ammyyadmin | fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b

Analysis

max time kernel
111s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20-09-2023 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a94bfa09b99674b406eefa0fc0f8c5e.exe
Size

508KB
MD5

4a94bfa09b99674b406eefa0fc0f8c5e
SHA1

583055372661a2a359586a3fc2cdbaecc951659c
SHA256

fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b
SHA512

6463035915777cb01b89863eaee6ffe14ea211ac3640f1a6c8bc78f2d2b3692fdee3ff427cd4e5dad6591900f62b6eeba80abe434ff23d2402f2f401fe5e0dec
SSDEEP

12288:EndeNz+MiYZmsSOgetN5ONjUrhGkOjkLtxOqaF5:EnYNzECS4N5ONjUdGR6POHf

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor collection evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Extracted

Path

C:\Users\Public\Desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message A1EE4869-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>A1EE4869-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe	family_ammyyadmin
\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe	family_ammyyadmin
\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1764-22-0x00000000020A0000-0x00000000024A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1764-24-0x00000000020A0000-0x00000000024A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1764-23-0x00000000020A0000-0x00000000024A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1764-25-0x00000000020A0000-0x00000000024A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1764-36-0x00000000020A0000-0x00000000024A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1764-38-0x00000000020A0000-0x00000000024A0000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

4a94bfa09b99674b406eefa0fc0f8c5e.exe

description pid process target process

PID 1764 created 1200 1764 4a94bfa09b99674b406eefa0fc0f8c5e.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3028 bcdedit.exe
1604 bcdedit.exe
2600 bcdedit.exe
2632 bcdedit.exe
Renames multiple (306) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1668 wbadmin.exe
1488 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

1576 netsh.exe
2800 netsh.exe
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2524 certreq.exe

description	pid	process	target process
PID 1764 created 1200	1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe	Explorer.EXE

pid	process
3028	bcdedit.exe
1604	bcdedit.exe
2600	bcdedit.exe
2632	bcdedit.exe

pid	process
1668	wbadmin.exe
1488	wbadmin.exe

pid	process
1576	netsh.exe
2800	netsh.exe

pid	process
2524	certreq.exe

Drops startup file 3 IoCs

Processes:

l4DTmqz{4W.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\l4DTmqz{4W.exe	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	l4DTmqz{4W.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe

Executes dropped EXE 7 IoCs

Processes:

l4DTmqz{4W.exe144QX9s.exel4DTmqz{4W.exel4DTmqz{4W.exe144QX9s.exel4DTmqz{4W.exel4DTmqz{4W.exe

pid process

748 l4DTmqz{4W.exe
2804 144QX9s.exe
2848 l4DTmqz{4W.exe
2696 l4DTmqz{4W.exe
1932 144QX9s.exe
1988 l4DTmqz{4W.exe
980 l4DTmqz{4W.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
748	l4DTmqz{4W.exe
2804	144QX9s.exe
2848	l4DTmqz{4W.exe
2696	l4DTmqz{4W.exe
1932	144QX9s.exe
1988	l4DTmqz{4W.exe
980	l4DTmqz{4W.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

l4DTmqz{4W.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l4DTmqz{4W = "C:\\Users\\Admin\\AppData\\Local\\l4DTmqz{4W.exe"	l4DTmqz{4W.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\l4DTmqz{4W = "C:\\Users\\Admin\\AppData\\Local\\l4DTmqz{4W.exe"	l4DTmqz{4W.exe

Drops desktop.ini file(s) 57 IoCs

Processes:

l4DTmqz{4W.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2F3386PL\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OXRRPXTH\desktop.ini	l4DTmqz{4W.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PNLMEYHC\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZM14P5Y5\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2TCNB3QR\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY0EDUNO\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\87U71MEJ\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8VE3RER5\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	l4DTmqz{4W.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	l4DTmqz{4W.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4a94bfa09b99674b406eefa0fc0f8c5e.exel4DTmqz{4W.exe144QX9s.exel4DTmqz{4W.exe

description	pid	process	target process
PID 2188 set thread context of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 748 set thread context of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 2804 set thread context of 1932	2804	144QX9s.exe	144QX9s.exe
PID 1988 set thread context of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe

Drops file in Program Files directory 64 IoCs

Processes:

l4DTmqz{4W.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll	l4DTmqz{4W.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153095.WMF.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_choosecolor.gif	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152884.WMF.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPACE_01.MID	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXT.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	l4DTmqz{4W.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sv.dll.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205582.WMF.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OARTCONV.DLL.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.ELM	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10302_.GIF.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ENVELOPR.DLL.IDX_DLL	l4DTmqz{4W.exe
File created	C:\Program Files\7-Zip\7z.exe.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\7-Zip\7zG.exe.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLL	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACWIZRC.DLL.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195320.WMF.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Sitka.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\promointl.dll.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\FONTSCHM.INI	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll	l4DTmqz{4W.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.DPV	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\WMPDMC.exe.mui	l4DTmqz{4W.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui	l4DTmqz{4W.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.id[A1EE4869-3483].[[email protected]].8base	l4DTmqz{4W.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF	l4DTmqz{4W.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

144QX9s.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	144QX9s.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	144QX9s.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	144QX9s.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1832 vssadmin.exe
1764 vssadmin.exe

pid	process
1832	vssadmin.exe
1764	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4a94bfa09b99674b406eefa0fc0f8c5e.exe4a94bfa09b99674b406eefa0fc0f8c5e.execertreq.exel4DTmqz{4W.exe144QX9s.exe144QX9s.exeExplorer.EXEl4DTmqz{4W.exel4DTmqz{4W.exe

pid	process
2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe
2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe
1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe
1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe
1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe
1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe
2524	certreq.exe
2524	certreq.exe
2524	certreq.exe
2524	certreq.exe
748	l4DTmqz{4W.exe
748	l4DTmqz{4W.exe
748	l4DTmqz{4W.exe
2804	144QX9s.exe
1932	144QX9s.exe
1932	144QX9s.exe
1200	Explorer.EXE
1988	l4DTmqz{4W.exe
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
2696	l4DTmqz{4W.exe
1200	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

