599b40aa7b210e6c8204c658da233a7bfe8d3f144860a93a4db498b69969679e

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gruel.exe
Size

100KB
MD5

b0feccddd78039aed7f1d68dae4d73d3
SHA1

8fcffb3ae7af33b9b83af4c5acbb044f888eeabf
SHA256

5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6
SHA512

b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d
SSDEEP

1536:ThBfyxwMz14BSSQGRwmkwmGDAzGC6TaPAlbv/g:1BKxwMz14wSQGGUDAATaPAlbv/g

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	rundll32.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

Gruel.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Gruel.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MediaPath = "C:\\Rundll32.exe"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32 = "C:\\Rundll32.exe"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEX\DevicePath = "C:\\Rundll32.exe"	Gruel.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Gruel.exe

description ioc process

File opened (read-only) \??\D: Gruel.exe
Drops file in Windows directory 1 IoCs

Processes:

Gruel.exe

description ioc process

File created C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe Gruel.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	Gruel.exe

description	ioc	process
File created	C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe	Gruel.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeGruel.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"	Gruel.exe

Modifies registry class 37 IoCs

Processes:

Gruel.exeGruel.exeexplorer.exeGruel.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe,0"	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ThreadingModel = "Apartment"	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder	Gruel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ = "kIlLeRgUaTe 1.03"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe,0"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ = "Shell32.dll"	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe\" %1"	Gruel.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Gruel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InfoTip = "kIlLeRgUaTe 1.03"	Gruel.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder\Attributes = 00000000	Gruel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Gruel.exe,0"	Gruel.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

5552 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 5624 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5624 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Gruel.exeexplorer.exe

pid process

4912 Gruel.exe
5552 explorer.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Gruel.exeGruel.exeGruel.exe

pid process

4912 Gruel.exe
1340 Gruel.exe
368 Gruel.exe

pid	process
5552	explorer.exe

description	pid	process
Token: 33	5624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5624	AUDIODG.EXE

pid	process
4912	Gruel.exe
5552	explorer.exe

pid	process
4912	Gruel.exe
1340	Gruel.exe
368	Gruel.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

Gruel.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4912 wrote to memory of 3984	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3984	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3984	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4376	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4376	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4376	4912	Gruel.exe	rundll32.exe
PID 4376 wrote to memory of 3092	4376	rundll32.exe	RunDll32.exe
PID 4376 wrote to memory of 3092	4376	rundll32.exe	RunDll32.exe
PID 4912 wrote to memory of 4052	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4052	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4052	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3380	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3380	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3380	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 2568	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 2568	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 2568	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 2368	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 2368	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 2368	4912	Gruel.exe	rundll32.exe
PID 2568 wrote to memory of 1340	2568	rundll32.exe	Gruel.exe
PID 2568 wrote to memory of 1340	2568	rundll32.exe	Gruel.exe
PID 2568 wrote to memory of 1340	2568	rundll32.exe	Gruel.exe
PID 4912 wrote to memory of 1372	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 1372	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 1372	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4772	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4772	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4772	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3180	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3180	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 3180	4912	Gruel.exe	rundll32.exe
PID 1372 wrote to memory of 368	1372	rundll32.exe	Gruel.exe
PID 1372 wrote to memory of 368	1372	rundll32.exe	Gruel.exe
PID 1372 wrote to memory of 368	1372	rundll32.exe	Gruel.exe
PID 4912 wrote to memory of 1364	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 1364	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 1364	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4588	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4588	4912	Gruel.exe	rundll32.exe
PID 4912 wrote to memory of 4588	4912	Gruel.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Gruel.exe
"C:\Users\Admin\AppData\Local\Temp\Gruel.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl @1
2⤵
PID:3984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL netcpl.cpl
3⤵
PID:3092

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0
2⤵
PID:4052

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL main.cpl @0
2⤵
PID:3380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL modem.cpl
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\Gruel.exe
"C:\Users\Admin\AppData\Local\Temp\Gruel.exe" C:\Windows\system32\rundll32.exe
3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL main.cpl @1
2⤵
PID:2368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\Gruel.exe
"C:\Users\Admin\AppData\Local\Temp\Gruel.exe" C:\Windows\System32\SystemPropertiesComputerName.exe
3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1
2⤵
- Modifies registry class
PID:4772

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL timedate.cpl
2⤵
PID:3180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
2⤵
- Modifies Control Panel
PID:1364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
2⤵
PID:4588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:5552

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Rundll32.exe

Filesize
100KB

MD5
b0feccddd78039aed7f1d68dae4d73d3

SHA1
8fcffb3ae7af33b9b83af4c5acbb044f888eeabf

SHA256
5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6

SHA512
b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
b4c8d7be19433b9f4aeb288df6e0ea06

SHA1
e6628922a84d47ff6f8ed18ef18a004cfe6791b9

SHA256
0ed40a0dd05c1c443ec61699a44d9e6718248373aaf3a8eb9e47b922177f8955

SHA512
a10ca80513fb1a99a378c65a3ad4dc34e69948e90ef90033ed6cd0c1c8e22d2be8d75e13fbd11d331ab881d62d83f1fd8007e85a6fe838bc5ccd96329533e6a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
1348e4e8fc451e8021f935f4b1376c95

SHA1
c6fecb47e09a1a255cbe9a9f03d91d2100cd1737

SHA256
cdf0440a375c4d4a180a358ea3c87448482622fbc71833bc797ec1410e54bb01

SHA512
ef23469825048d1fdc7f693a9efce5a1bdb8472743917288fa06244c7172d933347d8403440598a9f4062b3514ee313462655e21bc1c1a8dde78cfb607796703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
7fb79143306c366914491bbb65e8eabc

SHA1
2310332215257e55238ae07cf019fa8990be237f

SHA256
f0b7c4243f9018c22a71e24650d5a1693130be7c2c1a1f2f9ac37e5325c82eee

SHA512
e51c303463af7bf9e477bd7e544509052587a1abddef99fc400e8884697d4c4243ea96363978b9fc4a37474eabf9516e41282462bac2a76222464f4fe110921a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
1904c638ead423cbe9814ce2d0e474d4

SHA1
885e8819399fdebd2673d10d2cc57ea27d98b640

SHA256
ef539db1b430291058e1ad07086484301848498956788b0923f50757c5b643bc

SHA512
d3124091b978a14b47a90892c306fde8823d4322b8fa5ed3be7bd7ef22a008b2e7de79322aa7f26047fbaa406bd09305bf9825ab4b53136cb8fe3cebeb52d2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
c7a664c21d6981ded6354109242814e4

SHA1
bb0d89e31821ced06ffd2a758e98628ce9971bf7

SHA256
9a487bd0555f7ec3bc34c05a512fb734190cfbcedc7578332b346a210b3237d9

SHA512
d24f442ccc7d48163e0a8b424aecac1bb2ead46df648981f8df47bd5d4d2ba1ce51dcbd57980c8a322897f64763c7e87f36b856a59e0a72ec6476359522e4042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
ad280b492678a8635ad65784ce8fb6ac

SHA1
2cb04e1023526e72306c064f594be74a6b5a0d7f

SHA256
212003d7f4f3030f0a9d1c0c63ea4efa3ee6441cdb1050d97caca1dccd4f9ee8

SHA512
62227f793e23078465175bba7e4592a7450fa064b857c011eb7a4513ad71bdcd121ab33ca5e1d4bccf255e65d12a27e882842697db895990b863a32ae76d12af

Download Submit