Analysis
-
max time kernel
300s -
max time network
294s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system -
submitted
17/09/2023, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
Resource
win10-20230915-en
General
-
Target
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
-
Size
476KB
-
MD5
76f37b780edf118a0364fab327167a0c
-
SHA1
78dbbff57068378e4709afea5ba35561eb157ef5
-
SHA256
32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e
-
SHA512
f677065ad4a920fbd819dae3eff010f35b794ac3d2f2031acbad8162fa4cb9d398420ba5d665b4260f0a17832d149e617d097be5c4986ea7a31a33fd3878b7b3
-
SSDEEP
12288:y5QaO7SIsbbv4/lDv0zMrcoZPPPKW1ICFBCGw:ravv4tDKMrVPKsIkCGw
Malware Config
Extracted
C:\Users\Admin\Desktop\info.hta
Extracted
C:\info.hta
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 5 IoCs
resource yara_rule
behavioral1/files/0x0005000000018fff-3161.dat family_ammyyadmin
behavioral1/files/0x0005000000018fff-3160.dat family_ammyyadmin
behavioral1/files/0x0005000000018fff-3157.dat family_ammyyadmin
behavioral1/files/0x0005000000018fff-3155.dat family_ammyyadmin
behavioral1/files/0x0005000000018fff-3173.dat family_ammyyadmin
-
Detect rhadamanthys stealer shellcode 4 IoCs
resource yara_rule
behavioral1/memory/2096-18-0x0000000002360000-0x0000000002760000-memory.dmp family_rhadamanthys
behavioral1/memory/2096-20-0x0000000002360000-0x0000000002760000-memory.dmp family_rhadamanthys
behavioral1/memory/2096-21-0x0000000002360000-0x0000000002760000-memory.dmp family_rhadamanthys
behavioral1/memory/2096-30-0x0000000002360000-0x0000000002760000-memory.dmp family_rhadamanthys
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target
PID 2096 created 1224 2096 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe 14
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
436 bcdedit.exe
1960 bcdedit.exe
-
Renames multiple (314) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process
1740 wbadmin.exe
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process
1820 netsh.exe
2560 netsh.exe
-
Deletes itself 1 IoCs
pid Process
2824 certreq.exe
-
Drops startup file 3 IoCs
description ioc Process
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\K7q2469.exe K7q2469.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini K7q2469.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[9956592F-3483].[[email protected]].8base K7q2469.exe
-
Executes dropped EXE 15 IoCs
pid Process
2556 y5SaZzr.exe
2676 QyQ{w6.exe
2848 y5SaZzr.exe
1028 K7q2469.exe
852 K7q2469.exe
1036 K7q2469.exe
2932 K7q2469.exe
792 K7q2469.exe
1676 7B29.exe
2084 7B29.exe
2132 8586.exe
3012 svchost.exe
2580 8586.exe
3040 8586.exe
224 8586.exe
-
Loads dropped DLL 7 IoCs
pid Process
2656 Process not Found
1676 7B29.exe
1648 explorer.exe
1648 explorer.exe
2132 8586.exe
2132 8586.exe
2132 8586.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook certreq.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook certreq.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook certreq.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook certreq.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook certreq.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook certreq.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\K7q2469 = "C:\\Users\\Admin\\AppData\\Local\\K7q2469.exe" K7q2469.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\K7q2469 = "C:\\Users\\Admin\\AppData\\Local\\K7q2469.exe" K7q2469.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8586.exe'\"" 8586.exe
-
Drops desktop.ini file(s) 64 IoCs
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PhysicalDrive0 svchost.exe
-
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target
