cerber | 40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
Size

267KB
MD5

58d6f1f73af65c56b5686a8fd43462f7
SHA1

8db860773719ee42c4aff6ac811d539f0ea8c13b
SHA256

40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f
SHA512

c103bcb985eb974246974d84565e5cc2962dd9221a12a0a4e0e97a742a3815a6d73314bf0771b6dd794a9306c37a400bf484b57b500aab9165add22c5b4936b9
SSDEEP

6144:P9KOQS4qFSHLougzUhU0oxIVoVr9VygKhnWOerfsR:PsqFsgz20wa5V5KU5DA

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note

C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Rans0mware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58 | | 2. http://cerberhhyed5frqa.we34re.top/77BA-8295-5336-006D-FF58 | | 3. http://cerberhhyed5frqa.ad34ft.win/77BA-8295-5336-006D-FF58 | | 4. http://cerberhhyed5frqa.xmfu59.win/77BA-8295-5336-006D-FF58 | | 5. http://cerberhhyed5frqa.zgf48j.win/77BA-8295-5336-006D-FF58 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/77BA-8295-5336-006D-FF58 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58

http://cerberhhyed5frqa.we34re.top/77BA-8295-5336-006D-FF58

http://cerberhhyed5frqa.ad34ft.win/77BA-8295-5336-006D-FF58

http://cerberhhyed5frqa.xmfu59.win/77BA-8295-5336-006D-FF58

http://cerberhhyed5frqa.zgf48j.win/77BA-8295-5336-006D-FF58

http://cerberhhyed5frqa.onion/77BA-8295-5336-006D-FF58

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. <hr> If you are reading this message it means the software "Cerber Rans0mware" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li><a href="http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58</a></li> <li><a href="http://cerberhhyed5frqa.we34re.top/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.we34re.top/77BA-8295-5336-006D-FF58</a></li> <li><a href="http://cerberhhyed5frqa.ad34ft.win/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.ad34ft.win/77BA-8295-5336-006D-FF58</a></li> <li><a href="http://cerberhhyed5frqa.xmfu59.win/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.xmfu59.win/77BA-8295-5336-006D-FF58</a></li> <li><a href="http://cerberhhyed5frqa.zgf48j.win/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.zgf48j.win/77BA-8295-5336-006D-FF58</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58" target="_blank">http://cerberhhyed5frqa.wewiso.top/77BA-8295-5336-006D-FF58</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://cerberhhyed5frqa.onion/77BA-8295-5336-006D-FF58 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> </body> </html>

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (2049) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	verclsid.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\verclsid.lnk	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\verclsid.lnk	verclsid.exe

Executes dropped EXE 4 IoCs

pid	Process
2300	verclsid.exe
2056	verclsid.exe
2392	verclsid.exe
1428	verclsid.exe

Loads dropped DLL 8 IoCs

pid	Process
1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
2300	verclsid.exe
2300	verclsid.exe
2392	verclsid.exe
2392	verclsid.exe
2056	verclsid.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\verclsid = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\verclsid = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\verclsid = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	verclsid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\verclsid = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	verclsid.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	verclsid.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
3	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEBB6.bmp"	verclsid.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 2300 set thread context of 2056	2300	verclsid.exe	35
PID 2392 set thread context of 1428	2392	verclsid.exe	43