Suspicious behavior: MapViewOfSection 11 IoCs

Processes:

144QX9s.exeExplorer.EXE

pid	process
1932	144QX9s.exe
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

4a94bfa09b99674b406eefa0fc0f8c5e.exel4DTmqz{4W.exe144QX9s.exel4DTmqz{4W.exel4DTmqz{4W.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe
Token: SeDebugPrivilege	748	l4DTmqz{4W.exe
Token: SeDebugPrivilege	2804	144QX9s.exe
Token: SeDebugPrivilege	1988	l4DTmqz{4W.exe
Token: SeDebugPrivilege	2696	l4DTmqz{4W.exe
Token: SeBackupPrivilege	2084	vssvc.exe
Token: SeRestorePrivilege	2084	vssvc.exe
Token: SeAuditPrivilege	2084	vssvc.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: SeBackupPrivilege	892	wbengine.exe
Token: SeRestorePrivilege	892	wbengine.exe
Token: SeSecurityPrivilege	892	wbengine.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a94bfa09b99674b406eefa0fc0f8c5e.exe4a94bfa09b99674b406eefa0fc0f8c5e.exel4DTmqz{4W.exe144QX9s.exel4DTmqz{4W.exel4DTmqz{4W.execmd.execmd.exe

description	pid	process	target process
PID 2188 wrote to memory of 2588	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 2588	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 2588	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 2588	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 2188 wrote to memory of 1764	2188	4a94bfa09b99674b406eefa0fc0f8c5e.exe	4a94bfa09b99674b406eefa0fc0f8c5e.exe
PID 1764 wrote to memory of 2524	1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe	certreq.exe
PID 1764 wrote to memory of 2524	1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe	certreq.exe
PID 1764 wrote to memory of 2524	1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe	certreq.exe
PID 1764 wrote to memory of 2524	1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe	certreq.exe
PID 1764 wrote to memory of 2524	1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe	certreq.exe
PID 1764 wrote to memory of 2524	1764	4a94bfa09b99674b406eefa0fc0f8c5e.exe	certreq.exe
PID 748 wrote to memory of 2848	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2848	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2848	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2848	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 2804 wrote to memory of 1932	2804	144QX9s.exe	144QX9s.exe
PID 2804 wrote to memory of 1932	2804	144QX9s.exe	144QX9s.exe
PID 2804 wrote to memory of 1932	2804	144QX9s.exe	144QX9s.exe
PID 2804 wrote to memory of 1932	2804	144QX9s.exe	144QX9s.exe
PID 748 wrote to memory of 2696	748	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 2804 wrote to memory of 1932	2804	144QX9s.exe	144QX9s.exe
PID 2804 wrote to memory of 1932	2804	144QX9s.exe	144QX9s.exe
PID 2804 wrote to memory of 1932	2804	144QX9s.exe	144QX9s.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 1988 wrote to memory of 980	1988	l4DTmqz{4W.exe	l4DTmqz{4W.exe
PID 2696 wrote to memory of 756	2696	l4DTmqz{4W.exe	cmd.exe
PID 2696 wrote to memory of 756	2696	l4DTmqz{4W.exe	cmd.exe
PID 2696 wrote to memory of 756	2696	l4DTmqz{4W.exe	cmd.exe
PID 2696 wrote to memory of 756	2696	l4DTmqz{4W.exe	cmd.exe
PID 2696 wrote to memory of 1976	2696	l4DTmqz{4W.exe	cmd.exe
PID 2696 wrote to memory of 1976	2696	l4DTmqz{4W.exe	cmd.exe
PID 2696 wrote to memory of 1976	2696	l4DTmqz{4W.exe	cmd.exe
PID 2696 wrote to memory of 1976	2696	l4DTmqz{4W.exe	cmd.exe
PID 756 wrote to memory of 1576	756	cmd.exe	netsh.exe
PID 756 wrote to memory of 1576	756	cmd.exe	netsh.exe
PID 756 wrote to memory of 1576	756	cmd.exe	netsh.exe
PID 1976 wrote to memory of 1832	1976	cmd.exe	vssadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Users\Admin\AppData\Local\Temp\4a94bfa09b99674b406eefa0fc0f8c5e.exe
"C:\Users\Admin\AppData\Local\Temp\4a94bfa09b99674b406eefa0fc0f8c5e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\4a94bfa09b99674b406eefa0fc0f8c5e.exe
C:\Users\Admin\AppData\Local\Temp\4a94bfa09b99674b406eefa0fc0f8c5e.exe
3⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\4a94bfa09b99674b406eefa0fc0f8c5e.exe
C:\Users\Admin\AppData\Local\Temp\4a94bfa09b99674b406eefa0fc0f8c5e.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2848

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3044

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2544

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:864

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2500

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2476

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe -debug
3⤵
PID:1248

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:2736

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\478B.tmp\aa_nts.dll",run
4⤵
PID:2424

C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
"C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
"C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
4⤵
- Executes dropped EXE
PID:980

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:1576

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:2800

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1832

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:3028

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1604

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1668

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
3⤵
PID:1376

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
3⤵
PID:2972

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
3⤵
PID:2752

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
3⤵
PID:1304

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1612

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1764

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:2824

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2600

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2632

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1488

C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Local\Microsoft\144QX9s.exe
"C:\Users\Admin\AppData\Local\Microsoft\144QX9s.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Microsoft\144QX9s.exe
C:\Users\Admin\AppData\Local\Microsoft\144QX9s.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A1EE4869-3483].[[email protected]].8base
Filesize
143.1MB

