5d0aca12e18047ebf796d6f50a96b4b6d335ffe1df936b2f4ab2c9ba409737a7

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WinCry.exe
Size

25.0MB
MD5

2f3f0fbdb7edd5bb5dd55f2a659163d6
SHA1

b81b8f1a9425639335a8f540a6dd107523fe1fe7
SHA256

5d0aca12e18047ebf796d6f50a96b4b6d335ffe1df936b2f4ab2c9ba409737a7
SHA512

61f6a252a4b3d55cab534727a6a6efa0e7620b7bcde1990968870dca74b991e9a8bda3a1177e95a9fff1498d24bd93c1f4b50409d9bec96aad441647ccd3e325
SSDEEP

393216:oomWVe3DAnGKZKuNK0SvAn9kaK6gaaNRZbC:ooLW0UoWB6g5NRZbC

Score

10^/10

defense_evasion discovery evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinCry.exe

Modifies boot configuration data using bcdedit 1 TTPs 11 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2076	bcdedit.exe
624	bcdedit.exe
1948	bcdedit.exe
904	bcdedit.exe
1936	bcdedit.exe
1616	bcdedit.exe
2056	bcdedit.exe
2140	bcdedit.exe
2500	bcdedit.exe
2696	bcdedit.exe
2720	bcdedit.exe

Executes dropped EXE 4 IoCs

pid	Process
2228	vcredist2010_x86.exe
2920	Setup.exe
1376	PСSLC_Service.exe
1612	SetTimerResolutionService.exe

Loads dropped DLL 64 IoCs

pid	Process
2228	vcredist2010_x86.exe
2920	Setup.exe
2920	Setup.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1276	msiexec.exe
1612	SetTimerResolutionService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auto Temp Cleaner = "\"C:\\\\Windows\\TempCleaner.exe\""	WinCry.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinCry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinCry.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2656	cmd.exe
2644	powercfg.exe
2408	cmd.exe
568	powercfg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\SysWOW64\mfc100enu.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100deu.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100jpn.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\atl100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\msvcr100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100u.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100chs.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100ita.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100kor.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100rus.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfcm100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfcm100u.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100esn.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\vcomp100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100cht.dll	msiexec.exe
File opened for modification	\??\c:\Windows\SysWOW64\mfc100fra.dll	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\Installer\f76e1fa.msp	msiexec.exe
File created	C:\Windows\PСSLC.Core.dll	WinCry.exe
File created	C:\Windows\PСSLC_Service.exe	WinCry.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.InstallLog	InstallUtil.exe
File created	C:\Windows\blank.ico	WinCry.exe
File created	\??\c:\Windows\Installer\f76e1f8.ipi	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File created	\??\c:\Windows\Installer\f76e1fa.msp	msiexec.exe
File created	C:\Windows\TempCleaner.exe	WinCry.exe
File opened for modification	C:\Windows\PСSLC_Service.InstallLog	InstallUtil.exe
File opened for modification	\??\c:\Windows\Installer\f76e1fd.ipi	msiexec.exe
File created	C:\Windows\PСSLC_Service.InstallState	InstallUtil.exe
File opened for modification	C:\Windows\Installer\MSIE466.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\f76e1f8.ipi	msiexec.exe
File created	\??\c:\Windows\Installer\f76e1fd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE765.tmp	msiexec.exe
File created	C:\Windows\SetTimerResolutionService.exe	WinCry.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240802003546.cab	makecab.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2888	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2010_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies Control Panel 13 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Accessibility\ToggleKeys\Flags = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\MenuShowDelay = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\HungAppTimeout = "1000"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Mouse\MouseHoverTime = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\AutoEndTasks = "1"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Mouse\MouseThreshold2 = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Accessibility\StickyKeys\Flags = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Accessibility\Keyboard Response\Flags = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Accessibility\MouseKeys\Flags = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WaitToKillAppTimeout = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Mouse\MouseSpeed = "0"	WinCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Mouse\MouseThreshold1 = "0"	WinCry.exe

Modifies File Icons 1 IoCs

ransomware

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	WinCry.exe

Modifies Shortcut Icons 1 IoCs

Modifies/removes arrow indicator from shortcut icons.