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
File opened for modification	C:\Windows\	verclsid.exe
File opened for modification	C:\Windows\	verclsid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016d64-77.dat	nsis_installer_1
behavioral1/files/0x0006000000016d64-77.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
2892	taskkill.exe
2756	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	verclsid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	verclsid.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\\verclsid.exe\""	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E541DCC1-3209-11EF-A18A-FED6C5E8D4AB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000d2c6ad34f6472d0f7636a0cd0be5d5f19a07ff71cc4f918021b03de6c8f9f5d5000000000e80000000020000200000004c7e01039eb4d2a6a4b439b5213cbac3f8626c54fb9b575e750fe6994668ba4520000000ff14d2c4b8ed9ab69a85138deae111a4ddae4fff86e5c32ae8cfd7a8af698abc40000000d352bff51ed9c4fd4dd849e743565e577e50ec573ba34288ac6192d1e7da36eb3822a2c4fd12c51bf137416feec02b49c8e7eea9a908dbcdd32cfbdb896c406b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809048b616c6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E54DC3A1-3209-11EF-A18A-FED6C5E8D4AB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000c49c7b8b314fb312daa5b0e856c44edb1a0af828cd9b470a4a823c2f0a69def2000000000e8000000002000020000000e4a4a4a197457137085f48b006fe97e61e2ad830b73079335d825c580822c3a090000000055136240a2d55bee0288561e462ce53de3073ad8802140a0caf70453910ae8ba08a5962fabb24842867c5bff90b7b1bbc8423fb569459af1805147789b057d29eb11b931fd390d4740bfa540feef9b3949802a33a6fa5b105b378c7039d38eaad28d7fac80125f0449dfa35957b0f97b06b3debb4812cc36dccc485bc9e5b55c46c559fd43f568630b5ce7352be6316400000009166b16bf283a8a6f70407b42937640c5b252202c7bea24553743a1ab35728c4c383f9e9c25aa513e7b8f39fc83bf00632ab5ac05ca07e8ab67ff2d6e8580a3d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2036	PING.EXE
2364	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe
2056	verclsid.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2056	verclsid.exe
Token: SeDebugPrivilege	1428	verclsid.exe
Token: 33	2620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2620	AUDIODG.EXE
Token: 33	2620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2620	AUDIODG.EXE
Token: SeDebugPrivilege	2756	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1312	iexplore.exe
824	iexplore.exe
1312	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1312	iexplore.exe
1312	iexplore.exe
824	iexplore.exe
824	iexplore.exe
1312	iexplore.exe
1312	iexplore.exe
980	IEXPLORE.EXE
980	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 1944 wrote to memory of 2696	1944	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	28
PID 2696 wrote to memory of 2300	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	29
PID 2696 wrote to memory of 2300	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	29
PID 2696 wrote to memory of 2300	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	29
PID 2696 wrote to memory of 2300	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	29
PID 2696 wrote to memory of 2860	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	30
PID 2696 wrote to memory of 2860	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	30
PID 2696 wrote to memory of 2860	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	30
PID 2696 wrote to memory of 2860	2696	40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe	30
PID 2860 wrote to memory of 2892	2860	cmd.exe	32
PID 2860 wrote to memory of 2892	2860	cmd.exe	32
PID 2860 wrote to memory of 2892	2860	cmd.exe	32
PID 2860 wrote to memory of 2892	2860	cmd.exe	32
PID 2860 wrote to memory of 2036	2860	cmd.exe	34
PID 2860 wrote to memory of 2036	2860	cmd.exe	34
PID 2860 wrote to memory of 2036	2860	cmd.exe	34
PID 2860 wrote to memory of 2036	2860	cmd.exe	34
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2300 wrote to memory of 2056	2300	verclsid.exe	35
PID 2436 wrote to memory of 2392	2436	taskeng.exe	42
PID 2436 wrote to memory of 2392	2436	taskeng.exe	42
PID 2436 wrote to memory of 2392	2436	taskeng.exe	42
PID 2436 wrote to memory of 2392	2436	taskeng.exe	42
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2392 wrote to memory of 1428	2392	verclsid.exe	43
PID 2056 wrote to memory of 1312	2056	verclsid.exe	44
PID 2056 wrote to memory of 1312	2056	verclsid.exe	44
PID 2056 wrote to memory of 1312	2056	verclsid.exe	44
PID 2056 wrote to memory of 1312	2056	verclsid.exe	44
PID 2056 wrote to memory of 2064	2056	verclsid.exe	45
PID 2056 wrote to memory of 2064	2056	verclsid.exe	45
PID 2056 wrote to memory of 2064	2056	verclsid.exe	45
PID 2056 wrote to memory of 2064	2056	verclsid.exe	45
PID 1312 wrote to memory of 980	1312	iexplore.exe	47
PID 1312 wrote to memory of 980	1312	iexplore.exe	47
PID 1312 wrote to memory of 980	1312	iexplore.exe	47
PID 1312 wrote to memory of 980	1312	iexplore.exe	47
PID 824 wrote to memory of 1344	824	iexplore.exe	48
PID 824 wrote to memory of 1344	824	iexplore.exe	48

C:\Users\Admin\AppData\Local\Temp\40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
"C:\Users\Admin\AppData\Local\Temp\40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe
  "C:\Users\Admin\AppData\Local\Temp\40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe
    "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe
      "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe"
      4⤵
      Adds policy Run key to start application
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Sets desktop wallpaper using registry
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:980
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275458 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1876
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        5⤵
        
        PID:2064
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        5⤵
        
        PID:1680
    - - C:\Windows\system32\cmd.exe
        
        /d /c taskkill /t /f /im "verclsid.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe" > NUL
        5⤵
        
        PID:2720
      - C:\Windows\system32\taskkill.exe
        
        taskkill /t /f /im "verclsid.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
      - C:\Windows\system32\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    /d /c taskkill /t /f /im "40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe" > NUL
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im "40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {1452E1A8-4B8B-4806-8EBB-ABF877FA2E1C} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe
  C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe
    C:\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:824 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1344

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Filesize
12KB

MD5
77cd718ace4be4e24c799d84f13c09a9

SHA1
29ef0bfebe822c06ff4e95f9ff40d0b2acad6264

SHA256
ba185dab9ed7bf528ab4ae61ceea5d0c774ce460a7b50b21a73c6a64ec289adc

SHA512
55d8f26a405f689e54e0d1938b8923472c4ea68cafb2217e57f3828434c45717857f7fcf87a2e5386318ea1fd50765ff9956f56fa8e54e94c313d9c88f0a99ee

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Filesize
10KB

MD5
14483e4eb3cfd262c0b6f6dafff4d291

SHA1
0d14846d029893d28ad65282f6d29c536fbe6a64

SHA256
29f03a6f2292cf06e564669e806bf3e3c52726d89891a821af09da46b6cbe517

SHA512
ad8c7ca4e79ad8fac43a390180541b47ff01049a98e6a1993b1d6f69dbfb4d485961dcc591ec19474db46ae9592250378483947711cc8dde6bfdf476f129f4c2