MD5
dbce6cd0779870cf5c3c75050383cba9

SHA1
c364a12c964654292ab0948a444919777d408c96

SHA256
1f2a8e2afddc51d470036ddde9c08cfeb95de1d0216f29e408431853f81a01fb

SHA512
06fbd09dc5ed0dec9c5ebe828fac76f4bd230ffccd6cd5933f96183886608bff92dadd8b2b990671b3f730bb39e8af53e9c7728f04f57e90e963af8b5c4cc720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
108c76248e75ae671a0973addc2bf2f2

SHA1
4b616c040a8f6b21d9a47a0fd815edbad5e3e330

SHA256
560dfa82bcfcbee5a6455bd73f297a4ba7bb0ae4ca93723f981b617652fb1bde

SHA512
960be07d43aece6cb848f33ceac0c27285f60b49ddb0796918a33f8d77bd443b9286792f9e526e00a5e340139da318a1d5278712a5bb7ac18db6adc93b8a3a10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
bde95da4e865d6ff9bed1771e1aed4ca

SHA1
95eecc737f654872913b980bdcdd901cac83aa1f

SHA256
41098c56b6a526fa7dd7aa1b434b2bd46d38daa5ce1d410603fa1bba124d91e6

SHA512
ba80139b4341e22e198b909691ab09bfdde6bfe5b6671be52ed073cdedb00ad929a32d2ce7a9ff51e15eff239360856c0c330db55f54c8cc0c2b6aa4dd726650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\144QX9s.exe
Filesize
296KB

MD5
a4d5cb9bca2d05b1dee2faff0eddae20

SHA1
8d8dade29177d6c5b69b9f4afe6cb0527ac1cf81

SHA256
de12fc947954ab72028cdac54b5455daf449fa27c975d9e431ad87ed4c413a79

SHA512
b0cd3a6589d6f726b99a0796d99a923ee1fc0f2504374af363706857b48c4d926023aa762fd299b7a566c75369f736297b8caad499ad599ad0d2f464ce9002a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\144QX9s.exe
Filesize
296KB

MD5
a4d5cb9bca2d05b1dee2faff0eddae20

SHA1
8d8dade29177d6c5b69b9f4afe6cb0527ac1cf81

SHA256
de12fc947954ab72028cdac54b5455daf449fa27c975d9e431ad87ed4c413a79

SHA512
b0cd3a6589d6f726b99a0796d99a923ee1fc0f2504374af363706857b48c4d926023aa762fd299b7a566c75369f736297b8caad499ad599ad0d2f464ce9002a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\144QX9s.exe
Filesize
296KB

MD5
a4d5cb9bca2d05b1dee2faff0eddae20

SHA1
8d8dade29177d6c5b69b9f4afe6cb0527ac1cf81

SHA256
de12fc947954ab72028cdac54b5455daf449fa27c975d9e431ad87ed4c413a79

SHA512
b0cd3a6589d6f726b99a0796d99a923ee1fc0f2504374af363706857b48c4d926023aa762fd299b7a566c75369f736297b8caad499ad599ad0d2f464ce9002a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
Filesize
307KB

MD5
6ed7b74cc62ec5c085f97373348d5bc0

SHA1
279b8f4f87be08afa2debe4b1c11a4b0738eefcf

SHA256
2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a

SHA512
417975b9ea6ed0fb9971e1ac4338cf9b2929ba0800345f7bc51207bb4addb90a55bf81819c129061c54dfdb29d14a6603955c81e46b6831a1cc9666ce5b239a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
Filesize
307KB

MD5
6ed7b74cc62ec5c085f97373348d5bc0

SHA1
279b8f4f87be08afa2debe4b1c11a4b0738eefcf

SHA256
2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a

SHA512
417975b9ea6ed0fb9971e1ac4338cf9b2929ba0800345f7bc51207bb4addb90a55bf81819c129061c54dfdb29d14a6603955c81e46b6831a1cc9666ce5b239a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
Filesize
307KB

MD5
6ed7b74cc62ec5c085f97373348d5bc0

SHA1
279b8f4f87be08afa2debe4b1c11a4b0738eefcf

SHA256
2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a

SHA512
417975b9ea6ed0fb9971e1ac4338cf9b2929ba0800345f7bc51207bb4addb90a55bf81819c129061c54dfdb29d14a6603955c81e46b6831a1cc9666ce5b239a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
Filesize
307KB

MD5
6ed7b74cc62ec5c085f97373348d5bc0

SHA1
279b8f4f87be08afa2debe4b1c11a4b0738eefcf

SHA256
2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a

SHA512
417975b9ea6ed0fb9971e1ac4338cf9b2929ba0800345f7bc51207bb4addb90a55bf81819c129061c54dfdb29d14a6603955c81e46b6831a1cc9666ce5b239a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
Filesize
307KB

MD5
6ed7b74cc62ec5c085f97373348d5bc0

SHA1
279b8f4f87be08afa2debe4b1c11a4b0738eefcf

SHA256
2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a

SHA512
417975b9ea6ed0fb9971e1ac4338cf9b2929ba0800345f7bc51207bb4addb90a55bf81819c129061c54dfdb29d14a6603955c81e46b6831a1cc9666ce5b239a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\l4DTmqz{4W.exe
Filesize
307KB

MD5
6ed7b74cc62ec5c085f97373348d5bc0

SHA1
279b8f4f87be08afa2debe4b1c11a4b0738eefcf

SHA256
2a270618cf65fcfb6476269b7c7bdbae84552d15a3da3e8907425e20ace4548a

SHA512
417975b9ea6ed0fb9971e1ac4338cf9b2929ba0800345f7bc51207bb4addb90a55bf81819c129061c54dfdb29d14a6603955c81e46b6831a1cc9666ce5b239a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\478B.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\478B.tmp\aa_nts.msg
Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar968A.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrara2q.default-release\cookies.sqlite.id[A1EE4869-3483].[[email protected]].8base
Filesize
96KB