PID 2568 set thread context of 2096 2568 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe 29
PID 2556 set thread context of 2848 2556 y5SaZzr.exe 37
PID 1028 set thread context of 852 1028 K7q2469.exe 39
PID 1036 set thread context of 792 1036 K7q2469.exe 42
PID 1676 set thread context of 2084 1676 7B29.exe 54
PID 2132 set thread context of 224 2132 8586.exe 91
-
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI y5SaZzr.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI y5SaZzr.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI y5SaZzr.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 certreq.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString certreq.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
2248 vssadmin.exe
-
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2568 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe 2096 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe 2096 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe 2096 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe 2096 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe 2824 certreq.exe 2824 certreq.exe 2824 certreq.exe 2824 certreq.exe 2848 y5SaZzr.exe 2848 y5SaZzr.exe 1036 K7q2469.exe 1036 K7q2469.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 852 K7q2469.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 852 K7q2469.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 852 K7q2469.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 852 K7q2469.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 852 K7q2469.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 852 K7q2469.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1224 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 33 IoCs
pid Process 2848 y5SaZzr.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1648 explorer.exe 1648 explorer.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 3012 svchost.exe 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE 1224 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process
1224 Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  PID:1224
  [depth 2] C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
    [depth 3] C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
      command line: C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
      PID:3036
    [depth 3] C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
      command line: C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e.exe
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:2096
  [depth 2] C:\Windows\system32\certreq.exe
    command line: "C:\Windows\system32\certreq.exe"
    - Deletes itself
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
  [depth 2] C:\Users\Admin\AppData\Local\Temp\7B29.exe
    command line: C:\Users\Admin\AppData\Local\Temp\7B29.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
    [depth 3] C:\Users\Admin\AppData\Local\Temp\7B29.exe
      command line: C:\Users\Admin\AppData\Local\Temp\7B29.exe
      - Executes dropped EXE
      PID:2084
  [depth 2] C:\Users\Admin\AppData\Local\Temp\8586.exe
    command line: C:\Users\Admin\AppData\Local\Temp\8586.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
    [depth 3] C:\Users\Admin\AppData\Local\Temp\8586.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8586.exe"
      - Executes dropped EXE
      PID:2580
    [depth 3] C:\Users\Admin\AppData\Local\Temp\8586.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8586.exe"
      - Executes dropped EXE
      PID:3040
    [depth 3] C:\Users\Admin\AppData\Local\Temp\8586.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8586.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID:224