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url

Filesize
90B

MD5
908e6fd7d6f2d8f1c8fdf2ce0a0bf554

SHA1
9b0419dbf31a26b4542ce0b2bf901a660927be25

SHA256
19c2ea8b2c0514f4170ca5f0a310030936c04373bc4d93ceb374a8210f4dc5b0

SHA512
842de7da6f379e97bcc17254f730bda65e0958a467e77f04c5d4c59cd28f1dbb225fb42e627dc2660cda93c56818eeb06706f9c3d1f916459fc5624ac4f531b3

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs

Filesize
231B

MD5
9d8c4bfbd009c4d6001e2125abaa8b02

SHA1
cd040558172b5fca5b200447a281843956243741

SHA256
a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0

SHA512
c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f

Download Submit
C:\Users\Admin\AppData\Roaming\10.png

Filesize
361B

MD5
29fd9e419eee2efa4ef6ce493ca51a9c

SHA1
b52385209f9741de2be13b51addb893badd8f021

SHA256
fd5a21280c250817e23e66d1546608408fb2f57410b73041327f78568afdb357

SHA512
e32f2b1e8bed1f1a80bf6de9d98aeb082673d11b11a7952d4eb5e2c0355d5b95312ab5381fd89702e8bf364202f067e378d468aefb6ff879086cb60915ba5a1d

Download Submit
C:\Users\Admin\AppData\Roaming\12.gif

Filesize
210B

MD5
a22f4f8b1ba890258a463d6ffe0d8d6f

SHA1
9a36636b558548a06f00f228327930a1608e005c

SHA256
1b5876c39a3f179c58af460f890c577a5949de12e8c01b3381093688e9f8a9f5

SHA512
bffb7bbbb9a27e6f7651c7c454e4671a617ab658366ca7e208f889628a61feeda76dbec79c261ca0b2bb2969b4aacbd5b12a3f0b816252a1f228c06792f05b48

Download Submit
C:\Users\Admin\AppData\Roaming\404-12.htm

Filesize
1KB

MD5
e207c1a73e2bc89fe048f7b26951f2be

SHA1
691e8e6185377ece49ceef5e0cbf552753c5a1d9

SHA256
8b7e3683d4c21ff8416216e0749e65a15d7a8e0085d3297411fb875781599ac6

SHA512
155b599343d25484a6372c412b14eb7605a36c262cc0876536a9aec15b9fc1c9be9206c99bcfb54f507107e699795875de9c28956b7f370dc50a11fcf7f33837

Download Submit
C:\Users\Admin\AppData\Roaming\8.gif

Filesize
918B

MD5
bf2ec0f8882f07fe7854b1f2be6d68dd

SHA1
9fd4b679e70016535eaafb240157f0ac5ab69926

SHA256
f0e9c1973b0ac41e622f099e5558bea491486180e77f36b8a3dd46da27a1b82b

SHA512
ecb948398abd7e1ddb35e5f6ac42025c62fbc82ee855dd060cb55525ada0854c7aad9b239b66d3344da164564a27c114c6f43c13cd8708db7d5f97a800777258

Download Submit
C:\Users\Admin\AppData\Roaming\Add-V

Filesize
3KB

MD5
9f4ef1bd410103a52dab480c00768ded

SHA1
6d0ad55ac9ad4a3bea21b768d7acc0942a66a30d

SHA256
fb7e6a07052c2d4dae1633cc4a1ca44b32ed4a41cc7698e7cae9d25f9ba0e84d

SHA512
b4dcf4ba77d7bebb84c0cfcc701b2c6a2819c44934c87a2fd217ec0121269c505197ff58b2158bd8398b5a6dcd7a45e50c49db4388870fecd58134ad095c35b0

Download Submit
C:\Users\Admin\AppData\Roaming\Aden

Filesize
65B

MD5
688a1654783610c0da6193abeb253bd0

SHA1
e7cf72ba1170dc78546e50620e68c3c8c40ad0ee

SHA256
0db111dae5f1b0aa5d63a81d4daa3b512d0852d36dd04e455d92cafa9ea5ae79

SHA512
7c0b0c4df63ae10e32903083e5ba1fee5a6e7ff56e18f52117726357df93ffd02cc6a856f1014b79ec1af07c2c3dc2cce9c3f49694b246b139af51874def2b8a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe-CNS1-H-CID

Filesize
3KB

MD5
03016d6b79313a63773d97792ee13889

SHA1
53817df4ead0586b47b12ec3bb8af2e130f3c360

SHA256
38896b1f0903a9a577d129e2dfd3d4c2cdc174031c79c7fca943870a1538280e

SHA512
7bc24ec4b4d28a3eb260d636652e72884ca9c2022ad0d04cef08e7907828396c71ccafc8d7c3605c6b7a67784db6837209e48e498ea491aad1b149a2d6c73e15

