb79b8c77cceffdaa0e2ef5d63b0f09

SHA512
b10f62e3c1fec62c17ef00234c4f8c6fa1937cf2a3f63a1439fefe1daee3699135486fc303d1dc3b7e75d90048cf65300d3e0ded0b7d336ea08e9c9696ad6131

Download Submit
\Users\Admin\AppData\Roaming\WSP Desktop\WSP Desktop 4.1.0\install\decoder.dll

Filesize
205KB

MD5
31daf181536165ef11461c18d98d04da

SHA1
9310a5837eb30fd3994f644b9913a88f945c4f98

SHA256
0e38b521210b476057892fa2085ee60d1fb79b8c77cceffdaa0e2ef5d63b0f09

SHA512
b10f62e3c1fec62c17ef00234c4f8c6fa1937cf2a3f63a1439fefe1daee3699135486fc303d1dc3b7e75d90048cf65300d3e0ded0b7d336ea08e9c9696ad6131

Download Submit
\Windows\Installer\MSI385F.tmp

Filesize
436KB

MD5
5788efa607d26332d6d7f5e6a1f6bd6f

SHA1
e7749843cc3e89bc81649087de4ad44c93d48bc6

SHA256
9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d

SHA512
ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104

Download Submit
\Windows\Installer\MSI3969.tmp

Filesize
575KB

MD5
8c1a778e0754301c97a660dbf3e8303b

SHA1
f489c45cde796de0d23ee862948f5e50379dee60

SHA256
000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54

SHA512
010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea

Download Submit
memory/1008-734-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1008-743-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/1008-747-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1008-754-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/1008-770-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/1008-807-0x0000000003E10000-0x0000000004313000-memory.dmp

Filesize
5.0MB

Download
memory/1008-813-0x0000000003E10000-0x0000000004313000-memory.dmp

Filesize
5.0MB

Download
memory/1008-814-0x0000000003E10000-0x0000000004313000-memory.dmp

Filesize
5.0MB

Download
memory/1008-817-0x00000000044B0000-0x00000000049B3000-memory.dmp

Filesize
5.0MB

Download
memory/1008-820-0x00000000044B0000-0x00000000049B3000-memory.dmp

Filesize
5.0MB

Download
memory/1008-746-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/1008-735-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1008-880-0x00000000044B0000-0x00000000049B3000-memory.dmp

Filesize
5.0MB

Download
memory/1008-738-0x0000000003350000-0x0000000003463000-memory.dmp

Filesize
1.1MB

Download
memory/1008-881-0x00000000044B0000-0x00000000049B3000-memory.dmp

Filesize
5.0MB

Download
memory/1008-733-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1008-748-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/1360-985-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1360-935-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1360-933-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1360-931-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1360-983-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1360-956-0x00000000030D0000-0x00000000031E3000-memory.dmp

Filesize
1.1MB

Download
memory/1360-921-0x0000000000780000-0x00000000008EC000-memory.dmp

Filesize
1.4MB

Download
memory/1756-909-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/1756-905-0x00000000002D0000-0x00000000002EE000-memory.dmp

Filesize
120KB

Download
memory/1756-913-0x0000000001D40000-0x0000000001D79000-memory.dmp

Filesize
228KB

Download
memory/1756-1047-0x0000000005960000-0x0000000005E63000-memory.dmp

Filesize
5.0MB

Download
memory/1756-912-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/1756-977-0x0000000001D40000-0x0000000001D79000-memory.dmp

Filesize
228KB

Download
memory/1756-910-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/1756-1195-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1756-908-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1756-976-0x0000000004BC0000-0x00000000050C3000-memory.dmp

Filesize
5.0MB

Download
memory/1756-907-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1756-906-0x00000000002F0000-0x00000000002FD000-memory.dmp

Filesize
52KB

Download
memory/1756-994-0x0000000004BC0000-0x00000000050C3000-memory.dmp

Filesize
5.0MB

Download
memory/1756-917-0x0000000001D40000-0x0000000001D79000-memory.dmp

Filesize
228KB

Download
memory/1756-904-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1756-975-0x0000000001D40000-0x0000000001D79000-memory.dmp

Filesize
228KB

Download
memory/1756-955-0x0000000001D40000-0x0000000001D79000-memory.dmp

Filesize
228KB

Download
memory/1756-1066-0x0000000005960000-0x0000000005E63000-memory.dmp

Filesize
5.0MB

Download
memory/1856-56-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1856-0-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2032-923-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2032-922-0x0000000000270000-0x000000000027D000-memory.dmp

Filesize
52KB

Download
memory/2032-934-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/2032-1200-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2032-939-0x0000000000610000-0x0000000000649000-memory.dmp

Filesize
228KB

Download
memory/2032-930-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2032-925-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2032-924-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2032-920-0x00000000001D0000-0x00000000001EE000-memory.dmp

Filesize
120KB

Download
memory/2032-943-0x0000000000610000-0x0000000000649000-memory.dmp

Filesize
228KB

Download
memory/2364-728-0x0000000003120000-0x0000000003233000-memory.dmp

Filesize
1.1MB

Download
memory/2364-737-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2364-736-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2364-724-0x0000000000610000-0x000000000077C000-memory.dmp

Filesize
1.4MB

Download
memory/2364-725-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2416-1147-0x0000000002BF0000-0x00000000030F3000-memory.dmp

Filesize
5.0MB

Download
memory/2416-1146-0x0000000002BF0000-0x00000000030F3000-memory.dmp

Filesize
5.0MB

Download
memory/2416-1107-0x00000000003C0000-0x00000000003DB000-memory.dmp

Filesize
108KB

Download
memory/2416-1156-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/2416-1160-0x00000000003C0000-0x00000000003DB000-memory.dmp

Filesize
108KB

Download
memory/2416-1162-0x0000000002BF0000-0x00000000030F3000-memory.dmp

Filesize
5.0MB

Download
memory/2416-1041-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/2416-992-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/2416-1207-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/2812-1155-0x00000000001A0000-0x00000000001CE000-memory.dmp

Filesize
184KB

Download
memory/2812-1209-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download