ransomware

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "%windir%\\blank.ico,0"	WinCry.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2524860 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches\2D0058F6F08A743309184BE1178C95B2 = ":SP1.1;:#SP1.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList\Net\2 = "c:\\66581948defb2530a2861fbe94e421\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\FT_VCRedist_x86_KB2565063_Detection	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2544655 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2549743 = "Servicing_Key"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\Net\2 = "c:\\66581948defb2530a2861fbe94e421\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2565063 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\VCRedist_x86_enu	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\ProductName = "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Version = "167812379"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\LastUsedSource = "n;2;c:\\66581948defb2530a2861fbe94e421\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList\LastUsedSource = "n;2;c:\\66581948defb2530a2861fbe94e421\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches\Patches = 3200440030003000350038004600360046003000380041003700340033003300300039003100380034004200450031003100370038004300390035004200320000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A	msiexec.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2228	vcredist2010_x86.exe
1612	SetTimerResolutionService.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe
1644	WinCry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2644	powercfg.exe
Token: SeShutdownPrivilege	568	powercfg.exe
Token: SeDebugPrivilege	1644	WinCry.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2920	Setup.exe
Token: SeIncreaseQuotaPrivilege	2920	Setup.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeSecurityPrivilege	1276	msiexec.exe
Token: SeCreateTokenPrivilege	2920	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2920	Setup.exe
Token: SeLockMemoryPrivilege	2920	Setup.exe
Token: SeIncreaseQuotaPrivilege	2920	Setup.exe
Token: SeMachineAccountPrivilege	2920	Setup.exe
Token: SeTcbPrivilege	2920	Setup.exe
Token: SeSecurityPrivilege	2920	Setup.exe
Token: SeTakeOwnershipPrivilege	2920	Setup.exe
Token: SeLoadDriverPrivilege	2920	Setup.exe
Token: SeSystemProfilePrivilege	2920	Setup.exe
Token: SeSystemtimePrivilege	2920	Setup.exe
Token: SeProfSingleProcessPrivilege	2920	Setup.exe
Token: SeIncBasePriorityPrivilege	2920	Setup.exe
Token: SeCreatePagefilePrivilege	2920	Setup.exe
Token: SeCreatePermanentPrivilege	2920	Setup.exe
Token: SeBackupPrivilege	2920	Setup.exe
Token: SeRestorePrivilege	2920	Setup.exe
Token: SeShutdownPrivilege	2920	Setup.exe
Token: SeDebugPrivilege	2920	Setup.exe
Token: SeAuditPrivilege	2920	Setup.exe
Token: SeSystemEnvironmentPrivilege	2920	Setup.exe
Token: SeChangeNotifyPrivilege	2920	Setup.exe
Token: SeRemoteShutdownPrivilege	2920	Setup.exe
Token: SeUndockPrivilege	2920	Setup.exe
Token: SeSyncAgentPrivilege	2920	Setup.exe
Token: SeEnableDelegationPrivilege	2920	Setup.exe
Token: SeManageVolumePrivilege	2920	Setup.exe
Token: SeImpersonatePrivilege	2920	Setup.exe
Token: SeCreateGlobalPrivilege	2920	Setup.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeShutdownPrivilege	2920	Setup.exe
Token: SeIncreaseQuotaPrivilege	2920	Setup.exe
Token: SeCreateTokenPrivilege	2920	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2920	Setup.exe