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe-Japan1-5

Filesize
4KB

MD5
858f74b052990a76d06809c378ec0f37

SHA1
62268942d465eaff9f7374797f824493810f8c55

SHA256
7b719d81583d72f2b2857214beb78c679fb823542e78f8676951315c3e22e579

SHA512
29c7fe9213195fa4ec99d98469957a27cbb14335439dbf4b5424cceb75b7ec3dafcc9c66edafbc06dc480ac2f0dadf32851104608859b0a621249aa315cb2ca9

Download Submit
C:\Users\Admin\AppData\Roaming\Attributions.txt

Filesize
3KB

MD5
19ad62300dd66d6f479b13c40bae58e4

SHA1
c2393e348c48f9f3e6644f08473dfe22f889f9b2

SHA256
6505cb7369eb363a6dca90fd9dccfcb98bfd9eb9a1aaf586652f6e2950ff719d

SHA512
2bca333525c9892bd0cf13ec58d1786b67b1c63f1e7cfe688383fdba366ae8dede26f4bcaebce2b5c393987a9a2fef6c9cabf150ac0d0bc3f7d332c09aa3029d

Download Submit
C:\Users\Admin\AppData\Roaming\B5pc-UCS2

Filesize
2KB

MD5
3c261dd687fd42d4b97b2ed2befe5201

SHA1
1199a4a49ccc3e729fa6052e3e3ec67c78394a22

SHA256
9d80bf7d6122a3940dd8f1c7318a18598559b074a4d9d305c989c3b0edda8dc0

SHA512
59ca5885ba84f4f06ec10fb159682acf7ba3a60f7a92a6779629e40a88900eab525f6b1e4b8a02027f3746d02bac34dd2f85966a742fc159cd59b78d1840f2a2

Download Submit
C:\Users\Admin\AppData\Roaming\BinaryRank.mm

Filesize
3KB

MD5
3ca115b93327f03ab765fc92be558963

SHA1
4c71f90cbf580b85a3e04aff1cb29d3eb1edd4dc

SHA256
ec87c42b16bfa947732d7e350d18cd939b7b19790fd00f5296eb2fe425c6a298

SHA512
d6493f99f92324c25d4577ed13fbe27d4cb6602e57c70af7acc0796ed4242ddd06387d0d334e98332e1927f0c55fc5b9ab4e7ec34d73c36a0ad51d8db1103359

Download Submit
C:\Users\Admin\AppData\Roaming\Bl CG10 WmG4 CG3.ADO

Filesize
524B

MD5
02710317e2ed8cff32667d51f5b66075

SHA1
4864ad2b003b38295a26301488366d5ab02ce546

SHA256
d0807c59413e8607b26eda3f20989ce2baaa57ed387e8754e050ac64df39230b

SHA512
698f08773b1cd7702a96dd5a0fd3dc5185abe070dabdc2c2907ab9968bf39cd2ad67ffdec778997e60e3785b56d0ec288b66cfe6a37bfa0f69f2a3be962a1c83

Download Submit
C:\Users\Admin\AppData\Roaming\Brisbane

Filesize
189B

MD5
6a9e9573c09dad7780cd82a24071c34a

SHA1
95033332a849ac93d6fb01474452d3c477005ad7

SHA256
97cb53438a334f7b182229831077dc8f9018253233045d7dc1e38e9c9a0ed3fd

SHA512
510aa1f7d2e28c894d07c05b7faf1ed9ab5953a3326a8e883882150ce193e0b37fe9be7d42d7186f4e9ef12b7519e7523aaa3a4dfddd03b5723182c7fc156e6a

Download Submit
C:\Users\Admin\AppData\Roaming\CNS2-H

Filesize
4KB

MD5
1e30be4f56a3d653c0339a3882537d8c

SHA1
c9634164356dcebb7c5a31be4dd5070faabbb2e0

SHA256
4f61433506511cc669cf1a1d9748d02b30aea1e246d2b34e11672a28014226c9

SHA512
e392b00d1567757a2f01d120b3969d8f6d23a22f25c15cadff48250381e70c293a752704cb8e4dcc773d26aa087022de4fc78703c9890dc11b0677b60ae659cc

Download Submit
C:\Users\Admin\AppData\Roaming\Cambridge_Bay

Filesize
1KB

MD5
89de3d027493b9dbe3298a06fef9a89d

SHA1
3d8ac130c5dab1becabb0a17cae55c9aa42e50cd

SHA256
4d1380365eaceb6082c783f733af0ec9fd99e947c1c08c84fa6ff1d370b551ea

SHA512
d7699a070cc465d5d960bd3d712fe72f68b24bd6e6bca6e67b5a17fa9581bb0cb02d10bfca2c32949ef86c3156c08e8bacdb33f1bcf4b5b188f149fc52870829

Download Submit
C:\Users\Admin\AppData\Roaming\CommandTemplate.mws

Filesize
4KB

MD5
c3f6ff0818d66a2a3725998f5c44ffa4

SHA1
127417dc331619716ba8f3b3aa63d23d0c59c443

SHA256
fd5d297ec3edf6973d7c2cf834dd8fbd7ded61748ba82f3e259507f30eee09f3

SHA512
c69b0cf5e2f62a1b5be3137fda26d1d3c5cca810b845f2c51e8c5253297bffcabcedb845c322dd643cd467504f82569545f1c03626b0d60d59d604845722b6e9