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2832
  [depth 2] C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:2208
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:2044
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:964
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:1784
  [depth 2] C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:2528
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:2156
  [depth 2] C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:2340
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:800
  [depth 2] C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:2080
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:2856
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:2740
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    PID:2556
  [depth 2] C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe
    PID:1264
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe
    - Loads dropped DLL
    - Suspicious behavior: MapViewOfSection
    PID:1648
    [depth 3] C:\Users\Admin\AppData\Local\Temp\D6DF.tmp\svchost.exe
      command line: C:\Users\Admin\AppData\Local\Temp\D6DF.tmp\svchost.exe -debug
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of FindShellTrayWindow
      PID:3012
      [depth 4] C:\Windows\SysWOW64\ctfmon.exe
        command line: ctfmon.exe
        PID:1968
[depth 1] C:\Users\Admin\AppData\Local\Microsoft\y5SaZzr.exe
  command line: "C:\Users\Admin\AppData\Local\Microsoft\y5SaZzr.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
  [depth 2] C:\Users\Admin\AppData\Local\Microsoft\y5SaZzr.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\y5SaZzr.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2848
[depth 1] C:\Users\Admin\AppData\Local\Microsoft\QyQ{w6.exe
  command line: "C:\Users\Admin\AppData\Local\Microsoft\QyQ{w6.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:2272
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:1944
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:2424
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:1660
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:1856
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:2012
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:1932
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:2808
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:2044
  [depth 2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    PID:1148
[depth 1] C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
  command line: "C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
  [depth 2] C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:852
    [depth 3] C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
      command line: "C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1036
      [depth 4] C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
        command line: C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
        - Executes dropped EXE
        PID:2932
      [depth 4] C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
        command line: C:\Users\Admin\AppData\Local\Microsoft\K7q2469.exe
        - Executes dropped EXE
        PID:792
    [depth 3] C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      PID:1928
      [depth 4] C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID:2248
      [depth 4] C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID:3020
      [depth 4] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID:436
      [depth 4] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID:1960
      [depth 4] C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
