Overview

overview

10

Static

static

1

target.vbs

windows10-1703-x64

10

Analysis

  • max time kernel
    891s
  • max time network
    863s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-07-2024 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    target.vbs

  • Size

    1B

  • MD5

    7215ee9c7d9dc229d2921a40e899ec5f

  • SHA1

    b858cb282617fb0956d960215c8e84d1ccf909c6

  • SHA256

    36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

  • SHA512

    f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 19 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs regedit.exe 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
    1⤵
      PID:1900
    • C:\Windows\regedit.exe
      "C:\Windows\regedit.exe"
      1⤵
      • Runs regedit.exe
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4484
    • C:\Windows\regedit.exe
      "C:\Windows\regedit.exe" /f
      1⤵
      • Runs regedit.exe
      PID:4252
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" /danger
        2⤵
          PID:2980
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe" /danger
          2⤵
            PID:4396
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe" /danger
            2⤵
              PID:3724
            • C:\Windows\system32\taskmgr.exe
              "C:\Windows\system32\taskmgr.exe" /1
              2⤵
              • Drops file in Windows directory
              • Checks SCSI registry key(s)
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3808
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /1
                3⤵
                • Drops file in Windows directory
                • Checks SCSI registry key(s)
                • Modifies Internet Explorer settings
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:628
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  4⤵
                  • Modifies visibility of file extensions in Explorer
                  • Modifies visiblity of hidden/system files in Explorer
                  • Boot or Logon Autostart Execution: Active Setup
                  • Enumerates connected drives
                  • Drops file in Windows directory
                  • Checks SCSI registry key(s)
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3644
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EXPLORERKILLER.bat" "
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3488
                    • C:\Windows\system32\Taskmgr.exe
                      taskmgr
                      6⤵
                      • Drops file in Windows directory
                      • Checks SCSI registry key(s)
                      PID:1384
                  • C:\Windows\System32\notepad.exe
                    "C:\Windows\System32\notepad.exe"
                    5⤵
                      PID:3164
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EXPLORERKILLER.bat" "
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3600
                      • C:\Windows\system32\Taskmgr.exe
                        taskmgr
                        6⤵
                        • Drops file in Windows directory
                        • Checks SCSI registry key(s)
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:68
                        • C:\Windows\system32\notepad.exe
                          "C:\Windows\system32\notepad.exe"
                          7⤵
                            PID:1408
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EXPLORERKILLER.bat" "
                        5⤵
                          PID:4832
                          • C:\Windows\system32\taskkill.exe
                            taskkill /f /im explorer.exe
                            6⤵
                            • Kills process with taskkill
                            PID:3712
                          • C:\Windows\system32\Taskmgr.exe
                            taskmgr
                            6⤵
                            • Drops file in Windows directory
                            • Checks SCSI registry key(s)
                            PID:1948
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Enumerates connected drives
                  • Drops file in Windows directory
                  • Checks SCSI registry key(s)
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1256
                • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                  1⤵
                  • Drops file in Windows directory
                  • Enumerates system info in registry
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of SetWindowsHookEx
                  PID:4132
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious use of SetWindowsHookEx
                  PID:2976
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                  1⤵
                    PID:3432
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
                    1⤵
                      PID:8
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                      1⤵
                      • Modifies visibility of file extensions in Explorer
                      • Modifies visiblity of hidden/system files in Explorer
                      • Enumerates connected drives
                      • Drops file in Windows directory
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      • Suspicious behavior: AddClipboardFormatListener
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:4784
                      • C:\Windows\explorer.exe
                        "C:\Windows\explorer.exe" /danger
                        2⤵
                          PID:3476
                        • C:\Windows\System32\notepad.exe
                          "C:\Windows\System32\notepad.exe"
                          2⤵
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:3572
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:1996
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious behavior: AddClipboardFormatListener
                          • Suspicious use of SetWindowsHookEx
                          PID:2652
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious behavior: AddClipboardFormatListener
                          • Suspicious use of SetWindowsHookEx
                          PID:2392
                        • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                          1⤵
                          • Drops file in Windows directory
                          • Enumerates system info in registry
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:984