Token: SeLockMemoryPrivilege	2920	Setup.exe
Token: SeIncreaseQuotaPrivilege	2920	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1644	WinCry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2720	1644	WinCry.exe	31
PID 1644 wrote to memory of 2720	1644	WinCry.exe	31
PID 1644 wrote to memory of 2720	1644	WinCry.exe	31
PID 2720 wrote to memory of 2888	2720	cmd.exe	33
PID 2720 wrote to memory of 2888	2720	cmd.exe	33
PID 2720 wrote to memory of 2888	2720	cmd.exe	33
PID 1644 wrote to memory of 2704	1644	WinCry.exe	34
PID 1644 wrote to memory of 2704	1644	WinCry.exe	34
PID 1644 wrote to memory of 2704	1644	WinCry.exe	34
PID 2704 wrote to memory of 2620	2704	cmd.exe	36
PID 2704 wrote to memory of 2620	2704	cmd.exe	36
PID 2704 wrote to memory of 2620	2704	cmd.exe	36
PID 2620 wrote to memory of 2948	2620	net.exe	37
PID 2620 wrote to memory of 2948	2620	net.exe	37
PID 2620 wrote to memory of 2948	2620	net.exe	37
PID 1644 wrote to memory of 2604	1644	WinCry.exe	39
PID 1644 wrote to memory of 2604	1644	WinCry.exe	39
PID 1644 wrote to memory of 2604	1644	WinCry.exe	39
PID 1644 wrote to memory of 2656	1644	WinCry.exe	41
PID 1644 wrote to memory of 2656	1644	WinCry.exe	41
PID 1644 wrote to memory of 2656	1644	WinCry.exe	41
PID 2656 wrote to memory of 2644	2656	cmd.exe	43
PID 2656 wrote to memory of 2644	2656	cmd.exe	43
PID 2656 wrote to memory of 2644	2656	cmd.exe	43
PID 2604 wrote to memory of 2228	2604	cmd.exe	44
PID 2604 wrote to memory of 2228	2604	cmd.exe	44
PID 2604 wrote to memory of 2228	2604	cmd.exe	44
PID 2604 wrote to memory of 2228	2604	cmd.exe	44
PID 2604 wrote to memory of 2228	2604	cmd.exe	44
PID 2604 wrote to memory of 2228	2604	cmd.exe	44
PID 2604 wrote to memory of 2228	2604	cmd.exe	44
PID 1644 wrote to memory of 2408	1644	WinCry.exe	45
PID 1644 wrote to memory of 2408	1644	WinCry.exe	45
PID 1644 wrote to memory of 2408	1644	WinCry.exe	45
PID 2408 wrote to memory of 568	2408	cmd.exe	47
PID 2408 wrote to memory of 568	2408	cmd.exe	47
PID 2408 wrote to memory of 568	2408	cmd.exe	47
PID 1644 wrote to memory of 2844	1644	WinCry.exe	51
PID 1644 wrote to memory of 2844	1644	WinCry.exe	51
PID 1644 wrote to memory of 2844	1644	WinCry.exe	51
PID 2844 wrote to memory of 2204	2844	cmd.exe	54
PID 2844 wrote to memory of 2204	2844	cmd.exe	54
PID 2844 wrote to memory of 2204	2844	cmd.exe	54
PID 2228 wrote to memory of 2920	2228	vcredist2010_x86.exe	52
PID 2228 wrote to memory of 2920	2228	vcredist2010_x86.exe	52
PID 2228 wrote to memory of 2920	2228	vcredist2010_x86.exe	52
PID 2228 wrote to memory of 2920	2228	vcredist2010_x86.exe	52
PID 2228 wrote to memory of 2920	2228	vcredist2010_x86.exe	52
PID 2228 wrote to memory of 2920	2228	vcredist2010_x86.exe	52
PID 2228 wrote to memory of 2920	2228	vcredist2010_x86.exe	52
PID 1644 wrote to memory of 2312	1644	WinCry.exe	56
PID 1644 wrote to memory of 2312	1644	WinCry.exe	56
PID 1644 wrote to memory of 2312	1644	WinCry.exe	56
PID 2312 wrote to memory of 2076	2312	cmd.exe	58
PID 2312 wrote to memory of 2076	2312	cmd.exe	58
PID 2312 wrote to memory of 2076	2312	cmd.exe	58
PID 1644 wrote to memory of 2688	1644	WinCry.exe	59
PID 1644 wrote to memory of 2688	1644	WinCry.exe	59
PID 1644 wrote to memory of 2688	1644	WinCry.exe	59
PID 2688 wrote to memory of 624	2688	cmd.exe	61
PID 2688 wrote to memory of 624	2688	cmd.exe	61
PID 2688 wrote to memory of 624	2688	cmd.exe	61
PID 1644 wrote to memory of 2052	1644	WinCry.exe	62
PID 1644 wrote to memory of 2052	1644	WinCry.exe	62