MD5
fe4db74287e8f4866c4e7c3600f5ee35

SHA1
c7b184ec72b998aae1c0c90e87f53bef88a8b589

SHA256
e364ad91a5477ccef6e83b98cf2ceef17109891c537bcbd852ced351c6a3e4ea

SHA512
640a86dab0911f197dee112a2d2e6c39de1ce033fb77b30f0c3295936da5505de2c3ce86240cb1e799de7e76f15dedcfc1518f7701f269ea88f29d12466f76e0

Download Submit
C:\Users\Admin\AppData\Roaming\adrbvve
Filesize
296KB

MD5
a4d5cb9bca2d05b1dee2faff0eddae20

SHA1
8d8dade29177d6c5b69b9f4afe6cb0527ac1cf81

SHA256
de12fc947954ab72028cdac54b5455daf449fa27c975d9e431ad87ed4c413a79

SHA512
b0cd3a6589d6f726b99a0796d99a923ee1fc0f2504374af363706857b48c4d926023aa762fd299b7a566c75369f736297b8caad499ad599ad0d2f464ce9002a6

Download Submit
C:\Users\Admin\AppData\Roaming\fdvusga
Filesize
438KB

MD5
988027a5bb564cff855145a254420e7e

SHA1
e316075075e446162661c66dca8bfdaf92290f38

SHA256
973a6ee6c4f9533f298f41458e66a6462384bf2d9363bec2e462a8b076e49b5d

SHA512
d4e5c1acd8c905065c3d029472a7cf2747fe137d2397bcf4e7f7ea6a85f441f643dfc2606ba9ed21b5b54913f90c3d8d54ad959dcb72ead92278b0550b8d6ea0

Download Submit
C:\Users\Admin\Desktop\ApproveWatch.wdp.id[A1EE4869-3483].[[email protected]].8base
Filesize
188KB

MD5
a30a34d72d9aae8298db56d89995c338

SHA1
c4b8a9df1dd2ef1f47e3ae924cffb5c771b4abfe

SHA256
21821a3b92ad8a7d5048e1ab4e8df1b6bca6c66224ec2ef239643fbadaf0d392

SHA512
0544f8bed2444367b8110bfb102793b74259119dddfc5a93aef46bce54d5ce02c516a1c7405a78570840fab88a52516a5d66a1350bebbd71f2506fa3bd51ebe8

Download Submit
C:\Users\Admin\Desktop\ClearConvertTo.vst.id[A1EE4869-3483].[[email protected]].8base
Filesize
225KB

MD5
c741793def722131d86331245240b808

SHA1
1b0578a3dc745b549d311a57d82d3889af2f8806

SHA256
16dcaa5917ee48ff4e0a6b43a743d88531c91266b351150a5a31e3f280d66ee0

SHA512
4810ba252900de3466e85aeb50b4669a02185a25e47686dcbf46eda506b0ef1955e554f4c33e4fa09b44ec9fc26e90b1ea9db71ea84c2daada43f2be4190f827

Download Submit
C:\Users\Admin\Desktop\ClearEdit.wpl.id[A1EE4869-3483].[[email protected]].8base
Filesize
505KB

MD5
1e48c890946ab0e631cae7dfd8e0c043

SHA1
f3b0915f3615b801218b04cbdb80b7d16ba5878e

SHA256
1cefdaf14b384c077c3418a9221526c7dfdc264b08b810b9d669e9108fd7f197

SHA512
c732b6e937a47056e9a044b8708631ec15a058770fc01832dc6ca4b161819b07edaee4a28aff1947d8c0f6d02ef934a551d45ef97e7ea51114b71c888888f5d2

Download Submit
C:\Users\Admin\Desktop\DenyEnter.docx.id[A1EE4869-3483].[[email protected]].8base
Filesize
298KB

MD5
c72c7ef0910b75a2b0c3e8d22842c749

SHA1
352ff70812f4e540d5b04a8eeabc1026803819cc

SHA256
85e1abf16d96e8d6ac5590a58fad842791e1b47c572f7bcece3a10074bbd4a37

SHA512
2470b0141506ee164d8925a11b18ab65f2008ece30269822d797eb8c6266d628826ac0de7139aae74a4740fcc4958205e00df3490b74c3a17f28e73ccaf55071

Download Submit
C:\Users\Admin\Desktop\DisconnectCheckpoint.pps.id[A1EE4869-3483].[[email protected]].8base
Filesize
432KB

MD5
4fbb76d34ed0edeeb526334cc3fcb87e

SHA1
3dac1a5815a4c96aa56a60a460e5c538bc129244

SHA256
cd4f8f2e34ecb657f597eb4400b97b511c2aa8455336f45a09616fc51400adf9

SHA512
02056626183a725a751709a11cfce044e94728f81213878efcd224e8e3d4743951acb8cf9b717d061fc3f9baa65c6c1fb98b955ab2080b732c2959b571b91975

Download Submit
C:\Users\Admin\Desktop\EnterInstall.js.id[A1EE4869-3483].[[email protected]].8base
Filesize
286KB

MD5
333ab36b1497932ad1c7fb3c8c0af2c7

SHA1
88289f0099330af22e961f4eecbccf9aa00cc24f

SHA256
a454d4b48a3ec5113bc6f1c5c1978813c4fdbb030f060b6e45460790386ea3ed

SHA512
ded01235128f33a37d243658dbd46b41aa37058ec55729a667d8c8284bb0084a865eaed91774c96734209783b9126c37f003a9d9889038cfe3808c0412fe911b

Download Submit
C:\Users\Admin\Desktop\ExportWrite.shtml.id[A1EE4869-3483].[[email protected]].8base
Filesize
237KB

MD5
b467e5f241aa5ec6683f5b973d528fed

SHA1
062ffbe2122cfdbf338da1238af7bc78e873b035

SHA256
4b5c823e84071620084d1710d4dbb4e11fc6eb7f157dc6f977ffaf60238bce1b

SHA512
c525536c5a39e6feab0d88bb932e65bc99744547ccfc4623126aac1134cc6f246a9593b6b5c499c568c55d5b0ff18a954488df4dff685f5bcc3c96d6ee12bfd7