                        Network

                        MITRE ATT&CK Matrix ATT&CK v13

                        Initial Access

                        Execution

                        Persistence

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Active Setup

                        1
                        T1547.014

                        Privilege Escalation

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Active Setup

                        1
                        T1547.014

                        Defense Evasion

                        Hide Artifacts

                        2
                        T1564

                        Hidden Files and Directories

                        2
                        T1564.001

                        Modify Registry

                        4
                        T1112

                        Credential Access

                        Discovery

                        Query Registry

                        4
                        T1012

                        Peripheral Device Discovery

                        2
                        T1120

                        System Information Discovery

                        4
                        T1082

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Resource Development

                        Reconnaissance

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
                          Filesize

                          403KB

                          MD5

                          b4d3016a1cccde90a62b685149c832f9

                          SHA1

                          5d6c4ba3474e6544bd24343da564e90bba89f6f7

                          SHA256

                          df6afa046a72bb55e8984cf9e2870dc62112e4b81d4fef5a94c98e1c4386e373

                          SHA512

                          abf5e15b40fa03eb9390854199b9feaf0132aac756c5f07d45c81f58c8b4d909833a996a19ccfef7abb905ddb9206591b1eda49a4674bc75a7c5a9c6372590e7

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                          Filesize

                          28KB

                          MD5

                          e52d3bbe23e08bf8753ad2ace0643154

                          SHA1

                          849737bb0537adf0ab9099f48b6daa39f4c99433

                          SHA256

                          95345670a82e5776d0d4961b917f091105e2f625accdea79995e3598a1345cec

                          SHA512

                          b35351b72bf9269be2fab367fdf99a4454209ae07ba951b4fe0a6b1fd4bc4bbc93cde33c66c16a21632f4465a7ba8467848c234e1935752c5efbac28f39a955f

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri
                          Filesize

                          171KB

                          MD5

                          30ec43ce86e297c1ee42df6209f5b18f

                          SHA1

                          fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

                          SHA256

                          8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

                          SHA512

                          19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri
                          Filesize

                          2KB

                          MD5

                          b8da5aac926bbaec818b15f56bb5d7f6

                          SHA1

                          2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

                          SHA256

                          5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

                          SHA512

                          c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

                          Download Submit
                        • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MOQY2KJ2\microsoft.windows[1].xml
                          Filesize

                          719B

                          MD5

                          eed9a3c00abaf6da37eeb7f59e7b0aa5

                          SHA1

                          64e50868965a862301170dd399eed2bb7e1738dd

                          SHA256

                          18351d0dc33a95d54aab9d14bce1498043503b21d5e1fafe3ac8c644edca2625

                          SHA512

                          c5f20e5dcdd27b6c762344a53550c0fff3714136f5f57d1b2b8e6155eafd5e483568a531cd696ce54a373ba679319f1e8e0775ab2cc9328fa12ac70abec44798

                          Download Submit
                        • C:\Users\Admin\Desktop\ClearFormat.ods
                          Filesize

                          313KB

                          MD5

                          a010c0362dd5ccbcfa7940d892740ce7

                          SHA1

                          68d812c7ad140a09e8b4b375ae32debdcd9c4f17

                          SHA256

                          05a027379092eb464a90f0851883bd3711f1d6e7bdbd493a9d23c5e77cdd6d77

                          SHA512

                          b8b95c54aac8f98c65eaaca39240a925b530ec4704740175542b1d20f1e54cbc4dee2c4990a60470b90b1a0a05fb3a9627387ec98cdc96d13f92dafe98ff4769

                          Download Submit
                        • C:\Users\Admin\Desktop\CompleteRead.wmv
                          Filesize

                          452KB

                          MD5

                          5d5d3b068301e79e0e3193693bae264e

                          SHA1

                          42a4e930c865c75f48003bd10b5d2f0488952b0f

                          SHA256

                          d49e8a64677054f6423a9bca344416bba7dcc3cfe6683520abb3bbac83dd7224

                          SHA512

                          2572600a24963336c0f4f6bb46f4b655c3f6a23f516870fa214aa0f239d9cd35bd8734e0d69e79ed85653a421305380a2af0c67c4b9b7d0531cf17fff86508b3