        PID:1740
    [depth 3] C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      PID:2084
      [depth 4] C:\Windows\system32\netsh.exe
        command line: netsh advfirewall set currentprofile state off
        - Modifies Windows Firewall
        PID:1820
      [depth 4] C:\Windows\system32\netsh.exe
        command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
        PID:2560
    [depth 3] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
      - Modifies Internet Explorer settings
      PID:2712
    [depth 3] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
      - Modifies Internet Explorer settings
      PID:216
    [depth 3] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
      - Modifies Internet Explorer settings
      PID:1212
    [depth 3] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
      - Modifies Internet Explorer settings
      PID:2148
[depth 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:856
[depth 1] C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
[depth 1] C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID:1664
[depth 1] C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  PID:1704
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (2)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[9956592F-3483].[[email protected]].8base
Filesize: 143.1MB
MD5: d27b962b4aab090c5a83b34112bfa5b9
SHA1: 04645b95fa58ac615125755b1a9ae103716b6776
SHA256: a6b57976f2d79cb1dc0d7fcdbc0f0e96bbfcbb4e63b7fae3c256344c17673de7
SHA512: c8af51563d0268e297dd58c72952ecd1bffa51e8eca852349ae52891216280f8b85b5dcb8c2bef749ef9e6cb9c2e804913da935b8423f2747fd11d2bf5c88757
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 896KB
MD5: 7b4f90ff07d0fa2e763fd680b1e963c9
SHA1: 47f1d9453dd31b2467f3f11580fba975ed69246d
SHA256: 5228ff83506f82456b550462d53e68f7bc82b793d99c167b6674d853aa6b68b0
SHA512: 5385fb7df409be3214a1de1b565694ed6e3491ff0f066709084673cc2975560895ab473dfc8a35ec25be999ea32abbc21c7732b99fa51792103f1e05f1e1ea9b
-
Filesize: 896KB
MD5: 7b4f90ff07d0fa2e763fd680b1e963c9
SHA1: 47f1d9453dd31b2467f3f11580fba975ed69246d
SHA256: 5228ff83506f82456b550462d53e68f7bc82b793d99c167b6674d853aa6b68b0
SHA512: 5385fb7df409be3214a1de1b565694ed6e3491ff0f066709084673cc2975560895ab473dfc8a35ec25be999ea32abbc21c7732b99fa51792103f1e05f1e1ea9b
-
Filesize: 254KB
MD5: 1cadf90bf8f34a7882c2fb7b5502ecc4
SHA1: 691f500be4b5bdaefe80d37484ccccec775b94a2
SHA256: 698feaad17bb10e502197481eb6f84983e8d3579286622a97205bf81a3098263
SHA512: 3a2f8ffedffc418ca9e7019c2a59f0b1b155516edfc2acfb7238224a4b3d4897caf8a12ef55a327741334de0c4d07c3d467c3d21a980e6a676338f09ffff9eb1
-
Filesize: 254KB
MD5: 1cadf90bf8f34a7882c2fb7b5502ecc4
SHA1: 691f500be4b5bdaefe80d37484ccccec775b94a2
SHA256: 698feaad17bb10e502197481eb6f84983e8d3579286622a97205bf81a3098263
SHA512: 3a2f8ffedffc418ca9e7019c2a59f0b1b155516edfc2acfb7238224a4b3d4897caf8a12ef55a327741334de0c4d07c3d467c3d21a980e6a676338f09ffff9eb1
-
Filesize: 254KB
MD5: 1cadf90bf8f34a7882c2fb7b5502ecc4
SHA1: 691f500be4b5bdaefe80d37484ccccec775b94a2
SHA256: 698feaad17bb10e502197481eb6f84983e8d3579286622a97205bf81a3098263
SHA512: 3a2f8ffedffc418ca9e7019c2a59f0b1b155516edfc2acfb7238224a4b3d4897caf8a12ef55a327741334de0c4d07c3d467c3d21a980e6a676338f09ffff9eb1
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 327B
MD5: 851dc483e8f5b8446fc0eaac2f8f173a
SHA1: ae52085e6505be0984598b8b81a7e79973998e4c
SHA256: 577fd153c7a1dd179cc906386de4d57ee01b0eba1938f2a440d05016222c9621
SHA512: 00be075cb132c07e10085de80e89a0d8a28afc06f0d0be55a1b134482d164ba4c656f376dfbcacc88e7cfa8db0ee8c56c7c41df71ad9401cf7d13754a285e4c9
-
Filesize: 798KB
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize: 798KB