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinCry.exe

C:\Users\Admin\AppData\Local\Temp\WinCry.exe
"C:\Users\Admin\AppData\Local\Temp\WinCry.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies Control Panel
- Modifies File Icons
- Modifies Shortcut Icons
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config TrustedInstaller start= demand
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\sc.exe
    sc config TrustedInstaller start= demand
    3⤵
    - Launches sc.exe
    PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\net.exe
    net stop "wuauserv"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wuauserv"
      4⤵
      PID:2948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /wait "" "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.exe" /q /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.exe
    "C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.exe" /q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - \??\c:\66581948defb2530a2861fbe94e421\Setup.exe
      c:\66581948defb2530a2861fbe94e421\Setup.exe /q /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powercfg -import "C:\Users\Admin\AppData\Local\Temp\PCDuke_Scheme.pow" 77777777-7777-7777-7777-777777777777
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\powercfg.exe
    powercfg -import "C:\Users\Admin\AppData\Local\Temp\PCDuke_Scheme.pow" 77777777-7777-7777-7777-777777777777
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powercfg -setactive 77777777-7777-7777-7777-777777777777
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\powercfg.exe
    powercfg -setactive 77777777-7777-7777-7777-777777777777
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319 & InstallUtil.exe C:\Windows\PСSLC_Service.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    InstallUtil.exe C:\Windows\PСSLC_Service.exe
    3⤵
    - Drops file in Windows directory
    PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set hypervisorlaunchtype off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set tpmbootentropy ForceDisable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set tpmbootentropy ForceDisable
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /timeout 0
  2⤵
  PID:2052
- - C:\Windows\system32\bcdedit.exe
    bcdedit /timeout 0
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set bootux disabled
  2⤵
  PID:2476
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set bootux disabled
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set quietboot yes
  2⤵
  PID:1516
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set quietboot yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {globalsettings} custom:16000067 true
  2⤵
  PID:2352
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {globalsettings} custom:16000067 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {globalsettings} custom:16000068 true
  2⤵
  PID:2976
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {globalsettings} custom:16000068 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {globalsettings} custom:16000069 true
  2⤵
  PID:628
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {globalsettings} custom:16000069 true
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName "DirectPlay" -All
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx temp "C:\Temp"
  2⤵
  PID:2300
- - C:\Windows\system32\setx.exe
    setx temp "C:\Temp"
    3⤵
    PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx /m temp "C:\Temp"
  2⤵
  PID:2932
- - C:\Windows\system32\setx.exe
    setx /m temp "C:\Temp"
    3⤵
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx tmp "C:\Temp"
  2⤵
  PID:2588
- - C:\Windows\system32\setx.exe
    setx tmp "C:\Temp"
    3⤵
    PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx /m tmp "C:\Temp"
  2⤵
  PID:1728
- - C:\Windows\system32\setx.exe
    setx /m tmp "C:\Temp"
    3⤵
    PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx temp "C:\\Windows\Temp"
  2⤵
  PID:704
- - C:\Windows\system32\setx.exe
    setx temp "C:\\Windows\Temp"
    3⤵
    PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx /m temp "C:\\Windows\Temp"
  2⤵
  PID:536
- - C:\Windows\system32\setx.exe
    setx /m temp "C:\\Windows\Temp"
    3⤵
    PID:780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx tmp "C:\\Windows\Temp"
  2⤵
  PID:1944
- - C:\Windows\system32\setx.exe
    setx tmp "C:\\Windows\Temp"
    3⤵
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setx /m tmp "C:\\Windows\Temp"
  2⤵
  PID:1432
- - C:\Windows\system32\setx.exe
    setx /m tmp "C:\\Windows\Temp"
    3⤵
    PID:1028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Temp"
  2⤵
  PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Temp"
  2⤵
  PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Temp"
  2⤵
  PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rmdir /s /q "C:\Temp"
  2⤵
  PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\SetTimerResolutionService -install
  2⤵
  PID:2524
- - C:\Windows\SetTimerResolutionService.exe
    C:\Windows\SetTimerResolutionService -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /deletevalue useplatformclock
  2⤵
  PID:2136
- - C:\Windows\system32\bcdedit.exe
    bcdedit /deletevalue useplatformclock
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /deletevalue tscsyncpolicy
  2⤵
  PID:2856
- - C:\Windows\system32\bcdedit.exe
    bcdedit /deletevalue tscsyncpolicy
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set disabledynamictick yes
  2⤵
  PID:2788
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set disabledynamictick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2720