                          Download Submit
                        • C:\Users\Admin\Desktop\ConnectOpen.xltm
                          Filesize

                          499KB

                          MD5

                          4e7e0eb64eb4ff647007fc091b3d8228

                          SHA1

                          7da1da12d8ea58f7de299a593dc5aa59885911d4

                          SHA256

                          c043c9ef911dee15eb70f430912634c5c013974fc1cf63446aafa94d8a25936c

                          SHA512

                          459a6aa4ffdf0086ad8f710b757e699e8777258abc1dfd6174e732018450823b4e3bdbf327787f7910257b6a616c0813ec535bc4c62fb35b6711669ad82eb752

                          Download Submit
                        • C:\Users\Admin\Desktop\EXPLORERKILLER.bat
                          Filesize

                          55B

                          MD5

                          eeff6d2fcc5bf3f0bdd8431e0a674ca3

                          SHA1

                          bf069d43b07e285aee087027b4e47b2ec9dac640

                          SHA256

                          208aadbb60b7883f3684a81f193e3ad2d2dbde06d512a35a31e36bf59b75d406

                          SHA512

                          d720e21a84ee27ae9983505f45a24fa1c8d48cf0c95e4d82c2669fb395cc1ef13b221d21fb060d2aa5c4a54187c7682e7ab16a838a05f6ffacc0cc21631789cf

                          Download Submit
                        • C:\Users\Admin\Desktop\EXPLORERKILLER.bat
                          Filesize

                          60B

                          MD5

                          6c23697e2d2339cd047d0beea66b0ef7

                          SHA1

                          976ab4aa1e4d5ab35b36fbb509d7bbd6d0e40be0

                          SHA256

                          ac181caa60888f29ebc102064cdead8ff9f1e537448e1ffd8997ee5d8f44d753

                          SHA512

                          436c96800011ec1b39593b8fa42f7b001a02f609a6c52f7f5ce1db1dbea25480c496b9c354607f1a11497a5a34e88c004cdf4a5d10bcc461592090111ff635c4

                          Download Submit
                        • C:\Users\Admin\Desktop\EXPLORERKILLER.bat
                          Filesize

                          60B

                          MD5

                          d78fb3777c4c69adc3914f278edcaadc

                          SHA1

                          831b5305403f7db812a627bf85e05656241c9f60

                          SHA256

                          a5457ce1fcad1853fe3230cdd6d8e0f2e41a0aa8084271d3cc207f293d6fd601

                          SHA512

                          07e768401a12282adcf4257764e2f0871414b90ca9d958dddc82e039cc98cc8dcaac70ee2dddc8eb8cbc8081c3b8cfceb1b727071fea3b2a49da5c11b571cd0a

                          Download Submit
                        • C:\Users\Admin\Desktop\EnableComplete.dotm
                          Filesize

                          615KB

                          MD5

                          cf8eaeed02f1775dbaf7ae39f1d8b6e2

                          SHA1

                          0693cb626f1850b250cd7984e75d006d9dda7c61

                          SHA256

                          4dc516d4d2626f75a75e88310f5844118877cb74f659a4c844f41fc1b9aba97e

                          SHA512

                          c89035d1ef5612ea05f9d9ae4a02436f9f361945ccb4c0988d5fb4c8702ff34a06616966640078dcee753625ed765b97ebc52f315fd1a37cbd6bd373d6211811

                          Download Submit
                        • C:\Users\Admin\Desktop\GrantGet.tiff
                          Filesize

                          661KB

                          MD5

                          a690e018fa19fde6cf8dd3a899187e82

                          SHA1

                          dd1e43ef0ca0c8e4ed6de65080b45a312a69e26d

                          SHA256

                          fc415143e299c9054e6023fd72c7d0fea4ec592dece50086b5c42f121f34f1d5

                          SHA512

                          3355c3d175162e79b372bd297acd59cc57e914aa570c8bd64b0efe8ed9754dfe379bf2cb580b54ae73867705084b4b700c871ee1e04ed3d2a818e26ea801ac4f

                          Download Submit
                        • C:\Users\Admin\Desktop\GrantUndo.ico
                          Filesize

