chaos | 79c0f9223e6861b8bf5f6f3ef860bc517e8fcb544efee34bb5f2cc9867af75a7

Resubmissions

09-04-2024 21:00

240409-ztcbesed8x 10

13-10-2021 12:07

211013-paebkaeah7 9

Analysis

max time kernel
294s
max time network
296s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trabajo escuela.exe
Size

614KB
MD5

535994874b99eea69b30569bc7176440
SHA1

e10245fd72b3ff5f219b18fb292fb3b33ae3a3e5
SHA256

79c0f9223e6861b8bf5f6f3ef860bc517e8fcb544efee34bb5f2cc9867af75a7
SHA512

12bb6e3737f545ecbef371e079d6764d8e35ff8f940258b430f16e07d34e214c030f6ce0518461639178209fe2da62941a1de763fc25490c0e02e8e064da596f
SSDEEP

12288:YctEagGmcl4gBF1BRnI6hAVebOe1qOX+t4Z3Fy0RMDbXScaTRM:ZR+cl7X1BRnI6hmebOe1qMuJXifu

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000001abdc-14.dat	family_chaos
behavioral2/memory/4420-16-0x0000000000DE0000-0x0000000000E8A000-memory.dmp	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3792	bcdedit.exe
3820	bcdedit.exe

Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2112	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LEER IMPORTANTE.txt	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
4420	CRYpt0r V3.0.exe
2280	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-873560699-1074803302-2326074425-1000\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7kijwxp85.jpg"	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5028	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2280	svchost.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
4420	CRYpt0r V3.0.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4360	OpenWith.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	CRYpt0r V3.0.exe
Token: SeDebugPrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2904	vssvc.exe
Token: SeRestorePrivilege	2904	vssvc.exe
Token: SeAuditPrivilege	2904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: 36	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: 36	1068	WMIC.exe
Token: SeBackupPrivilege	4328	wbengine.exe
Token: SeRestorePrivilege	4328	wbengine.exe
Token: SeSecurityPrivilege	4328	wbengine.exe
Token: SeShutdownPrivilege	2564	svchost.exe
Token: SeCreatePagefilePrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe
Token: SeLoadDriverPrivilege	2564	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4360	OpenWith.exe
3060	OpenWith.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4420	4472	trabajo escuela.exe	72
PID 4472 wrote to memory of 4420	4472	trabajo escuela.exe	72
PID 4420 wrote to memory of 2280	4420	CRYpt0r V3.0.exe	74
PID 4420 wrote to memory of 2280	4420	CRYpt0r V3.0.exe	74
PID 2280 wrote to memory of 660	2280	svchost.exe	76
PID 2280 wrote to memory of 660	2280	svchost.exe	76
PID 660 wrote to memory of 5028	660	cmd.exe	78
PID 660 wrote to memory of 5028	660	cmd.exe	78
PID 660 wrote to memory of 1068	660	cmd.exe	81
PID 660 wrote to memory of 1068	660	cmd.exe	81
PID 2280 wrote to memory of 4988	2280	svchost.exe	83
PID 2280 wrote to memory of 4988	2280	svchost.exe	83
PID 4988 wrote to memory of 3792	4988	cmd.exe	85
PID 4988 wrote to memory of 3792	4988	cmd.exe	85
PID 4988 wrote to memory of 3820	4988	cmd.exe	86
PID 4988 wrote to memory of 3820	4988	cmd.exe	86
PID 2280 wrote to memory of 3700	2280	svchost.exe	87
PID 2280 wrote to memory of 3700	2280	svchost.exe	87
PID 3700 wrote to memory of 2112	3700	cmd.exe	89
PID 3700 wrote to memory of 2112	3700	cmd.exe	89
PID 2280 wrote to memory of 1008	2280	svchost.exe	93
PID 2280 wrote to memory of 1008	2280	svchost.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\trabajo escuela.exe
"C:\Users\Admin\AppData\Local\Temp\trabajo escuela.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      4⤵
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5028
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3792
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:2112
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\LEER IMPORTANTE.txt
      4⤵
      PID:1008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4644

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:2588

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3172

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2564

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:4864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
88a10b4186719522a6eb68dbfd83bb30

SHA1
c296e7b33b23f7e390326e5fea5ae00c56a80e31

SHA256
9d88f33147f8f0c71257b83d9000e58a498d3849d28dcc5841f44b2c8be8bfac

SHA512
4af4c9d1e59ff5714e47fc209cda0d830bd20501a623a24fc41fb58aeaf119539faffb4e347da3a80b902d24d5c921fafd3ac01784001962f6bd5e3e9b1eec90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRYpt0r V3.0.exe