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240802003546.log C:\Windows\Logs\CBS\CbsPersist_20240802003546.cab
1⤵
- Drops file in Windows directory
PID:1412

C:\Windows\PСSLC_Service.exe
"C:\Windows\PСSLC_Service.exe"
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2800

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e1f9.rbs

Filesize
4KB

MD5
6736954cdfa21a8f36a7d37f8ed33421

SHA1
0587e26b4c8b1c7cb2151912721400d0436a521f

SHA256
0308c8b0c8b3d6d827ba8ae8a3168f0e497c68882d1cb8dc26068a9bdddcd24a

SHA512
b010e3b63bbe1c13669c2f96a09fa1951622378292984fc95ae2120d8c882b88f5aadc0b1fd39d960c38501530b5b9d0e22d10d90cf06fafb52c6b8dddf73014

Download Submit
C:\Config.Msi\f76e1fe.rbs

Filesize
29KB

MD5
34a8873518675c3e062ff9e60f082f74

SHA1
2e3a0c5d33c04168590294bf0d94d8cec0cd6a81

SHA256
b0b1074e40576f84e39fbbd7acd7863c5af83c6d70379b671c54f1a8a623fb4f

SHA512
0949c33dab04c1472d0bda5af3893f0aaf36643a4d0aed6d09676e799c28d5db9740b2228352f8dde433a73338db30f24fe366aecec7596c46d4cc9903e9f11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIDA88.tmp.html

Filesize
16KB

MD5
f426e58a2b4d596bb6efad0d84ab079d

SHA1
e85cfe9795c504fa343a3b560a526e64e0395b66

SHA256
cab4c8629031fafe19d941daed49e39f68261801049fe434ba7ad98072153abd

SHA512
ab648e78c1b74ec2f0842dad5e333ada9ca38b3bc631890adfa16e8d807462316e63aa8c32b0377ac2fcabd0d69588dca8babf976b95277b05e3c1c268906cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240802_003547816-MSI_vc_red.msi.txt

Filesize
1KB

MD5
37047961afa97d27a2b62e710c7f2d26

SHA1
dbe3c65c7e082710a3c5e7f1b5e35a7691d4f438

SHA256
e182ecc6aa48672a428519f2e5c755ecf91c8635dfc731d9245238272db94cef

SHA512
dd3e1cab01ac81c213fb3b1eb64c03848d7167c36d14244d71405450574ea127349a0e77d5caa1be489277c3bd3d036bc5e2c2b246cec6f7ddfebf52d304392e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240802_003547816-Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219-MSP0.txt

Filesize
1KB

MD5
79f55bb21d3ba7fcea58f7a69093e79b

SHA1
340fd94372a29aff1dafc0296f237a3930ce5145

SHA256
cf65e05ed1bd3324c15c66d63badbbb279b77509c0e51e41d5594b348919bef9

SHA512
e393b254b1ed10b081d1a451ed61cc0a8e2522cc3b08ce0b29113dcbb67381592bac009181caac5ca1910dcaf3416fb319740e898bc5d98c0470a0f6fcab2b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist2010_x86.exe

Filesize
8.6MB

MD5
1801436936e64598bab5b87b37dc7f87

SHA1
28c54491be70c38c97849c3d8cfbfdd0d3c515cb

SHA256
67313b3d1bc86e83091e8de22981f14968f1a7fb12eb7ad467754c40cd94cc3d

SHA512
0b8f20b0f171f49eb49367f1aafa7101e1575ef055d7007197c21ab8fe8d75a966569444449858c31bd147357d2bf5a5bd623fe6c4dbabdc7d16999b3256ab8c