                          592KB

                          MD5

                          9ce34be67b0ed2ac2624aab13e10935c

                          SHA1

                          5df93dfaa11d386c6161b207d282dd039f4c0a5f

                          SHA256

                          699c41fbb748aaa0d9c756a0c3b584ba8a03cc5bb14b25005e2d28792bf85923

                          SHA512

                          3b62186d9589554999d4b0d6fe7f0ef6a634132e1e4f03e93936df78271e4f5e1ce60f6c2b4ef4633601fbb2504ed5f028e510db6135fc9844429bbb5e48fa23

                          Download Submit
                        • C:\Users\Admin\Desktop\InstallBlock.asp
                          Filesize

                          243KB

                          MD5

                          1f04394922dacae1d6cac5e97de640c5

                          SHA1

                          fb91c7b4fa30ff7d01c83a7d28b2e7b782c43c95

                          SHA256

                          1bed7df4eff18fbc71e5da1009702c607aa71cad5098b05cadc8ea01d93172ad

                          SHA512

                          76016e9b4b9e8feefa24eeeb528f48bdf8e183a9f04bd9969becd6ba0fc3c52a3a10989073006600ba5aaea5fe73e09c9359d7a45b9e512da8b2b9379c37ae00

                          Download Submit
                        • C:\Users\Admin\Desktop\InstallCheckpoint.mpv2
                          Filesize

                          267KB

                          MD5

                          8aae68246b694ccec32e861807231164

                          SHA1

                          b5a5f084fd041b8e30a10f94273c7ef216367f00

                          SHA256

                          2e6daa0462c63b43ed4544d7828e9c3731a7b0b7539cc24338ce842445f6cb2a

                          SHA512

                          506bc6caab1f60303d6d2e5e3091e193fce394d977af64bfb8426d337e4eb4a077f7b0bd9ffb33aae2170c5f4f109dfc968b515a9fd28c537f872ca588239fec

                          Download Submit
                        • C:\Users\Admin\Desktop\LimitUnpublish.bin
                          Filesize

                          522KB

                          MD5

                          66880efbe11ae8c7facdae655381ecd9

                          SHA1

                          6a71410b80cf450e1fa44a0068d8df12c7969c14

                          SHA256

                          2e19b7610ccee05c0cc04ebb70a1901f6a8ebe790378ac1bb3cb2b48ab414339

                          SHA512

                          c85709d796d9606555713251772e6a5edab601e38ce02bb2ee56efb337bb49aad094aada4a5b26029d9a6a7f9af1ca0b9913d510a9865bd25aa784601bdf5d17

                          Download Submit
                        • C:\Users\Admin\Desktop\OpenConnect.ttc
                          Filesize

                          568KB

                          MD5

                          5fc5e9085f0c2eb02bbebc67bcd22830

                          SHA1

                          33b6b3a1d04b8340e78cbd3c05730054143c732d

                          SHA256

                          9b4865cf3c9db37a738ab5a07b424d3b9c3af09100958944a187fbc401178530

                          SHA512

                          0e323b6209be19f4c117a31d4d00efdc87c9b89643224df4f386aaddb7c81ad67529fe111af1b600d0bd4133ff220df3c34a25628f1ab3314fff3fb5d82671c6

                          Download Submit
                        • C:\Users\Admin\Desktop\ProtectFind.iso
                          Filesize

                          638KB

                          MD5

                          bf0a21f5297631fa956f634723b9d066

                          SHA1

                          5ac462e211bcd01b40d93fd421fe281044435106

                          SHA256

                          a81294b3d182f0b241e88f8196199a15034a9ddbe13886f48d19e6767435e6a3

                          SHA512

                          4c3c380dcb209aa1370291488c93fdbd752b2ba74b81524aa264d0ffc464d14556d551cd5ead706029d9cc4d8b4c694a715f623a892ed2f9890a2a22b0e531dd

                          Download Submit
                        • C:\Users\Admin\Desktop\ResetUnlock.search-ms
                          Filesize