Download Submit
C:\Users\Admin\Desktop\GetBlock.aifc.id[A1EE4869-3483].[[email protected]].8base
Filesize
322KB

MD5
b6ef84406347b238ab96311354c48598

SHA1
21010ca6ba3d608f3c518ab0a2b3672fd99721b2

SHA256
4254ed40f9fceccaee629ad7b343468931646a0a8ab87936dea784df5b755e19

SHA512
6bd1f4b3ec659f66699eb7e9013a9e81b11845e58210c2a5c942eaf571fac614f67befa157761387ccd94a5a99766a5648b88882500c3fd63895b9549c857137

Download Submit
C:\Users\Admin\Desktop\GrantOut.otf.id[A1EE4869-3483].[[email protected]].8base
Filesize
201KB

MD5
16c3f040a11c195de7d455fee64cb12f

SHA1
d005d4301569120e6408237bff32b7a91de23c85

SHA256
73010f9d4378310de919cc4ba52bd95976430ac65d3c561b9c900f75821655cf

SHA512
26b7be6a88b7af11ffddd3b9ac79379e4ff68026658ad2f9fb76e9b96349a1da33f6c1559b5281a729d41638fa329cbb09d5817b70ba2aa17401923e006b6370

Download Submit
C:\Users\Admin\Desktop\InitializeDebug.rar.id[A1EE4869-3483].[[email protected]].8base
Filesize
408KB

MD5
b80cee422fddee56d94cfe80eaeea2cb

SHA1
af1df3c36d1e2dce1e03194eda7a92df28f26ad4

SHA256
0dc6fec06079e9c1cb7047e0cc3de6f44ca8b268386c645d35ab6a4d81c24d05

SHA512
f559be89b8b5d7eecbe51dde8a68e7ee7446d7dc741a82dddb6993aea089b44f891d8f9f388827cb8e81fd7b80d93416fc038526578903001055fa65ff744118

Download Submit
C:\Users\Admin\Desktop\MountHide.MTS.id[A1EE4869-3483].[[email protected]].8base
Filesize
694KB

MD5
df825fbb6560355551a8ee871306a8c7

SHA1
6cc531d73f385b26680af37131a2e4beb0816cdc

SHA256
7cc6ce2720f3a0466e3eb93d1abd29b3e469b124fa8af3b0e68e84048366fb10

SHA512
69d82143a67b57a9449f14364b17e6c6ce2b73d5af3cec43546ab36e996217d46ef1f91901fcda04f09bd2f72966b36a974ee368439fdc9fb81a80f9bcf4eae7

Download Submit
C:\Users\Admin\Desktop\PingRestore.mov.id[A1EE4869-3483].[[email protected]].8base
Filesize
274KB

MD5
a6e51d999dd0ef852fd4609d2dcb2fba

SHA1
098e0b5633222bf824a13baf17211c7ad3a523ec

SHA256
27157502b5776bc6a1d09d7a3f62082a7778326b45917a9b5a860eb0ccb130a8

SHA512
ba639564b3278be73df2d419c4236436d169c472dfb620bb8c2e705631a862179bae9dd1a1837a3e75a0af8a98f858fadb7f987e489a2fad52156a2d8a282544

Download Submit
C:\Users\Admin\Desktop\PopReceive.wax.id[A1EE4869-3483].[[email protected]].8base
Filesize
176KB

MD5
09776aa24bc1a7102a5f69ff99bb2478

SHA1
5a5aca358b9bce9d0e6248c2e6ec6dd1ad03f05a

SHA256
9e3b5646746ddccce96a62ff3d9a1d0b2f72186f885e25e53d2a17bcb5746f0e

SHA512
3e1002da20171f39f308fdd7d6f6d26475b2ffa808e5b2acf48817778a7d5f607d9c8ea358049f0d64721ff83650686eaca949f403d69640b14e10c4adbe171a

Download Submit
C:\Users\Admin\Desktop\PopStart.midi.id[A1EE4869-3483].[[email protected]].8base
Filesize
395KB

MD5
b4cececf7b9c136c5134d4c037b9b292

SHA1
2a4019443bc5777f4bad63f12bcb3965b638b1f2

SHA256
72fdec8f7d6559bd0d34af2148e413ba566e6b4cd7134e6df0f0b849c63acecd

SHA512
e2e35c045c9159102b8b36b4d454904350d10bf40475236bbff8e5c09eef074cd8403b072d3b0e00d428d5414cdcf34e205a4af04b4674d6ac6255314c4744c7

Download Submit
C:\Users\Admin\Desktop\PublishUpdate.jtx.id[A1EE4869-3483].[[email protected]].8base
Filesize
262KB

MD5
5a59729b9348d80d02659f7f44dab85a

SHA1
9b98b9246bcaec772bc73a370674960fb4d5b682

SHA256
c18c8bf4ea1ad25fc8663e924a0d9fd776dccb800edffbe77dae929fbec885da

SHA512
c82a227293c8e801873227221378b4261689ed6acffebfee3e31fb5d6a58791064c2f16edd5923b5eca36781eef78d6e47446d42f1df437f98cf0efba950776c

Download Submit
C:\Users\Admin\Desktop\ReadLimit.rar.id[A1EE4869-3483].[[email protected]].8base
Filesize
359KB

MD5
43fefdedf1fa9769a4afcfe57dbfc852

SHA1
9bc387be60e5170a59366c1e2450d0d1f8a74388

SHA256
bfded70fc72e4017ea5e16ada413bf2b82cca68288ce8a664912790ab08e62d4

SHA512
62869927a2fc9ce61ea493fb00990e1c487f39f1f43bc24c2dc8d1b6be6a3d9cb2074f83b4bd25364adf49362c25ae6e26914d5ce5934de2ad10f51ca510da59

Download Submit
C:\Users\Admin\Desktop\RedoRepair.dwfx.id[A1EE4869-3483].[[email protected]].8base
Filesize
310KB