Download Submit
C:\Windows\PСSLC.Core.dll

Filesize
17KB

MD5
056f62d3e6802cb5d5d5c0f15f4d0853

SHA1
39de652cffa4a0bbb7deda8a9db75edf786d4d41

SHA256
0fc412ce4fa05a993b694665ca760b07ff17d4544c3f67331ea08c8d37481583

SHA512
06be4436a1d147661d8a8dabf6b6cea526ddd323e6acc87b55a60ec0f1b8b29aa908bfcf2257b95b8c364edfec72196fdd770afaeae134e67ce621bdff7752a0

Download Submit
C:\Windows\PСSLC_Service.exe

Filesize
142KB

MD5
79826972050a7445d6a27eeea6893f53

SHA1
63881f73eb5eaa5638d35847381c5c882ef064ab

SHA256
61b3587e6fe2cf22cf0321da403e49300cb385264589bc7d3029976ad9c7eac0

SHA512
cd3c6db07c2e7a17d5cc35e1c25e04e511b2e6ce328755de18f448590f2b8f44740480014b80efb824fb35e907848eaca9ae8e61055608efd722be341b337767

Download Submit
\66581948defb2530a2861fbe94e421\Setup.exe

Filesize
76KB

MD5
2af2c1a78542975b12282aca4300d515

SHA1
3216c853ed82e41dfbeb6ca48855fdcd41478507

SHA256
531eb45798728cb741043b28b8c1a4f75536dc75f92d100f55f9109d2d63f0d7

SHA512
4a70bd4b542f6001e46f827f341676c34af1ea216c50ad981dd04f547cd67f73aaa420fcbed379dc05dab199bf5ba00d899c49ff75da577613209f96226227eb

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1028\LocalizedData.xml

Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1031\LocalizedData.xml

Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1033\LocalizedData.xml

Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1036\LocalizedData.xml

Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1040\LocalizedData.xml

Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1041\LocalizedData.xml

Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1042\LocalizedData.xml

Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\1049\LocalizedData.xml

Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\2052\LocalizedData.xml

Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\3082\LocalizedData.xml

Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\ParameterInfo.xml

Filesize
21KB

MD5
13f8768c289476fdd103ff689d73cd2d

SHA1
ddebcecc02c6b1b996423d62d0def8760f031f58

SHA256
4eae293ca91b31aaa206e5a1c655714f0fe84e39f9331cb759d2236cdb915523

SHA512
c72998f30ebff8f4a757248639cf0351d03f5502be475b4cb8f02b09ad800dbbe2f9a82c7d9bde6d7bd748e0ee6e61b86e369192773fe726421a564e793a0139

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\SetupEngine.dll

Filesize
789KB

MD5
63e7901d4fa7ac7766076720272060d0

SHA1
72dec0e4e12255d98ccd49937923c7b5590bbfac

SHA256
a5116ccb17b242713e5645c2374abf5827c0d2752b31553e3540c9123812e952

SHA512
de2e63bc090121484191cbf23194361d761b01c0fd332f35f0dfdfd0b11431b529e5c7f542031a0e7e26f31497d94b8baacfbf1c84c6493e66ac2ab76c11d0a0

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\UiInfo.xml

Filesize
35KB

MD5
4f90fcef3836f5fc49426ad9938a1c60

SHA1
89eba3b81982d5d5c457ffa7a7096284a10de64a

SHA256
66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b

SHA512
4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\msp_kb2565063.msp

Filesize
3.8MB

MD5
9843dc93ea948cddc1f480e53bb80c2f

SHA1
d6ec9db8b8802ec85dd0b793565401b67ad8e5e0

SHA256
7c969fcda6ef09d2eb7bbbc8d81795eb60c9c69ed835fd16538369ad0a6e0f10

SHA512
79008cfdd8ae1ea27675588e7ba8123d08ce14047e5f167b3b5f6fbcdadeb45515bd72e18e59abf632ecbfbb42243fbcbebe4cbe0ed6ba195d0b2ca6d88676f9