Filesize
652KB

MD5
f04e2d871aac9bca6b4cbb87a7c4b583

SHA1
17d06a123d289510e9bbeb9d2ec89da4caa8f9d5

SHA256
24761b824fa4baf33ef574f1fff99a72ab5b7e2272aecf365d39b65748b01f6d

SHA512
c6624289766aeb87d9a3387130c3afc9c1ddb8f6d1ccc789f14af2d7858303629c1ac75fc89eeceb3069d0e94a0a9242c4ce705f3ec846e8f5be2566f095074a

Download Submit
C:\Users\Admin\Desktop\AssertConfirm.wps.cry

Filesize
1004KB

MD5
5d150c14105f9f38b44d2f268e84da46

SHA1
ca185122431ed9295df40fa63a4dc3a4f59ded77

SHA256
f309bc8877f0121dfcf1da56765c22d4e1e383f66b4f131ac4971c25a4acc9fa

SHA512
fafb55e246def43954078fea870c20e3c205f4c7d25b307c0aa5fa3836f008be981a82403a74437a99dd4b76e8f4fdc74801a54c815db0c04f215ba3740c2960

Download Submit
C:\Users\Admin\Desktop\ConfirmPop.snd

Filesize
797KB

MD5
2d8c386b376f6720a39132b4f8ec6726

SHA1
946d6a0b28290365dd315de658b7c2702d0eacb5

SHA256
3e26d9d255340c1e867eb6348ac580c5328a3101e8e21b7153176e60cb3dd42d

SHA512
c4ccd0ea8824c7bfe4ad18a20db9dac9194054723d96c34ef7a0d263ce47203b28ba8735dc0454eba903c85303d982731dee9bad8e47ddf951d4970fbc0a495d

Download Submit
C:\Users\Admin\Desktop\ConvertToRemove.m4v.cry

Filesize
824KB

MD5
f5252e2e04457d4330d7ab91ebe89974

SHA1
a83e18acf4fb4c81c990dc947db2e6fff78cc596

SHA256
ffc63e38d8f134bc99f6e52b70b6c227a62280498ac339df1a4eaeb89fbccf20

SHA512
3e8aac98004a0683751e9510247f3fb826a2fdb8d3ef572d8718ca55792bbced5866b3b9752ed7317e707b0b7e322548171969b365e173da2b0b99b296e078c4

Download Submit
C:\Users\Admin\Desktop\FindEnable.tiff

Filesize
595KB

MD5
2ff1bad41fdec927512700d24413f025

SHA1
70415cbdb5b6728faa385c99b94984d2eb4f6abf

SHA256
bd3c18965890c9cf2939c9335371c98763f19789074eb01d9670b47598ac8df9

SHA512
3f5ea1436ac6776a9078d2c04d113c0347d0a1830ec3dddaf1f75372bcd436bbf10fda63cf21bebb9c3493818edb7e88b23ff0209a3ec832724319736c471082

Download Submit
C:\Users\Admin\Desktop\ImportConvertTo.jfif.cry

Filesize
524KB

MD5
4fa1f0556b17426b2f7b518999bf50d8

SHA1
5d40b638b1d43e0f6117d749fe2650cf1588515c

SHA256
4d62f4cf253c2b35f4c723c007e9e364e7964c762b5e016f6717045c8c97d235

SHA512
5d37e3de3858c3bfe2554d52af8a99f498bf9bb89d2b55429de8cb968cc199f635a9bccf9ec0d459debb015ffbe47da88e7d0cbc32f647aad3b06f704f22311d

Download Submit
C:\Users\Admin\Desktop\InitializeSkip.png.cry

Filesize
584KB

MD5
cb0f6009a76bb27ccb177e3b03c39a2f

SHA1
b25e38703bfd1499279c70c78e1bb9d764e26098

SHA256
1ab96461e3a39f750be52e8c39c4d3fd23c5b2d9bd3e3255ec123083b169820c

SHA512
fa8e31ca0880800945cdab08a8550c9cf6c4ea4d26d1068a686fc9ca35e02c77c194c78d10478b8cbf85b4922f7f30828795299e1ca1711b67998fd99923fccd

Download Submit
C:\Users\Admin\Desktop\MountPing.crw

Filesize
483KB

MD5
c98dc1fb830269712db8a3e5d7335d3a

SHA1
f00672d2a17eaf880e56b8db143a88fc220cbf4a

SHA256
49fc7529fbd7aefefc65ac2d0c53b97a786bfe3692bd761f296d4d18c2fc1c4e

SHA512
5709c44a2c6f69e76aeca32dbad1b29ef55ccde4b2d327607ddd0fb0f25f7e58c4763baea2062e7985e0e1d497cce999759c3fc29646d4f908e3355232fc941d