MD5
60fcf8a1645e99f5acf61c2dcb307118

SHA1
c0f20d9092155a80d610376a3160eb2af4bf0ba6

SHA256
b1537f412a47f6ff428ed9e02dd4a4f94d2f203f88de684d43488ed409c3dd23

SHA512
cda3a7253652c488154859c8f73dd406d4f02593880cf95c618a2f0b679202168e3d58836de9af7aa5510d20799a402645f77190e15c2c2d402ac886c0032b4b

Download Submit
C:\Users\Admin\Desktop\RepairProtect.docx.id[A1EE4869-3483].[[email protected]].8base
Filesize
456KB

MD5
fe04ed7660de9ae78c0510daf402b2f3

SHA1
059016ebbac9df3fa73f804fffd49c080d8a86be

SHA256
98fd54c006828190962035ca6d5d3f40d02c588df4b08a0e5bd5b4eece38419c

SHA512
ec3984c4c295f061c44f1da00e5e0036842ce885ec971de55c26f4e3f2028e4908e98f5cf8799a17704dbe0b36c349417ebe734a8ab0d496ff1f9185588c8100

Download Submit
C:\Users\Admin\Desktop\RepairSelect.mp3.id[A1EE4869-3483].[[email protected]].8base
Filesize
347KB

MD5
8e2dd9cdb787efdc8d2bd0139947d89c

SHA1
670ffc134aefececb6e4af84136e49d2ae68a12b

SHA256
5941762e9cc14f120135ff297c838168c9d471760442ae98b36a5df434a6cebd

SHA512
aae324eaac4e3a99d0cd253e1f69c62209fb71caeb850ec614115b10265e9c7b296d7795201dc568a9d7d8cecc62aa25742becceb95101a93afa788b0b255775

Download Submit
C:\Users\Admin\Desktop\ResetConnect.png.id[A1EE4869-3483].[[email protected]].8base
Filesize
371KB

MD5
f61b191ce5fcd0a60d6c3ee6fa0f62ac

SHA1
63a0ba45888d03cf6376143f7f567a0ce3ff7686

SHA256
f5d90f589e644e1568d3626d17d56b0cb6f8950b536f44d5a839b4c3434f2c6d

SHA512
0f5fb60deeb7c65db258239590dde90c9850857aea06eefce5dbd7cc4434e3758b3671f7b6cd7f227f08bfc149132b5c92c643680af26192aeb088770cd9d323

Download Submit
C:\Users\Admin\Desktop\RestorePublish.ogg.id[A1EE4869-3483].[[email protected]].8base
Filesize
249KB

MD5
bdd514e62c26a3729d637007ce6ac042

SHA1
d57d0aa2679555a60dacd8843e159cc23fb01e64

SHA256
7b888ced0d0cb1a1146479abc515000c4fa44275c25f6accf1594d68265fb53d

SHA512
8d8c0bbc55bc56797296a40d791c37a4e465bd400986df9754ff015ccde351a227a360d4de53572fbe19d013a2a8b71df3bfad107a63ff0dde98e21f17ac9c9c

Download Submit
C:\Users\Admin\Desktop\SelectOut.jpeg.id[A1EE4869-3483].[[email protected]].8base
Filesize
444KB

MD5
358fcf4b271dfa85deadb77a4f9affb3

SHA1
09d04b9eff3c5a28ed893ccff73604a4b3659844

SHA256
868e9e889b0897138b410844d46c4cc2ca065a1645ea4d9e2fcb8111fc4f231e

SHA512
692bbde367784a4fc8b5f1c360c1084a2ee2c809948c3b264938c7d19547d4d40f0afe49b78757c14f9ed2489f782dda776dd4050dcae272e10c7b9cca491b26

Download Submit
C:\Users\Admin\Desktop\SendUnregister.TTS.id[A1EE4869-3483].[[email protected]].8base
Filesize
481KB

MD5
92aa1a51cb1f1294bcb81ae7ff335651

SHA1
740e773d1ba409dfd901b38783debfb597b77b55

SHA256
4e401083cc8528c6bff81a27a743b484af88b38a16b19b1eb23515e4b6d44270

SHA512
c5c976e801e6f0dc81f686c0bea22d599ad55e49366781490d2656da5a19e54ff44a1d58c7f6eda479b8f9f04f14ebf61c6325f29021fcd56593b93b9d725a75

Download Submit
C:\Users\Admin\Desktop\UninstallDismount.rtf.id[A1EE4869-3483].[[email protected]].8base
Filesize
469KB

MD5
30f674530e5f1fecc971ccb363ace4e8

SHA1
c0b395dcc8e00b39039c92c58fe51f501e90a187

SHA256
a5c06294e51e9954db9ea7c61457a4084ab9f8e3f68cb1d9db573e0bbb5eea07

SHA512
ec0bdbf26ebd0c4785892511d31d462ecd2ee64978228ede4ad06920eeb1ef4a61cf6e913ea20bc5aabd0a7109f3959a80711c0e77c93b8d475eea86beb13d6a

Download Submit
C:\Users\Admin\Desktop\UninstallSearch.tif.id[A1EE4869-3483].[[email protected]].8base
Filesize
213KB

MD5
0d16ef62f8f00e879d0828b348fe0dfc

SHA1
c1dd99a40452e21a16bdd3006acbb6b224150421

SHA256
530baf033106c048081fa3b6446a7354057cfb6ec16b6e984e9183a31d9bb603

SHA512
9e2a8d4161e6021ba2356fec3256ceac9754b769b23e7ad242862276383a833ea06999da62a099e92345c032e28b412d6a511ef69c6828530bf460c0d422778b

Download Submit
C:\Users\Admin\Desktop\UninstallStep.clr.id[A1EE4869-3483].[[email protected]].8base
Filesize
420KB