Download Submit
C:\Users\Admin\AppData\Roaming\Errlog.txt

Filesize
2KB

MD5
1b5c9ac81d0db16bdef65bb8ed4401a1

SHA1
b45a09049cdabcdaa104e284bb457aabf9e02909

SHA256
79f8f465d0ad808a0c2bc0bd79cad80d1f2ec0e92df2a7b9d79d764bb0308535

SHA512
c2d6146fad4289a9f6b502872f102dbe7678bab74f744810845ed80d137620b3ea45b8141f2600cc557df27f3e79523df6ce8bc9fc2947798f2171034149076c

Download Submit
C:\Users\Admin\AppData\Roaming\GMT-9

Filesize
27B

MD5
3e5e7f59b78835b605d1559e9806d29d

SHA1
aee36c61c7e5ce1e95fc29fe97eda4254d00b323

SHA256
d1fc281b021228c2373cdc886f786432bc0b7d95110b2f0a6bdf8e57cf48be27

SHA512
1670b3e3dbd434a337803518b137aba604865ecd51d5e465b452e51a453288dd1b66b882f22a71f8420418c2a311906d2c6185d888cecf503c578194cacfb7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\verclsid.lnk

Filesize
1KB

MD5
8a1ef66e6530e513262ecb465cee3abc

SHA1
2ec14b5667821216939a6b2f90ddc40c92a90cc5

SHA256
c1144952377645d9643db58dde449bc306a4ca079e88ee9b8111bc13acce9c3c

SHA512
0fc2b923441915be41c490b11b22993968dfa135be45d90f282fcc6d38b085017e8625a671a5e4806b5434e6c6c0a0661526e9b0d63b4f0c3b53e410dbfe83d4

Download Submit
C:\Users\Admin\AppData\Roaming\TsarAgeratum.n

Filesize
2KB

MD5
b949801b4a01da5e1b24c3e60a60c623

SHA1
e0ef68a0a4357b6e1953fe393e48b72239a3d645

SHA256
81f8e472a9900add1fba90f34cc8dc6585cb8f485cc99c093b6a866c61c7ac75

SHA512
40631e9e934a4e70373667d904ca70fe914c6a7513a6f837f002e3f6465127e0b0d594b240ad27a2ce1160ac4b6dc9ce312023660e6b0f2bd041e761857213c6

Download Submit
C:\Users\Admin\AppData\Roaming\Votary.U

Filesize
125KB

MD5
8a490abd45832b1583172a09e94b594e

SHA1
aed810790bbd252376c9c4cc490fe3efe0a544be

SHA256
081bbad6a6379eacdefe3cdb3e81e972a4f617c9ef85a4979250df740e9449f9

SHA512
8be82ad022fc36c305b8bdac0e377da84fccac7d7aa6403f20a6dd8a429e6b12dacf43c21340105d2201b40ed4fb2c2c35500a4897f1507d355195c55ab95314

Download Submit
C:\Users\Admin\AppData\Roaming\administration.config

Filesize
4KB

MD5
ea8786a9e8c53d4136b57da721d3a530

SHA1
ee83b68c4c9f40b3d3eb4a04f61d9952d7513a0e

SHA256
85835a7c2f33dd24fd15d48f288ef0a8e07745611a08bfe6dcb9b8f547321f2c

SHA512
b7e4095ed87a7dd922a6a5afbb02acd7e4761c03645819a6c8690b56296f8839db2e355a1bb83d243a42fad4e5400a6f873f8d6caf9a1eee9c6fd86951511016

Download Submit
C:\Users\Admin\AppData\Roaming\app_updater_learn_more_body.png

Filesize
122B

MD5
71e771fa06ec34edb44eba0cb02da889

SHA1
1e233e7b302fa65ac0f506274a21a9c1e448ed93

SHA256
95d366e926a4de1471e1d987ccb9e7082f0129f10bfe184399f4bb0932f75329

SHA512
4dc2623d8aa3c472f0c25d19aeba1222768b589065c8db97c4283c4c69e34f16a704d7eb291d10d78e91d01840e5ef59f1d4a9632958d4124fc1a854b4a91454

Download Submit
C:\Users\Admin\AppData\Roaming\archive_inactive_hovered.png

Filesize
2KB

MD5
463e6fbc5660df166f0345891e5acd12

SHA1
46ea68079e196535a545b3452661d6623ddde772

SHA256
efd501cd8d5a892ab9998418b6b5c191d606ecb153a470d63ddf6904b5f79e74

SHA512
04e7935ddec6f656c8f37dbc6cf886ff96a1a6ed71f957644218e4e529383a4b53a175477e7edb8530e88219642d3af2380eaf5a0f7df7f01d16e0c4a5be3589

Download Submit
C:\Users\Admin\AppData\Roaming\backup.png

Filesize
1KB

MD5
64aecaa396767b9065694c9e1690f100

SHA1
d22cf0f5b6a733d3b9f90b9fd44ce1329c240f88

SHA256
4936240957e15e386eefd2c4a68b1179acc81f52d05a73b77b23da37b5837f36

SHA512
acdc4a39d57089bd9526cea15388b733016a156eca2fb0e2f158dece80e33dbe7209276eb82ed2552e8a66d3615bb9855a9e66827d230b6fdbaf4962e66f3036