Download Submit
C:\Users\Admin\Desktop\OptimizeOut.aiff

Filesize
707KB

MD5
9dde9dc7c98465be821d0543f70437bc

SHA1
28f9fce84ac15f7083ba6a538a0be72969a2177d

SHA256
4bc6f9ae49f743cd0af7410bdd3971b6f3a4ccb45be72ccee9202a541c8500f6

SHA512
4703db9e707eb7164c658629253f04903da6b85e7a0d6b1a5a9322b560ae51b2b1bb561f05fc7c9648d744b0003cecd2664f0a306a24515be127abd2d2bca857

Download Submit
C:\Users\Admin\Desktop\OutStep.sys

Filesize
550KB

MD5
4d8f860d93fa61049172f40c6ae94c59

SHA1
e286babce3493ae65bac507c39d692910dad28a1

SHA256
bedb1d48e17a54f92009c946acd521294c1f1bf95909ffd08e9d654e16cbaa75

SHA512
04af4149635b6acbf8d0682287fc885daab74a0e6197f553c1d00427cb946522f412c45e6023260ef10f35adbc4b7c9dfe6914042999eb98997a1f7b5cd31f3d

Download Submit
C:\Users\Admin\Desktop\PingWait.dwfx

Filesize
415KB

MD5
753f3c7691e9475c945fe85be664e663

SHA1
ca14e615637d11270775c437bd48bc65c0caf121

SHA256
e84b95ffb8d400968645ee7baca553d166170956c647680f106e4a49fb25237c

SHA512
cda60c3f09bbc85cafcc976af41c5a0735861ad995883f3f9ee6a5ae620482389f3187958692b431346457b5e520f2f9a214a16a259d3ba545b3b8216444048c

Download Submit
C:\Users\Admin\Desktop\ReadOut.exe

Filesize
460KB

MD5
2d2fb5619f08bdb22f1c832200de0536

SHA1
e636acd7dbadd2c023e66c29ee0cd1fcfbab55cf

SHA256
9e705c73cce844251b3b30ab7eded59431434559b0d2360503bc855c7d71615b

SHA512
3afcc54fc4f0637efb8404f9c8e1d621ebeecb1d75171e79dad22ef99dfa72c5345b5a49252edebe81e0bbae684e4c426b94f4a525b29d2f21df5593436c6c74

Download Submit
C:\Users\Admin\Desktop\ReadRepair.js.cry

Filesize
974KB

MD5
cb67fb2d47b70bee36a470e28339945c

SHA1
54be59454aebc2cb1c578ec66e595f938bf0676d

SHA256
bc5d822c055cffe948e955922f364e0c949646521320cad7e6735c199a1607cf

SHA512
2546066b3f61aa590ce66d7e0186e3297bd829fc998521c140020103a3cfb017ea333cc40b1bab5eba4e864d5a85e2dd1c42523644e91e756f850218e9068109

Download Submit
C:\Users\Admin\Desktop\SearchGrant.potx.cry

Filesize
1.1MB

MD5
396f9436a2c6cb5d960a7113a16c92c0

SHA1
1c1ff0f0ad91c430cad4b74663ab38e6bfccfdae

SHA256
7512e9b45e0df6cb334e9c11c3d7f159e722559ef6317a625ef0af9812241ce9

SHA512
e70ca2aaf02b8f5cb9106cbba87f2a261b39a69c436d631ed11f95465100890c42c0acef1ebd20d2edfdb8af188d92a0f42a000679f9f0e2ed846468af4fd9f8

Download Submit
C:\Users\Admin\Desktop\SelectSplit.vssm

Filesize
685KB

MD5
29bb3d47453edd7d8a6ff9a1d9694c76

SHA1
f576a728311df3bd9fa7fb018a5307b4085bebe8

SHA256
27e5ce1d592e6d328581c9c699244d0a5d29e9ceefd3a2889bc92528d06a12b3

SHA512
17b89c011cf28a10ab400035de505126ffff5efcee77b6ece837f39a50e0bcdd5ac630c77fb95085c5c365aeddd6e151b707ed6604f24a5a07dcbbbec2dcc698