MD5
378b048722211c833178b40d56f0e04a

SHA1
4ec53e7829cffa6272208eb7d3687057904036ed

SHA256
7b9e781202ed8ee5c9ebea57db52a241578dd10c91dab8719252b70f1532988a

SHA512
9d91935803914d18834f16ae216128410f39a78f9c84c68b4f5d91459de90840babd89e852f6d317b217761adc784e0876232120dc193920925e0fba9a2ec149

Download Submit
C:\Users\Admin\Desktop\UninstallWatch.clr.id[A1EE4869-3483].[[email protected]].8base
Filesize
493KB

MD5
da76d548b44d3601c9be4b1637c54b61

SHA1
e32ad615ce27fd7b9725bbb0410c517fc7e74187

SHA256
c85736efaaec003b37ea42ebc7755afa7e5682bcd03891e03f3c44314e592ecf

SHA512
95d732ab97ec65bccc28eaf588c2c04f5e494447eb300038a618ea12a6e198a16ebdc58cbed3cfe034db2576bef39e619f88f96c217d326aeebcd72afa69f478

Download Submit
C:\Users\Admin\Desktop\UseShow.3gp.id[A1EE4869-3483].[[email protected]].8base
Filesize
383KB

MD5
78e87c901fd92b6f489aef05d21e6913

SHA1
7ea9cd79d7dcd213621202c7604467c22db3a826

SHA256
d975816266aa546465e00f047679db8584686500d974bd811f27c6f193a9713c

SHA512
1c9eb22e4db9ff5782a84ce0ba0a5ae4d4936f824c759b7b04842a6658dcf4c49c23dd678b9c9ec1461caf97f6403e99805127e192601a18642439c140bb37d6

Download Submit
C:\Users\Admin\Desktop\WaitRedo.vbe.id[A1EE4869-3483].[[email protected]].8base
Filesize
335KB

MD5
5152c907c64a722c28d75beea0509c8f

SHA1
bbf6ea7e5cc08dbe43ec6f9fffd569c90a7e4d2d

SHA256
474cfe54679a46edae86e1e1e3ecedcaf71a7d82900907120b914abd873e62ac

SHA512
651aaf02e93ddfffdc55093b45509c080b58330cdfc20385ad37905bd007ea960223f2458695106558823486fefcf66b787f6ede1c407290995ba762426e42be

Download Submit
C:\Users\Admin\Desktop\info.hta
Filesize
5KB

MD5
4195b3bc0546cd26306a07aa7bf9e5a2

SHA1
0c6d5507fc881c9472e941f1f241ff4cad4108c7

SHA256
b8806f0d6d0cd00a0ef4889e0f2bc7c88de3827dbe6ee5e6b9d6abe3236f3e9e

SHA512
e0490d6e8aa1735349a56290c8b63471fc07900009bc284d6e3c73db9fde99e00baea0bf7e3113aae84a3ebed2a08c84bd45783e227b33043916fc6e95762671

Download Submit
C:\Users\Admin\Desktop\info.txt
Filesize
216B

MD5
785cafecedf21b32589f303a8a490a6a

SHA1
5388d3b2a40734142918364eadc02b4429d856e3

SHA256
e455b6bfe96488ca6d4ee70ef495c8925040d22a7cba422e0db7469065daf932

SHA512
4511937134dd7809e888f9bcfcf06d24c17a06f55b5a2b9690a381fda8de9cb793a9799c91814ce43f47ca6db594b010c5feae8aff08bd3edd448967d06fc93b

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.id[A1EE4869-3483].[[email protected]].8base
Filesize
2KB

MD5
91739402509d737d3721e020b9cd82b7

SHA1
42ac7c58be7263f5b1b878f7c6cba413b20ba6ab

SHA256
38ed7b5e9af430b31990a9211dec834a4e0ab4da4bbbd7cb5c078c78647e1c80

SHA512
18cebb9c717a5f14d911bc8f8890c2aae747b57c0cbfcb5d69f23a3acdc084b1933584e7c588f7c4616558a8039bd2d6fc1b786153c440a0b67797c00909fbee

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.id[A1EE4869-3483].[[email protected]].8base
Filesize
1KB

MD5
b3a7aaa79e38e3c8d491c25748c1db7a

SHA1
eb4c225b21a192d0f16400aa778433a92b0e5d03

SHA256
ce1350dcac6732300378ae2128e6be5994e61c251618b13a785a4b0dda304a82

SHA512
6971b42845175f978caec9b37982ab17b8d65ba8c0a8534bc48bb02e154f19a13925d9dece914d73b478d37034cde462eba14eb6b939f84cc7788b082c540d14

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.id[A1EE4869-3483].[[email protected]].8base
Filesize
2KB

MD5
cb290ffae818b00c158cf81cffd1421a

SHA1
ef36b7acf0798b1c3cd560b3836515c2d9df4f73

SHA256
0a1f64a63c01aae23db8c3e96d106110883d308e225e3aaea59f0e6340afa729

SHA512
6714db448c27da164c22191b186b158393cccd57f2aa07ab0a9f18555db988ab26894c365847b310feb820658054e0971d852038117d6e84a21dd70f53617b7f

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.id[A1EE4869-3483].[[email protected]].8base
Filesize
1KB

MD5
6cff1f745d6999a5d18553a0bdcb1051

SHA1
a2a861905b698396e2da33fc703b367e9aa98fb9

SHA256
5940cd701612d5af65678e582c5c8a0e55e18e4c62414c80363f18c2c4cf133e

SHA512
844511d526c235f220955e9905d37529534be9e294c69d9bda472e331d5aac9dea376167cdf83fc7a2f4d4e832ec7897faedd52cd15b21c590c094d27cf9a3fe

Download Submit
C:\Users\Public\Desktop\info.hta
Filesize
5KB

MD5
4195b3bc0546cd26306a07aa7bf9e5a2

SHA1
0c6d5507fc881c9472e941f1f241ff4cad4108c7

SHA256
b8806f0d6d0cd00a0ef4889e0f2bc7c88de3827dbe6ee5e6b9d6abe3236f3e9e

SHA512
e0490d6e8aa1735349a56290c8b63471fc07900009bc284d6e3c73db9fde99e00baea0bf7e3113aae84a3ebed2a08c84bd45783e227b33043916fc6e95762671