Download Submit
C:\Users\Admin\AppData\Roaming\bg_black_body.gif

Filesize
1KB

MD5
f023181a5fedc1cbb386394ed020950a

SHA1
4376324a67b9a8ef30f8661141c9220a9c011b95

SHA256
f08f925e31080d63ee26e3475b31c6a083f05ceaa67545c682f42e47eab98fcd

SHA512
e94d30fd321b40ff01ab44a2525d0087e695edc122d88dc7fdd2efd2d757939b20668b2c6564b1a9fa5281675c7a3174551bea8eca11a1a12db55dd71387129d

Download Submit
C:\Users\Admin\AppData\Roaming\btn-next-static.png

Filesize
3KB

MD5
20418349e7f8244ea53bc174b2ff9576

SHA1
edb9087b6d85247ea0cad0060f540b0f890a80e1

SHA256
35d36d6619e249e8bf4838098fd1770c78617e3019162aaca092f8fa37c82dcb

SHA512
b12946ca17bb23403e106d561ae42d15695efde73eb4efb4099b57824c7ba0d2e331850022405f1d5da9502b568a217c06f259600cbbacc0d1c2b7210b31081f

Download Submit
C:\Users\Admin\AppData\Roaming\cell_phone.png

Filesize
3KB

MD5
fc58057fe3cb6bb2665cc42bfb09b521

SHA1
2f5e8a19f30dd689c03729bb860d1379c588f038

SHA256
0e629059c78c8881df5e2f23bf6ab9b10ffd3194a6a7301ea001eef362bc63e7

SHA512
bf6fbc3e505115c04e267bd7c268bab2aa0f7eff63869591109d7dc606d8d5b28c963aa4dbe8dd934cdf5ad6427dd9fb6058f90e4796bc9b7cbe70ee686a71f9

Download Submit
C:\Users\Admin\AppData\Roaming\changelog.txt

Filesize
762B

MD5
d11e598eb6c13a60f7e90199e2494fbc

SHA1
83b217b64256c18466c65b82db94915263452bf5

SHA256
7e092d72dd7f39541054e6f3c8de572ea385d49b9e1269f09cb7b98a185944f2

SHA512
9352d14c008933ee11434129191cdaec45919fad313397b73f64b8bc5dbeaef08b10a0198829c7a47ba6c944adb6a0120100caefa5aa6c4eec30e1b7a3e328a1

Download Submit
C:\Users\Admin\AppData\Roaming\chmod.js

Filesize
1KB

MD5
86b436eac80e09ab73167e1c19482f3f

SHA1
df618eaecc275ad751f3e45b71618655572e072f

SHA256
f317efe6072c7e4bab43485d3b2dcb2262323159d4a4fb4a41e3561f7d3c57c3

SHA512
7e5341acc76fdc0800c18b3879f9cf23e84c8291a15fbac53995cbcb353797dee26725633a45621c48c5303cb7174c92ca1ac9ec7f4067c22aa88a6d16f2a9d9

Download Submit
C:\Users\Admin\AppData\Roaming\column.count.titlepage.xml

Filesize
893B

MD5
22c26db210377294a086cab75d4bc00a

SHA1
5c68dfc95a1b449da52bc88a266f08bd80296db7

SHA256
c3b4d092156fc9faf15c74cdeee18df6b3a56e4a79a764a0bb9397a3e43ca5ae

SHA512
9a51d52a8d2f25dd8f57a2d723b22c4adc1c14fba9ba06f0809d3f8cbf2f8f85885c670f15cf1aea27eeb479888b4c7e576fbc9a572c96680956c382aa29c857

Download Submit
C:\Users\Admin\AppData\Roaming\component.label.includes.part.label.xml

Filesize
1KB

MD5
59159241399b141689dfb8bcd7a97687

SHA1
cec2775a0afc540b4593cb616b1c6ce43ea2c7c3

SHA256
94122f4fa60f0c0a794c1f48ba7739bfbbba944fb2465b1c37bcd00bad358907

SHA512
7b12619fb230871fde5649fcac0487fb082de6139234de2a57bd6c40999e93b8217b015ec081cbbc3c80cc2803f990dedefdf84d0fa40e817ff2e607adcd66ae

Download Submit
C:\Users\Admin\AppData\Roaming\computer_server_tower.png

Filesize
997B

MD5
a748c35ba3e192f03d651ab42fe84f1e

SHA1
204beec2489330c9d9268f2cc0177e8420ebe4ee

SHA256
ffad3e6a7540761f3c75ea528ca8d92131f2ac51d1c5a578d10c3b53b2e9986d

SHA512
75511d900c6481218326a759caf37d35859b016bbdae8fea70c394d1cf246fdbbab3ce3ad8c32a7b4e3d97cb80e56eb7c3ad3f1154fe16beabcb7fe01a5d43a0