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\vc_red.cab

Filesize
4.0MB

MD5
c580a38f1a1a7d838076a1b897c37011

SHA1
c689488077d1c21820797707078af826ea676b70

SHA256
71c0acc75eecdf39051819dc7c26503583f6be6c43ab2c320853de15bece9978

SHA512
ea3a62bd312f1ddeebe5e3c7911eb3a73bc3ee184abb7e9b55bc962214f50bbf05d2499caf151d0bd00735e2021fbea9584bf3e868a1d4502b75ec3b62c7ff56

Download Submit
\??\c:\66581948defb2530a2861fbe94e421\vc_red.msi

Filesize
160KB

MD5
3ff9acea77afc124be8454269bb7143f

SHA1
8dd6ecab8576245cd6c8617c24e019325a3b2bdc

SHA256
9ecf3980b29c6aa20067f9f45c64b45ad310a3d83606cd9667895ad35f106e66

SHA512
8d51f692747cfdd59fc839918a34d2b6cbbb510c90dea83ba936b3f5f39ee4cbd48f6bb7e35ed9e0945bf724d682812532191d91c8f3c2adb6ff80a8df89ff7a

Download Submit
\Windows\SysWOW64\mfc100chs.dll

Filesize
35KB

MD5
c086a0aa8c39cb2ea09ea967d433733e

SHA1
b5139ed7a2af76ad71c1ed3625543c0c98256984

SHA256
21688ed8de2a5c9e95e25e750bd6d8a7bc5446172dae69af9df96feda022fc7e

SHA512
eaf03cf10669dd289e108370a6de7484acb0f59389eca6da907d579767de919b08a6388e635e06bb3d222dc4d9303f964634a6b8820572e796279063d192e926

Download Submit
\Windows\SysWOW64\mfc100cht.dll

Filesize
35KB

MD5
44ee19cb7dd5e5fd95c77fe9364de004

SHA1
9dde4a75e2344932f4a91d8ef9656203c2b3b655

SHA256
254e83fad56aa1a1cba3d5e0fc32509fee82482f210e238e81f7d8b117a69b8c

SHA512
2c636abf08d44eedf452edf02bf4243e76e14bb95e8a24012787ddffcce69c1d7fc4be98c4b5cd70532fe8420882e1ade228900c5f36669fdd90fe0383dde6af

Download Submit
\Windows\SysWOW64\mfc100deu.dll

Filesize
62KB

MD5
eca6624efebbe2c0c320ac942620c404

SHA1
acbeb473088cac5887e9d9823a00570a102a8705

SHA256
2bf46f1536ce621801fc621fabbe59f32ad856aa8ae085eb6e4469885c171da3

SHA512
860e7c994091418177dedc7d4e935985de0ceadc4eebb569d9e38024478daa78e621b57e722195915183c4e1935efd98c08e1e4c8cb2e7c47306ebfc097f49ad

Download Submit
\Windows\SysWOW64\mfc100enu.dll

Filesize
53KB

MD5
2a2c442f00b45e01d4c882eea69a01bc

SHA1
85145f0f784d3a4efa569deb77b54308a1a21b92

SHA256
d71db839de0bc1fcc01a125d57ced2aaea3f444a992426c316ce18c267c33a8c

SHA512
f18d9019eee843d707aa307714a15207be2ded2eceab518599fbed8a3826a1a56f815fe75fb37f36c93be13f3d90e025f790db6b3ba413bfd5cd040b2cc7dbf7

Download Submit
\Windows\SysWOW64\mfc100esn.dll

Filesize
62KB

MD5
b4e91c857c886c8731f7969d9a85665d

SHA1
a639781b1dc2c7bdd855be37fbb39b55ad5b734a

SHA256
7f3e218c1bf7bb0f00885afec8ed60c8edd48a73622feb2fce7cb282af1be900

SHA512
fbb841339b216fb677ddf798d004503a1c0c8a60d17edd502d2a893985cefba8b13febc594dcaa0ed9df823fbced0367d8c1074d7025e6bf6e6d4ec5cd1b2648