Download Submit
C:\info.hta
Filesize
5KB

MD5
4195b3bc0546cd26306a07aa7bf9e5a2

SHA1
0c6d5507fc881c9472e941f1f241ff4cad4108c7

SHA256
b8806f0d6d0cd00a0ef4889e0f2bc7c88de3827dbe6ee5e6b9d6abe3236f3e9e

SHA512
e0490d6e8aa1735349a56290c8b63471fc07900009bc284d6e3c73db9fde99e00baea0bf7e3113aae84a3ebed2a08c84bd45783e227b33043916fc6e95762671

Download Submit
C:\info.hta
Filesize
5KB

MD5
4195b3bc0546cd26306a07aa7bf9e5a2

SHA1
0c6d5507fc881c9472e941f1f241ff4cad4108c7

SHA256
b8806f0d6d0cd00a0ef4889e0f2bc7c88de3827dbe6ee5e6b9d6abe3236f3e9e

SHA512
e0490d6e8aa1735349a56290c8b63471fc07900009bc284d6e3c73db9fde99e00baea0bf7e3113aae84a3ebed2a08c84bd45783e227b33043916fc6e95762671

Download Submit
F:\info.hta
Filesize
5KB

MD5
4195b3bc0546cd26306a07aa7bf9e5a2

SHA1
0c6d5507fc881c9472e941f1f241ff4cad4108c7

SHA256
b8806f0d6d0cd00a0ef4889e0f2bc7c88de3827dbe6ee5e6b9d6abe3236f3e9e

SHA512
e0490d6e8aa1735349a56290c8b63471fc07900009bc284d6e3c73db9fde99e00baea0bf7e3113aae84a3ebed2a08c84bd45783e227b33043916fc6e95762671

Download Submit
\Users\Admin\AppData\Local\Temp\478B.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\478B.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\478B.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\478B.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\478B.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
memory/224-10490-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/748-62-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/748-61-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/748-90-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/748-64-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/748-65-0x0000000000510000-0x0000000000544000-memory.dmp

Filesize
208KB

Download
memory/748-63-0x00000000003C0000-0x0000000000406000-memory.dmp

Filesize
280KB

Download
memory/864-10549-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/864-10548-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/980-126-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1196-9813-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1196-10547-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1196-9854-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1200-284-0x000007FF59DC0000-0x000007FF59DCA000-memory.dmp

Filesize
40KB

Download
memory/1200-276-0x000007FEF5690000-0x000007FEF57D3000-memory.dmp

Filesize
1.3MB

Download
memory/1200-101-0x0000000002B10000-0x0000000002B26000-memory.dmp

Filesize
88KB

Download
memory/1716-10551-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/1764-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-35-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-36-0x00000000020A0000-0x00000000024A0000-memory.dmp

Filesize
4.0MB

Download
memory/1764-37-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-6-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-25-0x00000000020A0000-0x00000000024A0000-memory.dmp

Filesize
4.0MB

Download
memory/1764-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1764-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-38-0x00000000020A0000-0x00000000024A0000-memory.dmp

Filesize
4.0MB

Download
memory/1764-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-28-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/1764-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-34-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/1764-23-0x00000000020A0000-0x00000000024A0000-memory.dmp

Filesize
4.0MB

Download
memory/1764-24-0x00000000020A0000-0x00000000024A0000-memory.dmp

Filesize
4.0MB

Download
memory/1764-22-0x00000000020A0000-0x00000000024A0000-memory.dmp

Filesize
4.0MB

Download
memory/1764-8-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1764-21-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1856-9659-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1856-9655-0x0000000000180000-0x00000000001EB000-memory.dmp

Filesize
428KB

Download
memory/1932-103-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-99-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-97-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1932-91-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-86-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1988-106-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/1988-107-0x0000000001EB0000-0x0000000001EF6000-memory.dmp

Filesize
280KB

Download
memory/1988-108-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/1988-124-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-3-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/2188-4-0x0000000004660000-0x00000000046C8000-memory.dmp

Filesize
416KB

Download
memory/2188-5-0x00000000047E0000-0x000000000482C000-memory.dmp

Filesize
304KB

Download
memory/2188-0-0x0000000000C10000-0x0000000000C96000-memory.dmp

Filesize
536KB

Download
memory/2188-2-0x00000000020A0000-0x0000000002118000-memory.dmp

Filesize
480KB

Download
memory/2188-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-18-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-26-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2524-54-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-69-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/2524-40-0x00000000000B0000-0x00000000000B7000-memory.dmp

Filesize
28KB

Download
memory/2524-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-27-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2524-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-59-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-376-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2524-380-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/2524-55-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-53-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2524-51-0x0000000077AB0000-0x0000000077C59000-memory.dmp

Filesize
1.7MB

Download
memory/2524-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2544-10342-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/2544-10384-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2696-85-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-81-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-92-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-95-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-79-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-71-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-73-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-273-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2696-82-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2704-10534-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/2704-10536-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2804-80-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/2804-68-0x0000000000A40000-0x0000000000A90000-memory.dmp

Filesize
320KB

Download
memory/2804-74-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-76-0x00000000040B0000-0x00000000040F4000-memory.dmp

Filesize
272KB

Download
memory/2804-78-0x00000000004C0000-0x00000000004F2000-memory.dmp

Filesize
200KB

Download
memory/2804-100-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-9347-0x00000000001F0000-0x0000000000265000-memory.dmp

Filesize
468KB

Download
memory/2848-9350-0x0000000000180000-0x00000000001EB000-memory.dmp

Filesize
428KB

Download
memory/2848-9413-0x0000000000180000-0x00000000001EB000-memory.dmp

Filesize
428KB

Download
memory/3044-10171-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/3044-10185-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3044-10184-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/3060-10247-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/3060-10248-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download