Download Submit
C:\Users\Admin\AppData\Roaming\config.ini

Filesize
875B

MD5
17e0634e2e6a8f0b9f6696403e01e814

SHA1
0a9e1ef393263b73e8c97d71f0090a7393821406

SHA256
f830ad61e83dfe77cebc7a8c137b27f0fe2f8825cac69b6f6139a6ddcb99bbd2

SHA512
4a7c0080173ed0f56813747653ea4fd526f61f6115e0532232ef4aacb148129327eb8048db17590f67d761ad9cb039f6425b162810fd80c738eb5db10fd5263e

Download Submit
C:\Users\Admin\AppData\Roaming\default.image.width.xml

Filesize
1KB

MD5
fece9f6cec2b34095490bc555f487a1c

SHA1
999a2e4adf6ab823a5f29d9a5c51b57259d8c8e9

SHA256
2168dc9fc268a623fd695b25c5309e5fe1c57a826314d0c983b142d61e33620b

SHA512
f0d0399835ccc3d6ff9fe2e6e81817adfb2c0ffd7122c8d2712b95411fdd2668901c3bbc0d98cae577172f7cfb3712e71789a527b86f53c2293cad4a560cc130

Download Submit
C:\Users\Admin\AppData\Roaming\dfrg.png

Filesize
2KB

MD5
54f817239bdf35ed1f43e660ec8d2983

SHA1
928a946eb5ec5a18f5961d02c329e6e0b04aab4f

SHA256
c98cb5674c9daed32a630e6a5f981113a5cbe4670438f8d17e0015967816a729

SHA512
b0ab5f07775fd7f07a08d02eb71e0f296063303b9de697d3516837dcf79503e1762bb539c3a826cf01dcd7c05608fee8eab502abd4fbfeea048026ccd9259332

Download Submit
C:\Users\Admin\AppData\Roaming\divide.js

Filesize
167B

MD5
13194de77e275fe71787174454c05075

SHA1
93b61619180fff398e48e352f5731cb71bf88eeb

SHA256
027981c44bb087ccdd6d77f49fc930ca697dae46ed13b39b2a76d67ab8e09b62

SHA512
69ecabf405511caca1e54a3fabc024abdb0be0dfbbf25d817bc539fb65cfc298466c033c2362db811e2272ffb48e68f720c056524a9713407fbf873841175b92

Download Submit
C:\Users\Admin\AppData\Roaming\download_10.ico

Filesize
2KB

MD5
bbc88107fcf2fcde4126f104e5f66b0c

SHA1
92132d73a3e0772c0d16b0232718286f98413455

SHA256
742e4862dcdc16eed03126a18af5443a82f7c6c8aa6ec256746a674393ce1e4f

SHA512
0ecaacbd0fa861a9508361e331016decb12d4b81027a4bead298c713580c745cbaf629bf5413f7782dc072f7a828c30592fc4e540a307f4ee90fcf4f865fe547

Download Submit
C:\Users\Admin\AppData\Roaming\dsc_firewall_tile.png

Filesize
3KB

MD5
c85c3670af6502eddd74d8df7be8b76f

SHA1
dda109fd01cec883e639d1a6649806406750c676

SHA256
df449aa069ebc4d1db3be6310b74df12494a7cf60dd159e36cc025297700cba2

SHA512
0f5f9d9689e541896e253637de205419035ca28b603e2f9bdc4dd9503f4a282dadb55091b3c3a87baebdcd55c6ad196948256821581b46e165b8ee346c73bc8c

Download Submit
C:\Users\Admin\AppData\Roaming\f26.png

Filesize
1KB

MD5
31a4f57993e8039d7bc4dbd31184c397

SHA1
cec7bb8a22245eb3c0277c50fcacd27d10ebe722

SHA256
8af5c3a634d4ec1ca556d442ca1fe3cbc41401a4739758adf6af0a8743d0e0dd

SHA512
aa09075a0b7f8717976450c11ac17cab24dcc1cc118b4521c53bdecc1ccf66f1febcae92e6b55936a60e278274f4b57408a15f090e460acf74769159aefd1822

Download Submit
C:\Users\Admin\AppData\Roaming\f5.png

Filesize
1KB

MD5
277b4a2390469a4f4c28fd10c39c4864

SHA1
6956f1afc8002c28bd98b434005989ee1c4decc8

SHA256
4a92521b6f7d1f9151939fda51b664f51d9a667f036f5a686b1b18f53b755424

SHA512
cff98bbf64acac33565735bc7dac87cf4429175d73c4eff3d6d0cd874ad6fb07e69fc199cdd1fab018b9a76f24dc2ad2b7d90366c812c18b3f99f6b66624bc67

Download Submit
C:\Users\Admin\AppData\Roaming\feedback.with.ids.xml

Filesize
1KB

MD5
7559d380b6511e93a042f16dd2a2a584

SHA1
e9f829322a9a9cf45def1300ddaae73dff6afb28

SHA256
758bf26e0e33ab206a047f997e71ac83f063674cfdad52698e750c7d1557fad7

SHA512
de853c14e0955ac10bdb65c579a53363e97d2c87145d57959001316b02ed6938b62c122e100e2efadca82286c7af97e5a2fbd365d580acc5a41e7ecee201786d