                          684KB

                          MD5

                          61ad26b9384ea604722f1c00a4a7c77f

                          SHA1

                          35a2564ad696917678f9633632be0c74700ab55e

                          SHA256

                          9fd1afeff1cab226de1abd14f59768464505102a4556fbda78061b7541816d55

                          SHA512

                          6267b0038f0778103dce753015b902d1a88fe1c28d0874c52f0b385c49c9f4ad1b997ecff0566acb86323bc3c0456df93bcc6f855599f3e1ad0e452a92441715

                          Download Submit
                        • C:\Users\Admin\Desktop\SaveUse.ini
                          Filesize

                          406KB

                          MD5

                          3c21ad0b859ffc8c9d1a3969e0e06540

                          SHA1

                          2e29089525a794e05378d00594e4164fce022b0a

                          SHA256

                          eb747ce874b043e69b42bb8bd677573c1314f7c516c571dcf705699781338404

                          SHA512

                          33803d413f50695ff4db5b69451ea4e583b5aa2b942b6bcfc23355460c2eec508afca95c9a391b85ddf1ff4e9e7032470c0bcb18e436404a2386e13baa4ba195

                          Download Submit
                        • C:\Users\Admin\Desktop\SearchUnregister.raw
                          Filesize

                          429KB

                          MD5

                          c0ee76000875eeb0632d45f229448280

                          SHA1

                          7259ee6f8b957562d883983a10217c3e35acad33

                          SHA256

                          97934821f7b583d3bb192f3c24518cc97ec2adba3c1ae962d58cae051b8f0834

                          SHA512

                          947401234e877813af632bf3af6ad4965e9d50dde189c74b012ea6e45e9d5d4e95e1507f6f6f23547ae2ac75f58520223a17d005ecb501a78b3be0ea8a133d41

                          Download Submit
                        • C:\Users\Admin\Desktop\SetMove.wmf
                          Filesize

                          383KB

                          MD5

                          68c409450ff2f4b13df9eaf8e2b53af5

                          SHA1

                          d0a9939f7fa4eca76a7324a6e47ed698836a5c39

                          SHA256

                          9b1ade062d09f427e2148b9b7b4ae74bcb7c857bd48be74df967744074043108

                          SHA512

                          c0de12607e10289c3fd7b06282ed15df91996298da3282982ce63629f5f1375e033d22828e5f34ce6a30be903cbf4fba6e6b892f4069b259c4e908a176fb187b

                          Download Submit
                        • C:\Users\Admin\Desktop\TraceConvert.dll
                          Filesize

                          359KB

                          MD5

                          3bcb31539783ab4e22b93caf38fad9e8

                          SHA1

                          8205db58c89afd4018953c16cdb79d5e8f80fd9a

                          SHA256

                          cc8f9e971622619826e9fd1de315f087bebdbda5dcaf924a6b22d5c6894b0f14

                          SHA512

                          fd91b2e00ed181b0cd04d416d62622a4b548d1b91fd38414176fbbebeda7262f38653e40dbcbc8cb686eedb6db0facdf9d5c12dee789d16c17f2fd4b9e77ab23

                          Download Submit
                        • C:\Users\Admin\Desktop\UnblockAdd.mpa
                          Filesize

                          290KB

                          MD5

                          6b170abe27ccc3f377f3a796874a8946

                          SHA1

                          7226c28fcd2d5c8e5865eaa157dd11a2a74a908f

                          SHA256

                          8c0a43ac17c4cb2faba4731be1c70a4db519a74d95f05c482d590101b5c5f7ee

                          SHA512

                          d078c2f90e58a64f91d3cda8450cb7a59471cde8957fa7b2f9db23425537862d14c4e08a48f2bef62635026c8ac4a837b7b0a8e28aebd8277f963e0c23c151c0

                          Download Submit
                        • C:\Users\Admin\Desktop\UnblockMerge.cr2
                          Filesize

                          545KB

                          MD5

                          44b583962be98d490fc19996f6c95bbc

                          SHA1

                          61892e3258577740adfcb0fc0faa6b94794cdfd8

                          SHA256

                          326d297f6719f1cc9cced3efb352df6f6035c585b2215da6675e720e4d9b42f0

                          SHA512

                          db4590d50a745bd19182a4f65edce2cb78b8345db2fe38eeb83282f6e233fc93993efe851e4a91eb18ffe526f115031930276cb0fd4b6c2125200f41e28f5a6e