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize: 798KB
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize: 254KB
MD5: 1cadf90bf8f34a7882c2fb7b5502ecc4
SHA1: 691f500be4b5bdaefe80d37484ccccec775b94a2
SHA256: 698feaad17bb10e502197481eb6f84983e8d3579286622a97205bf81a3098263
SHA512: 3a2f8ffedffc418ca9e7019c2a59f0b1b155516edfc2acfb7238224a4b3d4897caf8a12ef55a327741334de0c4d07c3d467c3d21a980e6a676338f09ffff9eb1
-
Filesize: 438KB
MD5: 77df17cf4369ffd0b7b0a46080767e7a
SHA1: e51101d73260f14a57e46eadab2c8a0dc2440971
SHA256: 6358a5032f2f399527a9a85b8477f0a385f09fa581aa30b0b1876e40ab50665c
SHA512: 54c62f7601a1d5af76d9880090671773b1ee0dad1f4b8e8ecf262011859a5e88fda3750120f3479036e6780e9774ddc2c1ce600834ff03a71da955d244808b93
-
C:\Users\Admin\Desktop\CheckpointEdit.crw.id[9956592F-3483].[[email protected]].8base
Filesize: 322KB
MD5: 1b6a18c0c05111ae06105b4b9f395b02
SHA1: 0800597434f10ebd99c64eee3327bf87fe969905
SHA256: d6f2fae9f68406b15465dd3b6d6711502ebc4aee2141ec8c67e4027abc16cff7
SHA512: 623147d7a75cece948e977de1704966facdd990c688973997045d10be07317e46e2a3f507c4cfc71e75c08cca38134c400b60afddb25b48c679c039807bfcd70
-
C:\Users\Admin\Desktop\CompareWrite.DVR-MS.id[9956592F-3483].[[email protected]].8base
Filesize: 208KB
MD5: f766e7b591273e7ecbde4dac333609e9
SHA1: fcbd61d858cc784ae68ad8e738a2f75f70db3830
SHA256: 531ec4c29c34bd2d16f58b0915a2e6cdba4353d333ff95821304cdb3bf5141ba
SHA512: 531276650f498c9a018727a9261f3f8114afd9eb982ff43a8d3ff7c6cb82133332fdd5da3d036ce64d038d8554f9c5033b2719f82e97a55946263f022595614f
-
C:\Users\Admin\Desktop\CompressTest.easmx.id[9956592F-3483].[[email protected]].8base
Filesize: 347KB
MD5: 451eee752dc53cf568555af65f2a7ff8
SHA1: 17827de90461bf9b057dbdb15777ae036ed0ac45
SHA256: 03325ad5f537d5b619ddefe336c232afc89b367e3286b9991de0372446a224f2
SHA512: 27934e779237f9e995da8690660e0e1adc1846dcd01fe913d3bc039052a013ca937ef32e5edcee3fc63cf39ff70bd71c7c0a10c9e9724c7e75d35750ca886db3
-
C:\Users\Admin\Desktop\CompressUnlock.xlsm.id[9956592F-3483].[[email protected]].8base
Filesize: 234KB
MD5: 3ceefbbe5cbf18ab22ee3ccd80b71425
SHA1: 9819b0c4a01afd036be01f840a77089832b4de65
SHA256: f188044f553cf8a0b22d45a673fb14745ee8d2531db24efb1624ee903c61eeea
SHA512: 9c870dc901173944fdb13f11441ee39e922ced4d7824cbbfbc333d4bbc91a6bb983d7e7f27620c34380fd76bf6878efdf0103d402f8d84e5c139fd13086addd3
-
C:\Users\Admin\Desktop\DebugDismount.svgz.id[9956592F-3483].[[email protected]].8base
Filesize: 474KB
MD5: 22f83bbbd28461e28d393ad3acaecef3
SHA1: 4cd4203794079c75808ea798c9216153aefa9047
SHA256: 97d084ca889d37f2effd74499b497d4aeed5910d43a1e1c4e36d26db8a81b1b9
SHA512: daa8fcc0a5931b1978837452ff45d876a39340c7474de3296405e7714064c9ab76bd11f15898c4e1a29ae4263b705c51093129df0ac2cf845b08d5c1edc7297e
-
C:\Users\Admin\Desktop\DenyPublish.zip.id[9956592F-3483].[[email protected]].8base
Filesize: 411KB
MD5: f9b2178182ff497c0379f89f1607d961
SHA1: a47b10941044c393b3da0e356c435c805ea60b1d
SHA256: d35ce565ade15aa1fbf67e73d5fbdb879674d8fb1ac84b0e245c37cecd97e1f4
SHA512: 7614c7cbaff7a4c58bddb6d34f3c05fb572c35dd9768f16500eeb0ea670453e01923734203f9c80e8cf90b82219fc1efcfd09ec351cc3aca9813221e8968aa30
-
C:\Users\Admin\Desktop\DisableBlock.rtf.id[9956592F-3483].[[email protected]].8base
Filesize: 461KB
MD5: b364301ca7094abd6ced5996a3e8bf69
SHA1: 99aef9aec94ec86430980569c0884956ebe7852e
SHA256: 724fc56ba8f5a8f9def618dcc83aee1733bc1a6ea7c74743a38383f6b150682a
SHA512: 869174d0abdda432921aeacfbcb81e6be9b6843cb22fbbcbf7764c9b0c899bf69da9f321166f1adf8fb3ba8712493704b58e08d3465d49006eadcad482e9a490
-
C:\Users\Admin\Desktop\EnableBackup.jpeg.id[9956592F-3483].[[email protected]].8base
Filesize: 246KB
MD5: 01dea04cef5267675ec42943e02303c5
SHA1: 66f64baf14cdd440a9458751ca4e31d838977d6c