Download Submit
C:\Users\Admin\AppData\Roaming\function.parens.xml

Filesize
922B

MD5
054b78215f249c0bdb4a66dc5194ff6b

SHA1
b7375a86ea0bc22a5a2033ea92eb0435e5a6c0d4

SHA256
4acce89219d39f8e1f024bd6e90f93936afc4899821cf0674548f96a80815fb9

SHA512
e59c92ff9198afa690a61d789379e6cc448156c20a673e948066dbf97446bf2f11533516d92deba0b865b8b6460b785646cab9970234aada7fda02fdac15fca8

Download Submit
C:\Users\Admin\AppData\Roaming\generate.id.attributes.xml

Filesize
2KB

MD5
9c9a95e738765fc608d7c4e76b2f35cb

SHA1
9dc240f7154d9aaf682906a987f141b3dd4be7e0

SHA256
3c33893b88336ee1a3b8371c05ce32b51010b5ec73f67af002d53ca66174534c

SHA512
aab54fde37e68017852729846f7fd77db36bd38ba20ad2991ae95c534fa85c518e1d837c308db87c88412877eb5742555f512053b537b16d032d291cc3cc01d1

Download Submit
C:\Users\Admin\AppData\Roaming\generate.revhistory.link.xml

Filesize
1KB

MD5
04c0074ce629633639a33bdc86e21c85

SHA1
64bbbcfdf5fd1b4173ad1bc4430e931d25c99da0

SHA256
35daec79a472980decb4876a27a65f47cdefb9f108c08c9c5bec46adc891064d

SHA512
0e55adf0585d1574240ab174bc9374aaa9681f20c63ef6b7bfc954c1d7e1afd68accd379b1fa2ef186ecf417e248390951a42186a52017359aebc40a88963dfc

Download Submit
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_jp.csv

Filesize
518B

MD5
124b2b68a4ebb67c538af29d59f66228

SHA1
92b4323a674644106fd5f24165e9dc277edf83be

SHA256
f2027f1449e8f6beb557a957c5856b57d981c8e229b7944ee4ffce6efe4707e4

SHA512
d2ec62e211a03f026940502c1d6a7cf73da23008746c4de5d7e13eace46f088db90b4fb71696972752e121063bc9ff8336b599a5a4c958c8e7da21dd8ee0d7bf

Download Submit
C:\Users\Admin\AppData\Roaming\green 349 bl 2.ADO

Filesize
524B

MD5
3aa186c985b906a6ec8cda0091ff2f54

SHA1
f2149771a0c1204ac7156fb8ce1f963fd11b51da

SHA256
bc610c9b6af205021efdff5ee4d1b9ad925755f109d10c94e18ca1dd816b55ff

SHA512
6c82b65b26cce8c30ec920be579d25cfe091d3e1cc37b6f3a4163afe43af051b1d94f76b63b1f5356539c80d017351c3d2027b8f78775de89da250f5cb0f3428

Download Submit
\Users\Admin\AppData\Local\Temp\nsy26D3.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\Perl.dll

Filesize
50KB

MD5
f3747b354de68c83ec083fef4d7f5105

SHA1
49702bb5aa30cb661a49fe6174734bb2b1dfeded

SHA256
37e99df1f5ffb6bf2237fa61548f9f37936cad98a3b28d2b596069d2f580bb8c

SHA512
2ba4672b3a59c13987d5aa7ac43a33045472521c14d5cf23ad92fde3ffca876f31b7e7239baba3214f39e47cd22b9b6c6581925c3007d4b31c3be14cf510ac9c

Download Submit
\Users\Admin\AppData\Roaming\{50245C20-2B3C-C8AF-5CF7-BEB8122EA60A}\verclsid.exe

Filesize
267KB

MD5
58d6f1f73af65c56b5686a8fd43462f7

SHA1
8db860773719ee42c4aff6ac811d539f0ea8c13b

SHA256
40902f482be77455af14009ca7ec71c8b1b78cc12af7d51319cc47f92387026f

SHA512
c103bcb985eb974246974d84565e5cc2962dd9221a12a0a4e0e97a742a3815a6d73314bf0771b6dd794a9306c37a400bf484b57b500aab9165add22c5b4936b9

Download Submit
memory/1428-290-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1428-289-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1944-69-0x0000000062100000-0x0000000062118000-memory.dmp

Filesize
96KB

Download
memory/1944-67-0x0000000062100000-0x0000000062118000-memory.dmp

Filesize
96KB

Download
memory/2056-285-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-212-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-203-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-204-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-205-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-207-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2056-208-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-200-0x0000000062100000-0x0000000062118000-memory.dmp

Filesize
96KB

Download
memory/2300-202-0x0000000062100000-0x0000000062118000-memory.dmp

Filesize
96KB

Download
memory/2392-287-0x0000000062100000-0x0000000062118000-memory.dmp

Filesize
96KB

Download
memory/2392-286-0x0000000062100000-0x0000000062118000-memory.dmp

Filesize
96KB

Download
memory/2696-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download