Download Submit
\Windows\SysWOW64\mfc100fra.dll

Filesize
62KB

MD5
bb21453c6707a7b5dd9f727ed375f284

SHA1
56e7a1011221b87af1b1ea766114161fb5dd4a3a

SHA256
8630d9b71a04bfcad5ed15c11cbf88f2de42abfa458bc66963e6d0d207dc01c8

SHA512
c74bbfcd5c407fa1d8189f1805e12e2261268059c3f4d7ee5d5492811d161906b27e9623be55649504b2888f3aae0ad98038f420c1969cb6693328c78ec6b1c8

Download Submit
\Windows\SysWOW64\mfc100ita.dll

Filesize
60KB

MD5
a99884aeac9c704600c6f5a44b3f7694

SHA1
1d65b58014f1ecffa3e8affa4b21ab4466732d9e

SHA256
54c711b8ec19ab39c881ba16af97dff6d1cd74c1e2fe6ff50ec51c466015aa6c

SHA512
dd2f6113b0d879c3699c97db42fbef03413dfccac9772596ace7fed5850b269ac0adc94c30439d5c37688e11ff73ffa53409d483bd2f419e16769b0213a5d46c

Download Submit
\Windows\SysWOW64\mfc100jpn.dll

Filesize
42KB

MD5
76022ed341931c473d2dfb27d56e37fd

SHA1
be2b19cc30093069e61349908153d22383feda7f

SHA256
0c7637e3ae7e2c429807194c470a1e7bd98ae02d67d543380367f142cf08173a

SHA512
0c30ac2a2a1bafb4462142ecaf059800ba262e2f82d82f229f78a0b91018d38ed101aca29ef01458dea6f9d34b8fd76940f7c8765ff8fe9d412ee3dba5419f42

Download Submit
\Windows\SysWOW64\mfc100kor.dll

Filesize
42KB

MD5
222be89e34f4bb9059b7587074c5f88b

SHA1
47eba84cf57011765a16d0d514069c9c86af16bb

SHA256
0f0e518d6b12111ed847b2f62929799d2754f6f45b21977f8929842a2cec471e

SHA512
83a3a51870b356de1330a47a79ff00032155debeed8a53b16142fed6a332b9b49e02076991d354f817410bfeb535c9c73ac872402194a822c877b4c9f7b15db8

Download Submit
memory/1376-157-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1376-155-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/1644-9-0x0000000001F80000-0x0000000001F96000-memory.dmp

Filesize
88KB

Download
memory/1644-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-5-0x0000000001DC0000-0x0000000001DE6000-memory.dmp

Filesize
152KB

Download
memory/1644-15-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-17-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-7-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/1644-16-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-8-0x0000000001D20000-0x0000000001D2A000-memory.dmp

Filesize
40KB

Download
memory/1644-110-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/1644-296-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-284-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-165-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-4-0x000000001C5C0000-0x000000001C642000-memory.dmp

Filesize
520KB

Download
memory/1644-167-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-3-0x0000000001C70000-0x0000000001C7A000-memory.dmp

Filesize
40KB

Download
memory/1644-6-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/1644-184-0x0000000003B90000-0x0000000003B9A000-memory.dmp

Filesize
40KB

Download
memory/1644-183-0x0000000003B90000-0x0000000003B9A000-memory.dmp

Filesize
40KB

Download
memory/1644-185-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/1644-10-0x0000000001D30000-0x0000000001D3A000-memory.dmp

Filesize
40KB

Download
memory/1644-1-0x0000000000360000-0x0000000001C62000-memory.dmp

Filesize
25.0MB

Download
memory/1644-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

Filesize
4KB

Download
memory/1644-11-0x0000000003940000-0x000000000395E000-memory.dmp

Filesize
120KB

Download
memory/1644-14-0x0000000003B90000-0x0000000003B9A000-memory.dmp

Filesize
40KB

Download
memory/1644-13-0x0000000003960000-0x0000000003988000-memory.dmp

Filesize
160KB

Download
memory/1644-12-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2204-111-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2204-99-0x0000000000930000-0x0000000000958000-memory.dmp

Filesize
160KB

Download
memory/2204-92-0x000000013F0F0000-0x000000013F0FA000-memory.dmp

Filesize
40KB

Download
memory/2716-164-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2716-163-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download