Analysis

  • max time kernel
    132s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    11-11-2024 20:47

General

  • Target

    RNSM00335.7z

  • Size

    10.9MB

  • MD5

    516de23b832b9ab382824d9ee7284cc5

  • SHA1

    6c8bdbe461a4411a3a9e9fb55c82975d7d46c5ef

  • SHA256

    78513de1a3f011868e975a9bce64cea9a520a2bd7609d862fed94ae3518f22ea

  • SHA512

    f9df547b6577fffe1728b7cb100f8c1b4835b3f52304afb6021c2af228de78448cad374c1327cfd34dc4dc86d3878d87514510c5cdca4b7f39d748179331db90

  • SSDEEP

    196608:YoHzR0FpxAbMJikHBxdg6j6glUoKMMD6Kk2c+7RB62mrvs2WSrqKGlrvTZz3umT/:YempxnJimB3/j6roPsB6vjs2xr7WrvFD

Malware Config

Extracted

Path

C:\$Recycle.Bin\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/397b1f26cba10859
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZUTpRRtHYd7m5WsbfSTHCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4LF7kU/BsuKl/zA2E+sgGohYPlrSBibtrRHeEdwbqCcE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg7zZifpABFE3vbLM+ah1wYZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJHzHp8Oar+NRZwP9okRV/rusrPFzMP9PHYGh9gzrewdRb9tHf+DbmDW4OIcXpReLdQo9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ==
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/397b1f26cba10859
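
The sandbox's "Malware Config" block above is the product of exactly this kind of note parsing: the family banner, the appended extension, the onion host and the per-victim path segment, plus the two delimited data blocks. The script below is an added example of my own (it is not the sandbox's extractor and not GandCrab code). `SAMPLE_NOTE` is a constructed, shortened copy of the note shown above with the key block replaced by a placeholder and the PC DATA blob replaced by a constructed base64 string; the field names returned by `parse_note` are my own choice.

```python
"""Added example, not part of this report or of any GandCrab tooling:
extract the machine-readable fields from a GandCrab V4 ransom note."""
import base64
import binascii
import re
from typing import Any, Dict, Optional

# Constructed stand-in for the opaque PC DATA blob in the real note.
SAMPLE_PC_DATA = base64.b64encode(b"constructed sample pc data, not the real blob").decode()

# Constructed, shortened copy of the note shown in this report.
SAMPLE_NOTE = (
    "---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other "
    "important files are encrypted and have the extension: .KRAB The only method of recovering "
    "files is to purchase an unique private key. "
    "| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/397b1f26cba10859 "
    "| 4. Follow the instructions on this page "
    "---BEGIN GANDCRAB KEY--- KEY_BLOCK_PLACEHOLDER ---END GANDCRAB KEY--- "
    "---BEGIN PC DATA--- " + SAMPLE_PC_DATA + " ---END PC DATA---"
)

FAMILY_RE = re.compile(r"---=\s*(GANDCRAB\s+V\d+)\s*=---", re.I)
EXT_RE = re.compile(r"extension:\s*(\.[A-Za-z0-9]+)")
# v2 onion names are 16 base32 chars, v3 names are 56; the path segment is the victim id.
ONION_RE = re.compile(r"https?://([a-z2-7]{16}(?:[a-z2-7]{40})?\.onion)/([0-9a-f]+)", re.I)
KEY_RE = re.compile(r"---BEGIN GANDCRAB KEY---\s*(.*?)\s*---END GANDCRAB KEY---", re.S)
PCDATA_RE = re.compile(r"---BEGIN PC DATA---\s*(.*?)\s*---END PC DATA---", re.S)


def _b64(blob: str) -> Optional[bytes]:
    """Decode a base64 block that may have been line-wrapped; None if it is not valid base64."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_note(text: str) -> Dict[str, Any]:
    """Return family, extension, C2 onion host, victim id, full URL and the two data blocks.

    Every field is None when its pattern is absent, so the caller can tell a
    partial note from a complete one instead of getting an exception.
    """
    fam = FAMILY_RE.search(text)
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    key = KEY_RE.search(text)
    pc = PCDATA_RE.search(text)
    return {
        "family": " ".join(fam.group(1).upper().split()) if fam else None,
        "extension": ext.group(1) if ext else None,
        "onion_host": onion.group(1).lower() if onion else None,
        "victim_id": onion.group(2).lower() if onion else None,
        "url": onion.group(0) if onion else None,
        "key_block": key.group(1) if key else None,
        "pc_data": _b64(pc.group(1)) if pc else None,
    }


if __name__ == "__main__":
    for k, v in parse_note(SAMPLE_NOTE).items():
        print(f"{k}: {v!r}")
```

The onion host is the IOC worth pivoting on; the path segment is per victim, so it identifies this infection rather than the campaign. The PC DATA block is the encrypted victim/key material the operators need back, which is why the note insists it must not be altered.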

Signatures

  • Gandcrab

    Gandcrab is ransomware that encrypts files on the victim's computer and demands payment for the private key.

  • Gandcrab family
  • UAC bypass 3 TTPs 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (307) files with added filename extension

    Suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

  • Drops file in Drivers directory 2 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 5 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 24 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 13 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in Program Files directory 61 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 4 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies Internet Explorer start page 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookAW 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00335.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1640
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2828
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\Desktop\00335\HEUR-Trojan-Ransom.MSIL.Agent.gen-b0c104f601f520cacd657a54bb611b166b077d6743c96cfde7918a9143229815.exe
      HEUR-Trojan-Ransom.MSIL.Agent.gen-b0c104f601f520cacd657a54bb611b166b077d6743c96cfde7918a9143229815.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Users\Admin\Desktop\00335\HEUR-Trojan-Ransom.Win32.Agent.gen-8aa936f217e1035aace2615d3067ef1999956c3c481c1acc728260d5fd7947ac.exe
      HEUR-Trojan-Ransom.Win32.Agent.gen-8aa936f217e1035aace2615d3067ef1999956c3c481c1acc728260d5fd7947ac.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:2300
      • C:\Program Files (x86)\Microexcel\bin\microexcel.exe
        "C:\Program Files (x86)\Microexcel\bin\microexcel.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of SetWindowsHookAW
        • Suspicious use of SetWindowsHookEx
        PID:1424
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
          PID:2824
    • C:\Users\Admin\Desktop\00335\HEUR-Trojan-Ransom.Win32.Foreign.gen-5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe.exe
      HEUR-Trojan-Ransom.Win32.Foreign.gen-5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2656
    • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.Blocker.ledh-108b94748485294b5abd12973b6e416e6aed041b20f890c4f962adc765f6c700.exe
      Trojan-Ransom.Win32.Blocker.ledh-108b94748485294b5abd12973b6e416e6aed041b20f890c4f962adc765f6c700.exe
      2⤵
      • UAC bypass
      • Drops file in Drivers directory
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1712
      • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.Blocker.ledh-108b94748485294b5abd12973b6e416e6aed041b20f890c4f962adc765f6c700.exe
        C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.Blocker.ledh-108b94748485294b5abd12973b6e416e6aed041b20f890c4f962adc765f6c700.exe /nstart
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1048
      • C:\Users\Admin\AppData\Local\Temp\isruqkt\tcmusii.exe
        C:\Users\Admin\AppData\Local\Temp\isruqkt\tcmusii.exe /nys
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:284
        • C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\HVXPAko.bat
          4⤵
          PID:1700
          • C:\Windows\system32\PING.EXE
            ping -n 1 127.0.0.1
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2284
      • C:\Users\Admin\AppData\Local\Temp\qaaadrc.exe
        C:\Users\Admin\AppData\Local\Temp\qaaadrc.exe /HomeRegAccess10
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
      • C:\Users\Admin\AppData\Local\Temp\acsmqdz.exe
        C:\Users\Admin\AppData\Local\Temp\acsmqdz.exe /HomeRegAccess10
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:768
      • C:\Windows\system32\Rundll32.exe
        Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~zhxrbdx.inf
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
        • C:\Windows\system32\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Checks processor information in registry
          PID:2372
          • C:\Windows\System32\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
            PID:2320
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\LKQ3jqV.bat
        3⤵
        PID:1344
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1504
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\JXYuyTe.bat
        3⤵
        PID:2916
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2016
    • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.GandCrypt.emx-48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086.exe
      Trojan-Ransom.Win32.GandCrypt.emx-48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:804
      • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.GandCrypt.emx-48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086.exe
        "C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.GandCrypt.emx-48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies system certificate store
        PID:2896
        • C:\Windows\SysWOW64\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2908
    • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.PornoAsset.cxlm-cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37.exe
      Trojan-Ransom.Win32.PornoAsset.cxlm-cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.PornoAsset.cxlm-cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37.exe
        C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.PornoAsset.cxlm-cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\SysWOW64\WinHost32.exe
          C:\Windows\System32\WinHost32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:824
          • C:\Windows\SysWOW64\WinHost32.exe
            C:\Windows\SysWOW64\WinHost32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1936
        • C:\Windows\SysWOW64\cmd.exe
          /c del C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.PornoAsset.cxlm-cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37.exe >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2160
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\KRAB-DECRYPT.txt
    1⤵
    PID:1912
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2196
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1280
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1764

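Several of the signatures above ("Deletes shadow copies", "Runs ping.exe", "Uses Volume Shadow Copy service COM API") are the process tree read through rules: `wmic shadowcopy delete` launched by the GandCrab child, `rundll32 setupapi,InstallHinfSection` driving an INF from Temp, `cmd /c <Temp>.bat` spawning `ping -n 1 127.0.0.1` as a delay, and a final `cmd /c del` of the parent's own image. The script below is an added example of my own (not the sandbox's signature engine) showing how such rules run over process-creation events. The `Event(pid, ppid, image, cmdline)` shape is my assumption about what an EDR or Sysmon event provides; the `EVENTS` list is constructed from the tree above (a subset, with the PIDs and command lines as shown there).

```python
"""Added example, not the sandbox's own code: rule-based triage of a
process-creation tree.  Events are constructed from the "Processes"
section of this report; rule names and the Event layout are my own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: Optional[int]   # None for roots the sandbox started directly
    image: str            # full path of the executable that ran
    cmdline: str          # command line as logged


DESK = r"C:\Users\Admin\Desktop\00335"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
BLOCKER = DESK + r"\Trojan-Ransom.Win32.Blocker.ledh-108b94748485294b5abd12973b6e416e6aed041b20f890c4f962adc765f6c700.exe"
GANDCRYPT = DESK + r"\Trojan-Ransom.Win32.GandCrypt.emx-48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086.exe"
PORNOASSET = DESK + r"\Trojan-Ransom.Win32.PornoAsset.cxlm-cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37.exe"

# Constructed from the process tree above (only the branches the rules need).
EVENTS: List[Event] = [
    Event(2644, None, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    Event(1712, 2644, BLOCKER, BLOCKER),
    Event(284, 1712, TEMP + r"\isruqkt\tcmusii.exe", TEMP + r"\isruqkt\tcmusii.exe /nys"),
    Event(1700, 284, r"C:\Windows\system32\cmd.exe", "cmd /c " + TEMP + r"\HVXPAko.bat"),
    Event(2284, 1700, r"C:\Windows\system32\PING.EXE", "ping -n 1 127.0.0.1"),
    Event(1748, 1712, r"C:\Windows\system32\Rundll32.exe",
          "Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 " + TEMP + r"\~zhxrbdx.inf"),
    Event(804, 2644, GANDCRYPT, GANDCRYPT),
    Event(2896, 804, GANDCRYPT, '"%s"' % GANDCRYPT),
    Event(2908, 2896, r"C:\Windows\SysWOW64\wbem\wmic.exe",
          '"C:\\Windows\\system32\\wbem\\wmic.exe" shadowcopy delete'),
    Event(1984, 2644, PORNOASSET, PORNOASSET),
    Event(2124, 1984, PORNOASSET, PORNOASSET),
    Event(824, 2124, r"C:\Windows\SysWOW64\WinHost32.exe", r"C:\Windows\System32\WinHost32.exe"),
    Event(2796, 2124, r"C:\Windows\SysWOW64\cmd.exe", "/c del " + PORNOASSET + " >> NUL"),
]

SHADOW_RE = re.compile(r"shadowcopy\s+delete|delete\s+shadows", re.I)
HINF_RE = re.compile(r"setupapi\s*,\s*InstallHinfSection", re.I)
TEMP_BAT_RE = re.compile(r"/c\s+\S*\\Temp\\\S+\.bat", re.I)
LOOPBACK_PING_RE = re.compile(r"^ping\s+-n\s+\d+\s+127\.0\.0\.1", re.I)
DEL_RE = re.compile(r"\bdel\s+(\S+)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: Event, by_pid: Dict[int, Event]) -> List[Event]:
    """Walk the ppid chain upwards (stops at roots or at PIDs we never saw)."""
    out: List[Event] = []
    cur = ev
    while cur.ppid is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        out.append(cur)
    return out


def triage(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
        # Inhibit System Recovery: wmic/vssadmin removing shadow copies.
        if name in ("wmic.exe", "vssadmin.exe") and SHADOW_RE.search(ev.cmdline):
            findings.append(("shadow_copy_deletion", ev.pid))
        # Rundll32 driving an INF through setupapi (here: from Temp, adding Run keys).
        if name == "rundll32.exe" and HINF_RE.search(ev.cmdline):
            findings.append(("rundll32_installhinfsection", ev.pid))
        # Loopback ping as a sleep inside a cmd /c <Temp>\*.bat wrapper.
        if (name == "ping.exe" and LOOPBACK_PING_RE.match(ev.cmdline) and parent is not None
                and basename(parent.image) == "cmd.exe" and TEMP_BAT_RE.search(parent.cmdline)):
            findings.append(("batch_ping_delay", ev.pid))
        # cmd deleting the image of one of its own ancestors: self-removal after relocation.
        if name == "cmd.exe":
            m = DEL_RE.search(ev.cmdline)
            if m:
                target = m.group(1).strip('"').lower()
                if any(a.image.lower() == target for a in ancestors(ev, by_pid)):
                    findings.append(("self_delete_via_cmd", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:30s} pid={pid}")
```

Two of the rules need the parent or the ancestor chain, not just the event itself: a loopback ping is benign on its own, and `del` of an arbitrary file is benign on its own; it is the relationship to the spawning batch file or to the ancestor's own image that makes them ransomware-shaped.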
              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\$Recycle.Bin\KRAB-DECRYPT.txt

                Filesize

                8KB

                MD5

                457a75eef0949d73a541b6a8e2dfb7d9

                SHA1

                9d4e48e89c1def7dccaec1d8ae5d037a55593c92

                SHA256

                2cc0385973941a0bcbc8b6a75f0eec0b0c8e41f4ed49c67d4a426bb5d6b3f864

                SHA512

                7805376e6b1f33cc08becf653034b29bdc886816119bce60c97f4167012f175caf5f9124fdeea49cbe7a1e5ed668e1ea1a1c3960b6f4c368a7136e203dd05358

              • C:\Program Files (x86)\Microexcel\bin\microexcel.iwr

                Filesize

                621KB

                MD5

                5a937f81b5666ec6de4793b7c9727698

                SHA1

                137e89755598369b9384f827a3c1ff2e148c626d

                SHA256

                3ca7fe620880a3312d44920a10fab0b390ff2c286b6b6728cb8c9f6deac7287b

                SHA512

                d69825dd54ebc14d08f82e7cd302bbf0699485e32b3e90bcb511b7f964c1f78f804523202b976563842722b4100958f722bd45ad50fdb47527d58bdea4ccc59a

              • C:\Program Files (x86)\Microexcel\bin\microexcel_zh.dwr

                Filesize

                145KB

                MD5

                d8215f1461a639184dea0f3e5c71fe92

                SHA1

                fb38382e2694c08fa370bdac5e42f3959224d09d

                SHA256

                6f01a4f8b82cb69d5dec8391c30c71245c43a2ea0f1d68ba276e2735236b1320

                SHA512

                792499e01f7a3cf59e5551243799166817428783bf47c75415073261b48c18a8eb0a0af45ce4167de55db8396742233b6bd42592732be01516c1c57b499a4510

              • C:\Program Files (x86)\Microexcel\bin\ofres12.dll

                Filesize

                4KB

                MD5

                15f5574da7b34f59ee52b500388b4dd5

                SHA1

                747073468ae667e242c0d36bfa459e0e21caccea

                SHA256

                ec734454234d14d9da5ab1902bfa06879f00acf2fca1552f1501d150d282fc68

                SHA512

                ad5d54a4c8344c9c11a916ee16a8db6f5ac3aab2318fe53ffebddd195bab437dcf048c3aa4a659bf37b6f90946c1ee41bb62a7e3e9c3f7fb5f12535397d2666d

              • C:\Program Files (x86)\Microexcel\bin\pmw.dat

                Filesize

                3KB

                MD5

                bed9d56a373592048e90c9bb3ef6eb89

                SHA1

                737a2b07649480a864e80137c35f16500d8a8f19

                SHA256

                bbe334dcbd22dfcd13923f2335b2ce3592b5542932ba33de841b56900eca1db1

                SHA512

                25dec02cacc466e10e08a2f27d2627f726a6bc51ab2ca77ccb3b521f658c007f46e48357093cdc0f332858ceffba58265172fac5675760e2c0cccba6219b4282

              • C:\Program Files (x86)\Microexcel\soft.ini

                Filesize

                211B

                MD5

                11826f4300cc66ef691059f5fdae90fc

                SHA1

                cf4731275e65c28e25be7d6f62af20e9347e1992

                SHA256

                970dfa7d3d16597e10a5dd435f5321134c9c4f67636983c57273a7bb0cb535ec

                SHA512

                0c404b6c703a107c2428b654b0d97b2cf9410f27bb6a24821652e8fae9b4a03afc86f6df1dbf82d8cfe11fbd5b42669d99a9bbe93ce826a8050903e1aaf5173e

              • C:\Users\Admin\AppData\Local\Temp\1048doaquow

                Filesize

                230KB

                MD5

                c4ba13458655c18ac2f0d3f1af3d4041

                SHA1

                ba2a8d206422419d37bff61ae19cbfb341d4cc12

                SHA256

                f2cd70f026c60c07243dc7c6317f82185f38b7063f48cf04f6db74f37777aa1a

                SHA512

                90f3cbc350a37d448608ec8bc2f777c6aa1dea05564b2c9d14833a4122bf69704b1f84d8e97475231774a162cc4c9fb059c114fdb80626784fd2f3e2a4adddff

              • C:\Users\Admin\AppData\Local\Temp\Cab7DF8.tmp

                Filesize

                70KB

                MD5

                49aebf8cbd62d92ac215b2923fb1b9f5

                SHA1

                1723be06719828dda65ad804298d0431f6aff976

                SHA256

                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                SHA512

                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

              • C:\Users\Admin\AppData\Local\Temp\HVXPAko.bat

                Filesize

                493B

                MD5

                0e1344deb7058dc42728d5cfdce211f2

                SHA1

                f545146741ecae00e33799956186e26c81f9012a

                SHA256

                57d8d13e4edd586541969d0428e3153160ec3a05bc43e14d2e8856ec1d676b8c

                SHA512

                ffc81c0a678eb804de17a5a065dab0066522567134a8210372413cdee6ae64b7fd78b1b3935838bcd935d45fcc2edf119efe292bfa55e32c6b9d605f89c9f1bc

              • C:\Users\Admin\AppData\Local\Temp\JXYuyTe.bat

                Filesize

                801B

                MD5

                95e07f506e2ad332db8f9c71d7f01623

                SHA1

                a11dbd47175d2631e8fbef47cc7a061aee1eb8fd

                SHA256

                888a45628b3c3802807899fff3b122e803894b86e15c20cc37b3d7ef70741211

                SHA512

                581a057cf121fa9e51da3339540392d8a2a4e95b32df5116fe1b07259955b7ccb7c75075126de3bbcf81e0cf6318a94993af86d1f20200dc0d711b8cefc2d066

              • C:\Users\Admin\AppData\Local\Temp\LKQ3jqV.bat

                Filesize

                445B

                MD5

                e49750cfbbc9128a618570963703578e

                SHA1

                11b65a400d02e17d6d542901d25df8fc7b8280b2

                SHA256

                1c99937cd1878a5628a4a593aa3318f83ac3d0793b39ae281006db7c83234067

                SHA512

                135878f880967f93697021d97af90765450f1ee2ba65dde7fe80a0493f77f8d211a11cce149446bd9c5e0ee10efcd931e701ee26482e58402ff0e2abd84c8d4d

              • C:\Users\Admin\AppData\Local\Temp\Tar7ED6.tmp

                Filesize

                181KB

                MD5

                4ea6026cf93ec6338144661bf1202cd1

                SHA1

                a1dec9044f750ad887935a01430bf49322fbdcb7

                SHA256

                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                SHA512

                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

              • C:\Users\Admin\AppData\Local\Temp\aut36E8.tmp

                Filesize

                42KB

                MD5

                ee24061654756cdf57dc7b28eed68d52

                SHA1

                64c7050412dae7b4b74da0dd280b6e992a7be8a6

                SHA256

                db6dafdc611c0ab419c53891e55adb8cc3148c6ee46114d476083bfaed8eac45

                SHA512

                640fe364dcc759d2b2a8da63b84574eb7378ad72341f1831c0b405a74bb2209240b1d71cc658b6fcb3d1aa57f39447515fc65cd7ee12334b7d80f4a8de6ec616

              • C:\Users\Admin\AppData\Local\Temp\nso2B66.tmp\ioSpecial.ini

                Filesize

                645B

                MD5

                97f895ffeb881efd324708eff05be2cf

                SHA1

                6d28a1f3b5f1cb08b834ac1c15b518d7b06de758

                SHA256

                904a7e07812eb2327e84347d484de214d4d5bd4ce76d0747eb5c6e12f1cd8942

                SHA512

                a6283cb4075ea1be1d1c21b1f878c2493c0a1993ac0e9bd08510b3728e7dc03e9c1ed8c400a71c148e221c4a514794e11c3fa846de1eabfc1cb77d84ac3d736f

              • C:\Users\Admin\AppData\Local\Temp\nso2B66.tmp\ioSpecial.ini

                Filesize

                644B

                MD5

                73dfbbdbc2a220fbb071559e9440d32e

                SHA1

                3a335f6986566e71728e889810d6eefcf61edeee

                SHA256

                051223543e583db80b2f792b512030b3e17c5bcb9e9bfc54158af9b49bdbc497

                SHA512

                a70099c789405d3e4244ea49591c6d0fd72524ba446a9aea72aeb2f73747ef405afda380fd19884410a8adbe7896701b801ad22cad9ed00dc2628acfe909bfc9

              • C:\Users\Admin\AppData\Local\Temp\~zhxrbdx.inf

                Filesize

                32B

                MD5

                8f5f4837dd4a1680d79bbdca9cc1e08f

                SHA1

                688b5d5ef993733b97b303ed4c8409a14b230de5

                SHA256

                2bce6b9395cc74d16b9c94fd90debd9d524ffb53c6f6ae3a49b6e139671417b2

                SHA512

                bd75b564fe3c93dffdc65fe58463378f54268308ca5eaba5fc7f80458016f331a6596bfdaf63845c1d5c6c60df2a0ec2aff94d2aae7797da4f5f975f0363bd66

              • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

                Filesize

                151B

                MD5

                988ea61855eab89ff1f69e884a6bee04

                SHA1

                5d4792d34fe3939301eefa968ab5b5e8d415aec1

                SHA256

                010436597702c768cd6f56b169a523c69a64459e5ef04fefbeaaa1bd087a6fe1

                SHA512

                eb8df971b4dfacb0772571147e32a191161848464d24ab3be690f7308378004259c03375618ffbb332316b8bf21f637ce7fe694322590d9b56af65695e3d3b9f

              • C:\Users\Admin\AppData\Roaming\microexcel\microexcel.ini

                Filesize

                631B

                MD5

                1b9417c2c1b3c0b4a31f37af4d0ceacb

                SHA1

                cf0b19025bda26c6ea1e3126a7db3fe3a46dab1e

                SHA256

                10426e145a52aba69ba6f3ac43b3b8f0faeb6d202b456606e7b11ed6315a87c7

                SHA512

                651bb9f54a5dc7e165880e199ffec12eb795da376abc20018958ad1a97c6ea13d2f15ca38d6ad0c4da5d5e54c0dbdf57ebfa45ff03970e95c5454758c861f888

              • C:\Users\Admin\Desktop\00335\HEUR-Trojan-Ransom.MSIL.Agent.gen-b0c104f601f520cacd657a54bb611b166b077d6743c96cfde7918a9143229815.exe

                Filesize

                208KB

                MD5

                5ae92b52b0a6df8a64a5f98700bc290f

                SHA1

                b287f6dde17eb50f33219a01bc8fe6b108f96e48

                SHA256

                b0c104f601f520cacd657a54bb611b166b077d6743c96cfde7918a9143229815

                SHA512

                18b9d28ba70f2780e059914a880a01398940236d3c514d517a501d1cb88e1d7448875d868c6a56c935677355c66cc59b73b86be79a5e261f89ec406f60e0f9bb

              • C:\Users\Admin\Desktop\00335\HEUR-Trojan-Ransom.Win32.Agent.gen-8aa936f217e1035aace2615d3067ef1999956c3c481c1acc728260d5fd7947ac.exe

                Filesize

                5.2MB

                MD5

                85b8278c03ab19306c6dce721f382064

                SHA1

                d742e4290d80a2b132ba65e2f8f0657586a45522

                SHA256

                8aa936f217e1035aace2615d3067ef1999956c3c481c1acc728260d5fd7947ac

                SHA512

                ac13a9061941aec363eba6e971166bc3c4165cc241d1cbbfa6ab2c10810b3c165e2f7b3ba20442fcd47b8ccaaa1e7f72453ab8150e91b801dbf53dec98a57b57

              • C:\Users\Admin\Desktop\00335\HEUR-Trojan-Ransom.Win32.Foreign.gen-5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe.exe

                Filesize

                861KB

                MD5

                32f3a45b1dc134a94341ddaee0364505

                SHA1

                cb890f3243adaac8157a823da01318737ec17032

                SHA256

                5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe

                SHA512

                e7478fb4700830c1db3c74c19800b82c3b141ea32b80ade020d4f32308b879b7792bdc69d57b1f815b157518b54e27242b061915243d55888e2d1d28c4eb2942

              • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.Blocker.ledh-108b94748485294b5abd12973b6e416e6aed041b20f890c4f962adc765f6c700.exe

                Filesize

                5.0MB

                MD5

                94752f085807010871dd4dd9a08ee39b

                SHA1

                e6088e7f84fbf8f67a3127086bb20c90a45b2dab

                SHA256

                108b94748485294b5abd12973b6e416e6aed041b20f890c4f962adc765f6c700

                SHA512

                3fc2e93b3f2af5fbdd8e2cb6c9cf7e59a8082293232a9c3da30e67f975d6953f065c4c72432db9d2df5ee2cfcfb8e9329eafde884a699c41d834e6ee820e131e

              • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.GandCrypt.emx-48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086.exe

                Filesize

                712KB

                MD5

                8e938fb7f02a4bf1100efff71a72bbb1

                SHA1

                0bb43310c4a0fb927db48e36e3972b58096ecf88

                SHA256

                48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086

                SHA512

                6610404bfc1067d04864f6d53b86dce0f6b2527b0bc2b3646f8ef49cd8686f1d4b4b1c6b2d963cbb0f518cd7c9e75d0ec29d0403bbcc31f43576dffd9641de6b

              • C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.PornoAsset.cxlm-cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37.exe

                Filesize

                86KB

                MD5

                84ed7358d79fe69b20f308bbbc685831

                SHA1

                7c526fb6202994eeb4bf0778c67b69cb0851ff4f

                SHA256

                cf513a5b6d1a0ba7f963754b96ae0877f0246bce5e69bd71414a313c12678e37

                SHA512

                a0d74ae4b1bf54188ea714c0d164ce7ca7ece48762850287ce259355a2bc49fd1b4cc1e5cd117c19c4397814df75bad2f823846570294e98c730c3a6ac84c268

              • C:\Users\Admin\Documents\SoftMaker\Settings\fontfilter.ini

                Filesize

                41B

                MD5

                0e55263a9eaf5f880b8f899f8c3d216a

                SHA1

                6788e4de7ef96a077a2624ff58df3a91eb20fd69

                SHA256

                f2023a99ee4918f5fa8bcffd5111144ad56149ea4b764eb080c44e639c408467

                SHA512

                543f6f12545830ede59ffb14c6be0511a9d898b2f340fe1fdb2164088eb17a3935dd80d9994c6eafee4fa92ed5edfaf294d8548e78d7a0941d9197a9cf2af52d

              • C:\Users\Admin\Documents\SoftMaker\Settings\pmw12config.ini

                Filesize

                166B

                MD5

                987dc73030e015775e58ad241c824411

                SHA1

                de8e402c205350b14ec4f4e7b27a8d5ffe3aca45

                SHA256

                11bcbc5c2fc85338499f20df6ecd295ccbd276609093fbe1d51c22b51a767faa

                SHA512

                0aee2e0d21f38198caf47d3d1aa72aa9568cb467c1c765a5c9534af264eb6936883c1c6053e699b735286376b614dde2f7176f734c41a64f124773a15ac1580d

              • C:\Users\Admin\Documents\SoftMaker\Settings\pmw12config.ini

                Filesize

                554B

                MD5

                ac9ed743d2f11855dd8a6b3df18c4dd4

                SHA1

                f3afcfac95dfea8df7815a139c6c673046785494

                SHA256

                cf54b1027b16c75c2c11d410905b8fe2d64865e47036d4f8a4e3a86ae092adf8

                SHA512

                1c51721b1e9198e45934c367f953708d3ddb9ebf5668fe163fbfd969d80224bc5b841d19d3630cbacbe1ae24d1382afbce8e88b5606eff967310f24e43122087

              • C:\Users\Admin\Documents\SoftMaker\Settings\pmw12tools.dat

                Filesize

                4KB

                MD5

                775c6331c482ca63a05d043c8713ff56

                SHA1

                67bf672ecd0ccee8d5376f5841167660803c1811

                SHA256

                3c1c00dbee1909dd5e60b655329dfe87ccbe7cda9af31e25cb48176bdd063cf5

                SHA512

                9b878913080ed13083dc8e5a2b6e2934b74603937849474c95db9328386d211ba2fc8f5a7758b07893516ebc192226bbad8bef8e8b182801e9009cc0debf53db

              • C:\Users\Admin\Favorites\links\京东商城.url

                Filesize

                60B

                MD5

                fabd754a3ed4bb8e2fe263b4d780ee89

                SHA1

                627f57831a6cfc7576ec92046bb1b19d09e3df84

                SHA256

                b46a292e886d9b6c5c937d8319c4c8b9fa2f6316134229b2d4b185aa9544c1b2

                SHA512

                57cb82bfaf51606e66cbae7a86c03ca7047959c9c7af131e9c59441238bcfecfdba83f2c4b4666608411dda6eec97654ff4823e952ca8bce22b778699cba0279

              • C:\Users\Admin\Favorites\links\免费电影.url

                Filesize

                580B

                MD5

                fa1421a8d160f9b4c9f135f937b999c8

                SHA1

                c4368a17db2c7dcfafd1cc072e559764844463ec

                SHA256

                650c73a37c108528a09dc8fff573d91a531a47873e3754210fd49377937d1ee2

                SHA512

                abc38f9ae41bf11ae90e800129e7efe7111a8152d531b9b4479c05cdb07c5f67897fded908b25351651e63a4bfee3003e98085829969dea2b16da3abab669906

              • \??\PIPE\srvsvc
                (named pipe, not a file on disk: no Filesize is reported, and the four digests below are the well-known digests of zero-length input, so nothing was captured from the pipe and these values must not be used as indicators)

                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              • \Program Files (x86)\Microexcel\bin\microexcel.exe

                Filesize

                13.4MB

                MD5

                f65f61afa85666c7a587c74caf5051d1

                SHA1

                f3525465b4a6c92286197e9c5ad10a140b5ad779

                SHA256

                d9be106e35b7fddec4b3a612345eea8836e469d4d323017aab60a5d9ecc46d7c

                SHA512

                771aeb344c411caed54891523bae17a5bcc273bddf005b9749b08512ae8e2c0c67d419a325f8e9332cdb1bb9f48b6b799112a830478b7ce8c5a6d8042839b9e6

              • \Program Files (x86)\Microexcel\bin\pmw.dll

                Filesize

                48KB

                MD5

                56b043b1d270905669a52f294214840d

                SHA1

                4b316533525b3c762d59e8fdff633a509aedd5f3

                SHA256

                6bfc6adb4abec5e6b79840d472c1df7b5a16ad3dfaed6f95515a18be170e8027

                SHA512

                2a0ae2120eb87c4cb7ec4605cc6ee8e5c8499067aea90e9a170a43eb3cc0a331dcd48b70e04fb2545b717126edd2efb0c43052afe7fbb887f554a44b54b14296

              • \Program Files (x86)\Microexcel\bin\uninst.exe

                Filesize

                110KB

                MD5

                60c720d2b508031d6b43eb6a052fe2d1

                SHA1

                186ea71780cbf3a3f86276ede9b81746b02d3b42

                SHA256

                5db52498f5bb241622c16e018773bf205004711f933871f78becf67c1315e351

                SHA512

                9ab2930b2259197312358ca503717fd006f7166f34a742a4cf68416dbc7c1ad207acd0040466b79d8afb79ec4c9e5ff5af3103e40b27ee5f8e8d7383aaaf380c

              • \Users\Admin\AppData\Local\Temp\nso2B66.tmp\AccessControl.dll

                Filesize

                10KB

                MD5

                055f4f9260e07fc83f71877cbb7f4fad

                SHA1

                a245131af1a182de99bd74af9ff1fab17977a72f

                SHA256

                4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

                SHA512

                a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

              • \Users\Admin\AppData\Local\Temp\nso2B66.tmp\CRCCheck.dll

                Filesize

                3KB

                MD5

                ab4d03cf938fd9c748349b901314f6cd

                SHA1

                5b8fcd9a8a496c3ddf5267ac62c147359f44a93b

                SHA256

                55f7f4acf8b1eaa975fac2362633cc91d67d9749caa7916b9b6999db0f83e1c6

                SHA512

                3d2c730472fa371450e50313c28d5310d5edcf30fef5fab649151fda41721b2169884c2174cd247f09c666164ad68fa2e974f6b2c48e96fa4491758a358389aa

              • \Users\Admin\AppData\Local\Temp\nso2B66.tmp\FindProcDLL.dll

                Filesize

                31KB

                MD5

                83cd62eab980e3d64c131799608c8371

                SHA1

                5b57a6842a154997e31fab573c5754b358f5dd1c

                SHA256

                a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

                SHA512

                91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

              • \Users\Admin\AppData\Local\Temp\nso2B66.tmp\InstallOptions.dll

                Filesize

                14KB

                MD5

                0dc0cc7a6d9db685bf05a7e5f3ea4781

                SHA1

                5d8b6268eeec9d8d904bc9d988a4b588b392213f

                SHA256

                8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

                SHA512

                814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

              • \Users\Admin\AppData\Local\Temp\nso2B66.tmp\System.dll

                Filesize

                11KB

                MD5

                00a0194c20ee912257df53bfe258ee4a

                SHA1

                d7b4e319bc5119024690dc8230b9cc919b1b86b2

                SHA256

                dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

                SHA512

                3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

              • \Users\Admin\AppData\Local\Temp\nso2B66.tmp\inetc.dll

                Filesize

                24KB

                MD5

                1efbbf5a54eb145a1a422046fd8dfb2c

                SHA1

                ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

                SHA256

                983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

                SHA512

                7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

              • \Users\Admin\AppData\Local\Temp\nso2B66.tmp\time.dll

                Filesize

                10KB

                MD5

                38977533750fe69979b2c2ac801f96e6

                SHA1

                74643c30cda909e649722ed0c7f267903558e92a

                SHA256

                b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

                SHA512

                e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

              • memory/284-671-0x0000000000BA0000-0x00000000015C5000-memory.dmp

                Filesize

                10.1MB

              • memory/284-202-0x0000000000BA0000-0x00000000015C5000-memory.dmp

                Filesize

                10.1MB

              • memory/284-558-0x0000000000BA0000-0x00000000015C5000-memory.dmp

                Filesize

                10.1MB

              • memory/284-1429-0x0000000000BA0000-0x00000000015C5000-memory.dmp

                Filesize

                10.1MB

              • memory/768-409-0x0000000000960000-0x0000000001385000-memory.dmp

                Filesize

                10.1MB

              • memory/1048-557-0x0000000001340000-0x0000000001D65000-memory.dmp

                Filesize

                10.1MB

              • memory/1048-1420-0x0000000001340000-0x0000000001D65000-memory.dmp

                Filesize

                10.1MB

              • memory/1048-160-0x0000000001340000-0x0000000001D65000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-195-0x0000000005B20000-0x0000000006545000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-491-0x0000000001340000-0x0000000001D65000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-115-0x0000000001340000-0x0000000001D65000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-493-0x0000000001340000-0x0000000001D65000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-198-0x0000000005B20000-0x0000000006545000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-194-0x0000000005B20000-0x0000000006545000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-670-0x0000000005B20000-0x0000000006545000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-196-0x0000000005B20000-0x0000000006545000-memory.dmp

                Filesize

                10.1MB

              • memory/1712-1450-0x0000000001340000-0x0000000001D65000-memory.dmp

                Filesize

                10.1MB

              • memory/1936-669-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-151-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-141-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-125-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-127-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-129-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-133-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-131-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-139-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-135-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2124-137-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

              • memory/2144-123-0x0000000000C60000-0x0000000000C9A000-memory.dmp

                Filesize

                232KB

              • memory/2396-276-0x00000000001C0000-0x0000000000BE5000-memory.dmp

                Filesize

                10.1MB

              • memory/2396-201-0x00000000001C0000-0x0000000000BE5000-memory.dmp

                Filesize

                10.1MB

              • memory/2656-1401-0x0000000000400000-0x0000000000520000-memory.dmp

                Filesize

                1.1MB

              • memory/2656-116-0x0000000000400000-0x0000000000520000-memory.dmp

                Filesize

                1.1MB

              • memory/2656-490-0x0000000000400000-0x0000000000520000-memory.dmp

                Filesize

                1.1MB

              • memory/2828-12-0x0000000140000000-0x00000001405E8000-memory.dmp

                Filesize

                5.9MB

              • memory/2828-14-0x0000000140000000-0x00000001405E8000-memory.dmp

                Filesize

                5.9MB

              • memory/2828-13-0x0000000140000000-0x00000001405E8000-memory.dmp

                Filesize

                5.9MB

              • memory/2896-510-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-506-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

              • memory/2896-504-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-509-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-498-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-496-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-577-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-502-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-500-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-494-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB

              • memory/2896-507-0x0000000000400000-0x0000000000426000-memory.dmp

                Filesize

                152KB
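The listing above is the raw form an analyst usually works from, so here is an added example (not part of the sandbox report or its tooling) of turning it into checked indicators. It parses the report's "key on one line, value on the next" layout into records, flags artifacts whose digests are those of empty input (the `\??\PIPE\srvsvc` entry), recomputes each `memory/<pid>-<idx>-<start>-<end>-memory.dmp` region length from its address range and compares it with the stated Filesize, and emits a de-duplicated SHA256 list for the dropped executables. The `SAMPLE` string is a constructed excerpt copied from entries on this page; function and class names are the example's own.

```python
"""
Added example: parse a sandbox dropped-file / memory-dump listing, sanity-check
it, and extract SHA256 indicators. Not the sandbox's own code.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Digests of zero-length input, computed rather than hard-coded so the check
# cannot drift from the algorithm. Matching all of them means nothing was captured.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}

# The report uses 1024-based units: 0x400000-0x40A000 (40960 bytes) is shown as 40KB.
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt of the page's own entries (an exe, a dll, the pipe, two dumps).
SAMPLE = r"""
• C:\Users\Admin\Desktop\00335\Trojan-Ransom.Win32.GandCrypt.emx-48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086.exe
Filesize
712KB
MD5
8e938fb7f02a4bf1100efff71a72bbb1
SHA256
48855186730beac2ad2caa4cae0dd8a1fb7e8101887f738ee0bd3703f4f67086
• \Program Files (x86)\Microexcel\bin\pmw.dll
Filesize
48KB
SHA256
6bfc6adb4abec5e6b79840d472c1df7b5a16ad3dfaed6f95515a18be170e8027
• \??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• memory/284-671-0x0000000000BA0000-0x00000000015C5000-memory.dmp
Filesize
10.1MB
• memory/2124-151-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize
40KB
"""


@dataclass
class Artifact:
    name: str
    filesize: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)

    def is_empty(self) -> bool:
        """True when every reported digest equals the digest of b''."""
        return bool(self.digests) and all(
            EMPTY_DIGESTS[alg] == d for alg, d in self.digests.items())


def parse_size(text: str) -> int:
    """'712KB' -> 729088; rounds the report's one-decimal sizes to bytes."""
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def parse_listing(text: str) -> List[Artifact]:
    """Split the bullet list into Artifact records; keys precede their values."""
    artifacts: List[Artifact] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            artifacts.append(Artifact(name=ln[1:].strip()))
            i += 1
            continue
        if not artifacts:
            raise ValueError("field before first artifact name")
        value = lines[i + 1] if i + 1 < len(lines) else ""
        cur = artifacts[-1]
        if ln == "Filesize":
            cur.filesize = value
        elif ln.lower() in EMPTY_DIGESTS:
            cur.digests[ln.lower()] = value.lower()
        i += 2
    return artifacts


def memdump_size(name: str) -> Optional[int]:
    """Region length implied by a memory dump's start/end addresses, or None."""
    m = MEMDUMP_RE.match(name)
    if not m:
        return None
    return int(m.group("end"), 16) - int(m.group("start"), 16)


def check_memdump_sizes(artifacts: List[Artifact], tolerance: float = 0.05) -> List[str]:
    """Names of dumps whose stated Filesize disagrees with the address range."""
    bad = []
    for a in artifacts:
        implied = memdump_size(a.name)
        if implied is None or a.filesize is None:
            continue
        if abs(parse_size(a.filesize) - implied) > tolerance * implied:
            bad.append(a.name)
    return bad


def executable_iocs(artifacts: List[Artifact]) -> List[str]:
    """Unique SHA256s of non-empty .exe/.dll artifacts, sorted for stable diffs."""
    return sorted({a.digests["sha256"] for a in artifacts
                   if a.name.lower().endswith((".exe", ".dll"))
                   and "sha256" in a.digests and not a.is_empty()})


if __name__ == "__main__":
    arts = parse_listing(SAMPLE)
    print("empty captures:", [a.name for a in arts if a.is_empty()])
    print("size mismatches:", check_memdump_sizes(arts))
    print("sha256 iocs:", executable_iocs(arts))
```

Two caveats when applying this to the full listing: the `nso2B66.tmp\*.dll` files are stock NSIS installer plugins (System.dll, inetc.dll, InstallOptions.dll and the others are shipped with NSIS), so their hashes identify the installer framework rather than this sample and should be excluded from indicator lists unless you have checked them individually; and the repeated `memory/<pid>-<idx>-…` entries are successive snapshots of the same region, not duplicates, so de-duplicate on the address range rather than on the full name.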