SHA256: a3f9a6954426ed43886b4911eed4eb3ac4717f7f72a0d5287809cae767ce2d77
SHA512: 6848dabf705be2f001fe4c00234a4ec0f59129c8bc5d7927260c542b9a63249e63dc46cdadcad5cc1adf1d2a4bac11e5a68c074e23dd1a061ac8888b7d77cf9d
-
C:\Users\Admin\Desktop\ExitFormat.sys.id[9956592F-3483].[[email protected]].8base
Filesize: 183KB
MD5: 0266f8b38fc5bf1157f48fd3c8beeaa1
SHA1: 1fb39ce19183ca50c9cc1b2b7f41475ae0213fee
SHA256: a749b5ed85e79100e87faf46bfcb5c1a39a260c672ce278bd060e286a3165122
SHA512: 9ffc630f6c627a93768e4b0c128547e863dc55137a4aabab590167aa3ad236b6f952e44c58d478ee1a490c0a2fdeb96eaeef1e2027eba42aa142398ae2b4acff
-
C:\Users\Admin\Desktop\ExpandUninstall.ini.id[9956592F-3483].[[email protected]].8base
Filesize: 449KB
MD5: 97c246d6487039b51ad66062d17026c7
SHA1: 15215c2dc0a207453ea973ed95576d8dc3a24cd1
SHA256: c2543b0d24fe01440524ba670bafe4e05e8b123d2d8c632952c6d664bd5756bb
SHA512: b5142c8156482064f4850880ecc9372c5b695dd810a14d449cb580c4ef384e4d9105a8b50bed3e48c6d2f4378030fde3f3395d7df917be60c7be8be18aa1cb6a
-
C:\Users\Admin\Desktop\FormatSave.ADT.id[9956592F-3483].[[email protected]].8base
Filesize: 670KB
MD5: 5a2545c176f8206f97b5f03076706d2f
SHA1: 797acc49cb070b6cad0c26bf215b56f56cc01114
SHA256: 014fbe1393d68414919d7effcef1f6f6ceec592e1037e38d4702ed8691b35b68
SHA512: 59c28829d1be77dd23a8db95fbb434834b754360b18edc98c34ad6fe2d11514e9c533436b4a3710e94ecab43ba5f5a27c219111833e1cca097719b5f7207d30c
-
C:\Users\Admin\Desktop\JoinMount.ram.id[9956592F-3483].[[email protected]].8base
Filesize: 385KB
MD5: aa844205345473b889f29c47ea2391e6
SHA1: 1b8374f9ae20731558affdf5d0cfca7708ae5a6c
SHA256: 6ef73dae8d41e07be3c56b5a358fe4e306283b8bd7730af5e1571fbaf857120e
SHA512: 1e47ac88c5a544b889b9d2f71a57c1afe82a9fd6aa562efbf697b1a8f72d5c3ad06b76d0dfe72dc967b5ab0b49f51c1f1d739492fb67338e1f2014c8b246da1b
-
C:\Users\Admin\Desktop\LockConnect.mpp.id[9956592F-3483].[[email protected]].8base
Filesize: 297KB
MD5: b5fc135765163d95604715966bfe8b8c
SHA1: 4f26ff9b9e44aebee0308d32e9d42ae2cdbc2abc
SHA256: a8288033214c6a6f50bd0bad0819d9c97f86bab83e82b9d3a7a8a4a812705c20
SHA512: b2a57579de180f390c90317f72bad2f512202582f25eef569f1cf15051af500da6d979bb72a36b76ff58c7140f28e1e22c20b911f1759cc6a041b2bfbb859626
-
C:\Users\Admin\Desktop\MergeSplit.docx.id[9956592F-3483].[[email protected]].8base
Filesize: 196KB
MD5: 3aef2c6775a437de77b7b9851c6ea7be
SHA1: 36452e2683e21a14e67120cf233b46a1d950f189
SHA256: 67c9afe9cd9280b580f85f44575b74e60388632e92e97057a18cf594d0109628
SHA512: fa6a7b0c671b3ea641e1398a53aafa81f1c5d54e0474ef80974951880427095b4a50ee67879c8d95bcf5b4789c4192b2b0077531c4aa2202d5c37126640fb530
-
C:\Users\Admin\Desktop\OutCompress.midi.id[9956592F-3483].[[email protected]].8base
Filesize: 360KB
MD5: d3ca3959b737df357ea15e02205c5259
SHA1: ced7b534f4ae1d7e0665ac0f78aca101e120bc59
SHA256: b500238c2b8d984eb191044f58c22e99a83efdda65d2964c0f9cb6719aba4291
SHA512: 3e210814e2e0a4494d8e91d935add18bc8e3bf0f2d0b7d5656b904acdaa7bd8f30fdfdee65a7d51a3e56db4e6e87163b532201be449e15d0dd9307b472305f5e
-
C:\Users\Admin\Desktop\PublishTest.wmv.id[9956592F-3483].[[email protected]].8base
Filesize: 335KB
MD5: 294efb1e18afa252ab416026dc4deb87
SHA1: 80f02f5f9004d5488eefe6c705d1a80bc0eaff85
SHA256: b9c659d02ef8f6343683a4bc59e45645e250bba5c9230898a7a3b1133970f782
SHA512: 8004a7f5bcbad113558991ae436027a4b50512a4fa660ed018be4abe758412b78f9969528104375df243022264726718910ec04d95cc4d4dd7d005f7d7dcd8cd
-
C:\Users\Admin\Desktop\RedoExit.xltm.id[9956592F-3483].[[email protected]].8base
Filesize: 436KB
MD5: d3c6240ea1a59956e15e3c4024e95eaf
SHA1: 63874965ca14b430943fde022a8ed597a95d561f
SHA256: 7fa14cd75d461878b2f4fc054e5d0da2971a8c5729cf34f3ac81a4be5935e8ef