Download Submit
C:\Users\Admin\Desktop\SkipInvoke.avi.cry

Filesize
674KB

MD5
3d549055eb06e7d6ad72913c4e722ddb

SHA1
5a13aa81373eb8ce7db5a7dd90e270379803de8b

SHA256
cc51ce01878d2d66777e933e24a32c4f0337b9a9a821a9498fe131a2f39f41f4

SHA512
a127fb23391123744a50e8f14cb72d73a02845e2c19ee7d61c9ec2711faf59bbaf804544aff6032d925e6643dc7148bc4f626d6f76231cb59b6b2033c67b25f6

Download Submit
C:\Users\Admin\Desktop\StartDismount.cfg

Filesize
528KB

MD5
b3eb1c3656f05609b8678b4ef6fd9f98

SHA1
ec8d38252531404e826c46eeb0fcff914bd148b0

SHA256
a442dbebc3a1f95def8575fe4eb1f0ecd76844bc752f8343296cc6edcae6802f

SHA512
18dcff7193eb463c8be60e956d456e2658f61637120d0c590bade29a541a8a1e0fe18a1caf42ce1f6f9e507913124d1d16357f0de161c38e3b6a02335b285970

Download Submit
C:\Users\Admin\Desktop\SuspendEdit.M2TS

Filesize
1.2MB

MD5
d7a310227e47ec4727ebf2c95d392be7

SHA1
01ebee91710eb41faeb8c09a360c1cc329429401

SHA256
5cfae70f6bee6c734e758d716ca0423deb2b79a79498ef3b9ef03be4b81533d9

SHA512
4ab4ca6174a41a0ea47c8b8cee0f3b092e361f177b3fa87476bb408e135d4a57c856230d46a93c2d9de43df574a47ce2ee5595bbcd875ddaa37f53eb0dd533eb

Download Submit
C:\Users\Admin\Desktop\UnblockUpdate.dot.cry

Filesize
494KB

MD5
ebc2b1438cf6526b0fcb6eddba3a799c

SHA1
ed7cd600dfd81b3d0653bb59b2803c1ddaa0f7b0

SHA256
6292ead3a34a066545d3b4f2d49d919aef023ee6df9072ed816c34aae812e7ae

SHA512
17227404da7e0619ab4eebdd5ba4ba30c47329a9f13201329b6e3d8f3784de0ce0762ea8021e6a903d731e174b181bb277049d2ad57162e47e67dbce2050b00a

Download Submit
C:\Users\Admin\Desktop\UndoInvoke.docm.cry

Filesize
464KB

MD5
23bbc2e8497a6bbe050aa6d577df19c9

SHA1
d5bdacb087cab25e5abc3d209ac74324857b31c6

SHA256
6a134c67b0284e73b243a752a8c7c54034451ea63f549259b613b907d2cbf229

SHA512
37fd871d0b78ae9a3005edc6a5c8a410ba7da6ba5828d93ef616fea7759f09e7810ae83890a04e074821e25970c12eb0e177d31aef8be09be6d3d876af1f9f28

Download Submit
C:\Users\Admin\Desktop\UndoUninstall.pcx

Filesize
303KB

MD5
0ab488911c72edbd59fea128abe86b1c

SHA1
702b69835b1d169f29a78a46faa03dc48105df83

SHA256
3fc022d46c3625cd9db849b99c7f0e675a64aa6132a322716e85e05e9f93ce7d

SHA512
d5278645ba6a6e83e02f819f0b657f29c99ea4ea31e3319f738854b5b9044d59a3ff531d495a31854ef7a88e73720c7dc2e78924c6363610d6a64f5635c8d943

Download Submit
C:\Users\Admin\Desktop\UnlockInstall.html.cry

Filesize
764KB

MD5
ceff7a61b56cb0f9b6b27b919bf86da0

SHA1
edf23f7a7c4d83a465aa29dd72b9cc0f990fcb6f

SHA256
fc21ab59049547f45b3d37f8012036c0d4749dc5af6374d2d2ade8301ab154e9

SHA512
3ec3a1241778aa3976228dd2c77367bdec910fcf3ac2a8d0ab961b99caaec4058318c3b365357dfc572a4969f18bfb105efab7ee1e880fde9709e394d5e9f9e7

Download Submit
C:\Users\Admin\Desktop\WriteGet.tmp

Filesize
820KB

MD5
67b764dd6fb4768ccfee73eb7ff8d42b

SHA1
ef91ac370ddd3e9e54acbceb632208cf5cd8a9cc

SHA256
cad8c551362131da5b4b6da95b4d35168e537bc77e3eb49abe86dae9effe7de6

SHA512
e85b6aade7cc65251b82df7b93ad28fb3df1207b4fae82a9077b179993e24d89b636c2b575b19eec7baefabbb79949296c7b656e176129c3be9ca61221fc1a9d