                          Download Submit
                        • C:\Users\Admin\Desktop\WaitConnect.ps1
                          Filesize

                          336KB

                          MD5

                          63e40e879999d1703c83dfbcd08a4fde

                          SHA1

                          757b16a0328f47d704dccdc8f3fa0b67596b35a4

                          SHA256

                          d493b02448eccba5a93750c9404f661e9777aefdf73b78c2a57ae4e7a17e0369

                          SHA512

                          d763499745a6d6b9c6920b4eca6a53455688561ce79888ecd76be61cc1fb08dae388190c6e5bf020908670553b0ade0b7bc95c8975418c2cfd6e0ae33614cf74

                          Download Submit
                        • C:\Users\Admin\Desktop\WriteLock.lnk
                          Filesize

                          952KB

                          MD5

                          9d390dc1540c22d6dbad205368d470bb

                          SHA1

                          4bb9b1fb6058eaf03191f60c3b49030b10cf1cfe

                          SHA256

                          80ae288e57ae8f842694982a506bc6e54e49dda47caf94eec49b1ca89952eb81

                          SHA512

                          6b0af04b11d314955b9aca9cbaeb2e396b537d944f0d921e126f34f06308767b1efaa4c5dfa921eae640b114d07d6a8b92394c97605bd0ebc5e613043f6f7f48

                          Download Submit
                        • C:\Users\Admin\Desktop\WriteTest.mp4v
                          Filesize

                          476KB

                          MD5

                          93f50830262148fac7536ae6707804d2

                          SHA1

                          7bf9f8c73ac6e86b21f2ed088fac5b26c260bf15

                          SHA256

                          7b81df12a4d53e36b8dfbc282b680ca1026e21a0973d54e8bb4bbdcfbdefab93

                          SHA512

                          65bb5c6a1d3faba3dcb4f48a7e7d27d456da08fba018937667171a6b4f2301112d24c81410dc7c85fc26504ab38f991cf2aa592de282d43e04d0a7a8dae9365d

                          Download Submit
                        • \??\PIPE\wkssvc
                          MD5

                          d41d8cd98f00b204e9800998ecf8427e

                          SHA1

                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                          SHA256

                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                          SHA512

                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                          Download Submit
                        • memory/984-104-0x0000017DBA100000-0x0000017DBA200000-memory.dmp
                          Filesize

                          1024KB

                          Download
                        • memory/984-105-0x0000017DBA100000-0x0000017DBA200000-memory.dmp
                          Filesize

                          1024KB

                          Download
                        • memory/984-129-0x0000017DBA6E0000-0x0000017DBA700000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/1256-28-0x0000000002F90000-0x0000000002F91000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3644-224-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-211-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-171-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-174-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-179-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-178-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-177-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-176-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-182-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-189-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-188-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-187-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-191-0x0000000005F50000-0x0000000005F60000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-186-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-185-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-201-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-203-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-202-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-204-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-205-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-206-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-207-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-208-0x0000000005F50000-0x0000000005F60000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-209-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-214-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-213-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-212-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-169-0x0000000005F50000-0x0000000005F60000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-210-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-217-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-223-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-222-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-102-0x0000000002670000-0x0000000002671000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3644-221-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-220-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-227-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-228-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-229-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-230-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-232-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-231-0x0000000005F50000-0x0000000005F60000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-235-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-239-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-238-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-237-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-236-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-242-0x0000000005F50000-0x0000000005F60000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-243-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-251-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-254-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-253-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-250-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/3644-252-0x0000000005FC0000-0x0000000005FD0000-memory.dmp
                          Filesize

                          64KB

                          Download
                        • memory/4132-55-0x000001A422A40000-0x000001A422A60000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4132-35-0x000001A422720000-0x000001A422740000-memory.dmp
                          Filesize

                          128KB

                          Download
                        • memory/4132-30-0x000001A422200000-0x000001A422300000-memory.dmp
                          Filesize

                          1024KB

                          Download