SHA512: 661b2d300d74a92989c988ea83fe73b060015a39fa5e6a503bee96d5e74d19e72d9a18e695d57087c5ac79f2d1b85dbddd8fa2c87ab8c522d268c0803a45eaf3
-
C:\Users\Admin\Desktop\RenameRevoke.wdp.id[9956592F-3483].[[email protected]].8base
Filesize: 309KB
MD5: a84178182c12e5a22f85f59a66d75d46
SHA1: f36a52164b522ce8b99f24676b90bef3ce7df770
SHA256: 8681e1dfda4d2d6d8f30fb89b933db2cf38604f8d4faa607cde7f9f12148165c
SHA512: f92f0ad8538b5952bfb0b319b87452d71b53db1e956ae82bf9aceff263bb2f35d3b29b12b3447ec69f93bf582a30901dcb546e17f890911766b9c79ccb6ce852
-
C:\Users\Admin\Desktop\RequestMount.wmf.id[9956592F-3483].[[email protected]].8base
Filesize: 373KB
MD5: dcbff5342b7684a48e149f5f2c817a8d
SHA1: d213180f9527846ef299698c8271e07ebc20a728
SHA256: 2024ea4cb69bc36799662c72d0777f210b63424916895defa76e62cf62f076c6
SHA512: 2dc5db4edb63a48220295c9307ec67cfb820e4fc13814791fd252d40cb72c16bdfa2508845cbc6b95a416f22d83ead6d9208597667b0eb697cc01ec2ed138b77
-
C:\Users\Admin\Desktop\SkipResume.bmp.id[9956592F-3483].[[email protected]].8base
Filesize: 272KB
MD5: 69ff1e81cb09161125da0c9995c5dc81
SHA1: 927f9b46535dd5bb1249a3156b345eb417a69646
SHA256: 45c155a9952e3e271e878b89de08d810e79961351e03b9f6f49e03dd2cfb8d14
SHA512: ce596b8f03b29d954dfd5df39def090f7873c698e5a2a5633bb2a474a934192549225322cee5a80154c2746d1cf3c47ac2d4d05c58c4763059d0d15f8507a685
-
C:\Users\Admin\Desktop\UndoDebug.bmp.id[9956592F-3483].[[email protected]].8base
Filesize: 284KB
MD5: bed91e379539888ca0364f1a689f5020
SHA1: 140693d65ee9e7c25bc26ee04140731df0f58eaf
SHA256: c78c285d540aa0d8292587c5d4aea13754d64b33bbed1b407463d93741fbef3f
SHA512: 5b2c8bcdbab1cb46845d478252d0baf38b3b967aa17f971d9651451a1a83a416d88f108110247831c4ea1421a6a758662cafaf2ee6823bc84c627cee02a57fed
-
C:\Users\Admin\Desktop\UnprotectReset.xlt.id[9956592F-3483].[[email protected]].8base
Filesize: 423KB
MD5: eb36d102b1050ac144b4445c3e5ebb25
SHA1: 0753f4ccd3a9a8cd937dcd72958a48c82ae99e93
SHA256: 49a7434f000837cf2385004040269278f2e2deca64bf6d2f1c46058d24330ef4
SHA512: da3dd496c61f3f4db38bec0f5c3dcd4e7bcf79771b27c09cb05ac3d261b7037576b47ce54fb6ff15388b50580178f7a54275fa20c0e9e2ccd1ba0b518947a4b0
-
C:\Users\Admin\Desktop\UnpublishMove.rtf.id[9956592F-3483].[[email protected]].8base
Filesize: 170KB
MD5: 4763a19f233d809f11160b94cc149d00
SHA1: 923c38260deed5375c7981079e3939638db2090b
SHA256: a27f9e6b78adeec34a5e87a6589bbaa56581370f2cb142187274f101c021c413
SHA512: 944d880d24c887d50b8e5e3e07142b8e41ad6b9b14595d6c457187d350ea42400345579727b00bb388c7972fc8a08afa979c707933b0ddd827150203a034091e
-
C:\Users\Admin\Desktop\UseConnect.vb.id[9956592F-3483].[[email protected]].8base
Filesize: 398KB
MD5: 407ed25c4e9330d31a185f21ea079135
SHA1: ebc3b80ef1f8453bcd34c40959a790858e34ac42
SHA256: 3e1012e1c1e10d5da9f9b7489df9d25f5d408aa8299300d31a3783b15a4f332e
SHA512: 36b35cc7e76ad60d10045117bc477d9e25cca5f84293b3d8b4a3756ae541e6ee71fb9f46bfedc83a338d02bbbcbfd384480fe0ed03f70e9b5f2599a64272e712
-
C:\Users\Admin\Desktop\WaitConfirm.jpeg.id[9956592F-3483].[[email protected]].8base
Filesize: 486KB
MD5: ce12fa772cb95d1957bc85f5ae59b147
SHA1: 16f6560d39cb279daaaba2bce24afae75b5d326f
SHA256: 05e742b3ffb589cbb5547ce5b599efe7284d9b53627aa001d291a11811265005
SHA512: e9facbccab694b7d01fe016185ee036078d7c3e766bc5554047a32883113c6965731b07eba21a52c8ab39c53cb8f9ff1cfe5e5f1c0b355955d84191d406f473f
-
C:\Users\Admin\Desktop\WaitMerge.jtx.id[9956592F-3483].[[email protected]].8base
Filesize: 259KB
MD5: 06cbdbc48b3dc2fcb11257ea81cdcf33
SHA1: ffc1f8aa40889a0ee747d7e80031d28b120f9286
SHA256: 9725f9c087b1b4b50fbe66364b6ceb4c96b71fd3d9ccb897e2695b10ca3e4b60
SHA512: 17783bf783e6ab95d7e6320b4b5926d2d3e0a0344e79529d65950de2f73b7a6e067ec7cd6ebfe14b14f2c289cc0072f633d1b37a77839c490048131f20cb2e19
-