Download Submit
C:\Users\Admin\Desktop\desktop.ini.cry

Filesize
584B

MD5
e43b8bf0caeb3c5f20e115ad0aa983ec

SHA1
bc83c09acfb23951d02d87579af8a38c8e398aef

SHA256
9c469e0d868136f4a3ad5bdb4c7617dc57239ff0436d55a52d3d60be164b1657

SHA512
69c564b2ebd1b3aa0200b3b6c223f0a0e02eb49f8e3dc0bd06947ef4bc7b23c1f5673df4383fd4bab0dc4c89a907a61627562f962e921255017c7caeb54e4663

Download Submit
C:\Users\Admin\Documents\LEER IMPORTANTE.txt

Filesize
1KB

MD5
c330fe6230777cc10704e18bc35f4b5a

SHA1
03003156eefe7b2224afc900d58e15ac62f43fea

SHA256
fc668aa6ea357639d9cf3320018dededde311a70b8d12932907dfa0416c4dc14

SHA512
bd719db8e6e73f8c7feae0fb1b5b4592c789468f34aa7dfb7ce603e2c2fe3f43542687c533fb542e8f6fbf652ab5d8e818f91049d93343971038f648ddb5bc10

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk.cry

Filesize
2KB

MD5
cc4091e6c2db6f03d6ebfc8890dde1c5

SHA1
85307f8977006c22a1539ba12671fbf63f529b60

SHA256
ef022cb2cc127b3f15c91cd1d55d26e00a7618bbb4f2b9fa01f1d1761c5cce2d

SHA512
9eafea4dc88c8a27454e8ea49adc9bc57e137c7638fda67f1eb133004388947e4b67c58da0c6b8c4dd843a76662cb65e21a7bcc15dc1177fef0bc592fcdeaf84

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.cry

Filesize
1KB

MD5
378d5eb396bad59cedb775b654b73f86

SHA1
834ab43c146714970afdd0a56baf7bcf950907bc

SHA256
da5307b682e417bddd90c7dc18f40e14e0b6eceee588113156f09b7f355a11c7

SHA512
c45465a3c95a0e7c0423d616ea4e20172d2db285595edf6a0d23e06e8fce9c0c943abd20f1f44f7f08eb42fc1c17e27e3134183172ffc48949e2840de82073a6

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.cry

Filesize
3KB

MD5
b245b38a50b993f1e40d8fbe0ce21c5e

SHA1
d8bffc3eb2a28b3450a4aef2cb612cc9250ced22

SHA256
9489d2a66984e5879f368739808338c624e912ccb13504e2add902ca1da885d6

SHA512
64d875e9e9340ac6009b3d55aee48540ff1f05c883585bb1892089dbdb3ed1f5f6b5f3701d54366689d363b923effe168f17c4a10d42d5912ec26a11777c1153

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.cry

Filesize
1KB

MD5
c03a3e5a7de96efe82841a33eac11911

SHA1
c89ede970cd4ce5c22cd79b0826e940f6242b8c5

SHA256
68bfea7bf00adf9deee2c9b7754b490f69924e8662623787ae5e122f10ccd5d6

SHA512
1d0d9454952d93334035ccef330db8ef33b4453ea59d7d749e00ba32b19c7aaf3d84260da0f5d1a6e5476dc520f5c1f27f4660cb89b5ce3c00a667523c9630fa

Download Submit
C:\Users\Public\Desktop\desktop.ini.cry

Filesize
436B

MD5
6ab77bdbbb388fe4ec77f870aa56fdb0

SHA1
8adf4658c4b07d69472fa6dc906e681a8994ecf6

SHA256
90387bd1479a7b410dcce6011f3c45545843f1c99820b5131c53e6d0b850e1c3

SHA512
4af4966d015a31726179e3835ddd514e0cc5936eb309cffdccfe4d947ca6dc56edb9f7d6805d8be4297983722f2ad08fb894728bd1646d9907d4b19258b45e01

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
memory/2280-25-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-27-0x000000001C100000-0x000000001C200000-memory.dmp

Filesize
1024KB

Download
memory/2280-430-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-431-0x000000001C100000-0x000000001C200000-memory.dmp

Filesize
1024KB

Download
memory/4420-24-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/4420-17-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

Filesize
9.9MB

Download
memory/4420-16-0x0000000000DE0000-0x0000000000E8A000-memory.dmp

Filesize
680KB

Download