C:\Users\Admin\Desktop\WaitMerge.nfo.id[9956592F-3483].[[email protected]].8base
Filesize: 221KB
MD5: a527a1d2c709ad934cad6dd8cc2124bc
SHA1: 41bc72eb7c98985ac8585c89528596b53db79b95
SHA256: 13b3c5181d943686ab629b5157a14785dc6b3f3026a9bd9f4016a05f75e06329
SHA512: fe80f1fead647005e6daa96b896c93302b6179ddc37c60ccd927bddd567150081ec2b82dbcf3a50e328c655afe82f4296caf6380efc5b89403669f56001aa6a0
-
Filesize: 5KB
MD5: acaa5fbc5023fafdc0c5664c088bf920
SHA1: 8083f885004c5eca99887f25e7fa539a0efeb47d
SHA256: 4207bf9180c960e5407aebc5344c7a8fc9b4c7b98da729fcf09182bc21134b7b
SHA512: 0ce2cd0d699e9f69720555aacd2a99dad8e92e5e82d674fbeb480fc2235d29bc125f7d3829770c20a84c11c8e028f11016b6dedd18953cbe7d242e7624b5b177
-
C:\Users\Public\Desktop\Adobe Reader 9.lnk.id[9956592F-3483].[[email protected]].8base
Filesize: 2KB
MD5: c983485903cdc2152ff03c78ebdddf5e
SHA1: 38da7a2800c761c643171f02c8b7e225ccabb0f5
SHA256: 48c198c7ccd03984160f127e62ab84237b0709ea5f290b51cc401da30c84814d
SHA512: 274f844500d1ab7bc9b8078980f737eff965fe28a567089181159a5b69f9e2fb0d9396edc881f6abe97815e28262bd3fcff60947535066e074886a3190ac2306
-
C:\Users\Public\Desktop\Firefox.lnk.id[9956592F-3483].[[email protected]].8base
Filesize: 1KB
MD5: 6cfc68b769016c52e2fd1f824be62ba7
SHA1: cbdc5821726d9bf6b47cf3c548c04298a5d0170d
SHA256: 369c30554bf61f228fb2d7422e302b6555b48d0e746504a018809f50004dbc4c
SHA512: c1fb5e7bec812e725099b74f1df380f17110f8b234b8f15a34d1dea2192421b60e01a76a05b04aa46a5c0ed794b2e852b302eac33438b41355f8d80cb33508d4
-
C:\Users\Public\Desktop\Google Chrome.lnk.id[9956592F-3483].[[email protected]].8base
Filesize: 2KB
MD5: b852e0b3ebda136e88e7e6cd7a39c550
SHA1: 1a0d1f31ca746247930ac1fa85d61a9ec2636ee9
SHA256: 31ac3feca9d56879b5a13df746b55de025747523338f6d386dafb44b3152c9bc
SHA512: 82a8568d00984b725882d3d684c32e0a2b33ca72c6a7df59527da473bfbbc255db8b0e7602abab03828413335213ff4d55215ac67f4b3994b32e83a0d6220e39
-
C:\Users\Public\Desktop\VLC media player.lnk.id[9956592F-3483].[[email protected]].8base
Filesize: 1KB
MD5: e2e7a0c84ffa6a7688fb7ab9f649c255
SHA1: 230cbce8a7a7563fea8349c4fbafd1ff5f0124a1
SHA256: fb4142773c784686b123bcdfba297974556b397e8b2edd181d2fdc56f09cb55f
SHA512: 76e2e46bf98bb910629e2fa598062c1acd50f144eaad031db0e29edc1b4ee2507c5a5eefeea40473e6014673e1ae8168aa20fdaf50c33da0ee8fd711e08a2a2d
-
Filesize: 5KB
MD5: acaa5fbc5023fafdc0c5664c088bf920
SHA1: 8083f885004c5eca99887f25e7fa539a0efeb47d
SHA256: 4207bf9180c960e5407aebc5344c7a8fc9b4c7b98da729fcf09182bc21134b7b
SHA512: 0ce2cd0d699e9f69720555aacd2a99dad8e92e5e82d674fbeb480fc2235d29bc125f7d3829770c20a84c11c8e028f11016b6dedd18953cbe7d242e7624b5b177
-
Filesize: 896KB
MD5: 7b4f90ff07d0fa2e763fd680b1e963c9
SHA1: 47f1d9453dd31b2467f3f11580fba975ed69246d
SHA256: 5228ff83506f82456b550462d53e68f7bc82b793d99c167b6674d853aa6b68b0
SHA512: 5385fb7df409be3214a1de1b565694ed6e3491ff0f066709084673cc2975560895ab473dfc8a35ec25be999ea32abbc21c7732b99fa51792103f1e05f1e1ea9b
-
Filesize: 266KB
MD5: 7f2d5ebcb37be6c2508ec993a1efe306
SHA1: 51d9e4348c84c5903c022d291d187ed5f95c8c0e
SHA256: 0c0bdd6f7e780b5bde33342e142af12d0d3b2ae40e6d5ab48a4fde3e32751a75
SHA512: 7b4e2609dd6172b94f6263dc225c199782aba83a102721de84c6a0d0597c55c345d2dcde9e73b5247801d7f078913172662ab858727c5646a4e7911b24643c5a
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 435KB
MD5: 23588d1443006c07e9a91c838cfceae6
SHA1: 4d57bad257ba01d981986ba79635c5069b7325d5
SHA256: c601117ab09f58d2138630b2bff84ea1bbc2555aaa7e3e4633338924f1516450
SHA512: ca085a3f228e30d1c273d6970dc132a2a754ae1ba983f70dc2b272055f5634dd720f956558f0bc18dbe8441706b7c67cac619113f95c557d5239e27839b525c1
-
Filesize: 798KB
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize: 798KB
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
