hxxps://drive[.]google[.]com/file/d/1WKy_Fzp9NKGTRgkLgLjHKiulJg1ObSYh/view

Analysis

max time kernel
112s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1WKy_Fzp9NKGTRgkLgLjHKiulJg1ObSYh/view

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5784	Halloween.exe
1536	Halloween.exe
4732	dec.exe
3504	Halloween.exe
3748	dec.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	dec.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	dec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
7	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
516	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
1484	msedge.exe
1484	msedge.exe
3112	identity_helper.exe
3112	identity_helper.exe
1732	msedge.exe
1732	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5780	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5188	7zG.exe
Token: 35	5188	7zG.exe
Token: SeSecurityPrivilege	5188	7zG.exe
Token: SeSecurityPrivilege	5188	7zG.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
5188	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
5292	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5932	AcroRd32.exe
5932	AcroRd32.exe
5932	AcroRd32.exe
5932	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 3024	1484	msedge.exe	83
PID 1484 wrote to memory of 3024	1484	msedge.exe	83
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 60	1484	msedge.exe	84
PID 1484 wrote to memory of 2472	1484	msedge.exe	85
PID 1484 wrote to memory of 2472	1484	msedge.exe	85
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86
PID 1484 wrote to memory of 3680	1484	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1WKy_Fzp9NKGTRgkLgLjHKiulJg1ObSYh/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa58846f8,0x7fffa5884708,0x7fffa5884718
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12676265698765919229,3885872807229327766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:5448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5780
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Halloween.rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5932
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6104
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AEC2422E6BAF23FBD10DAA1076015926 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3236
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=198DF84EBE1BDCB0A4BB113B53EB2AD3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=198DF84EBE1BDCB0A4BB113B53EB2AD3 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4852
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B1C85715F8D1DFDD59275F25BB441FC9 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=63F8D0A52BED93BAFE47431E0E01D921 --mojo-platform-channel-handle=1872 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5292
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=333024AF9832DCD3758A318CA7D4AF0C --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5280

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap32179:76:7zEvent19433
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5188

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:516

C:\Users\Admin\Desktop\Halloween.exe
"C:\Users\Admin\Desktop\Halloween.exe"
1⤵
- Executes dropped EXE
PID:5784

C:\Users\Admin\Desktop\Halloween.exe
"C:\Users\Admin\Desktop\Halloween.exe"
1⤵
- Executes dropped EXE
PID:1536
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c start C:\Users\Admin\dec.exe
  2⤵
  PID:5340
- - C:\Users\Admin\dec.exe
    C:\Users\Admin\dec.exe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    PID:4732

C:\Users\Admin\Desktop\Halloween.exe
"C:\Users\Admin\Desktop\Halloween.exe"
1⤵
- Executes dropped EXE
PID:3504
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c start C:\Users\Admin\dec.exe
  2⤵
  PID:6100
- - C:\Users\Admin\dec.exe
    C:\Users\Admin\dec.exe
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dec.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
184KB

MD5
d9d0797ab433563e7eed0acbd05f705d

SHA1
cff17062531950a5cab579128a1b17a87ddcca6f

SHA256
36fb48d73e935cc1ba9c2c4678e64e7c195adf2ed7b8b3658b17448d38d24aa2

SHA512
2ae27ee9f82ceea056da7eb47c637b0729642ee99056c06b72c3511b9eca260e273b246ad19857e309004c9add7242f9c2edc3f92f285e7f09a88dda6f82468a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
608f65461de845b38bc4a6e6dd5a1262

SHA1
ddf946eb6992f40c076988f75b86c092f435cb0c

SHA256
040393cf33600959ffb34c15546f2ec609c51d6ba114b4c06325bd8b7ddbee6e

SHA512
57aeb19c2723a75167e77730198e4529389ddf7bfe4dd49b6f1b716ae707cf2208675238862ba0bb105f9492203c1ae270e55626fe28ce13dfc96e9b026131df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2b7f1522c4c109c660598e2f9a0386b7

SHA1
712c7cd6b994b4d6305e38bd1ad4200bd7cd7ae9

SHA256
287e331ab427ddfee942a685fb0d2c470b204183c086f2561e045637f87add85

SHA512
60b63d00b9c064c6cd82d0db160ab5835144b92d32ca36806ef9e2981ddd8b8283045df719ae6b1de8034dd5bcd63705fc4aaaaa502e43c91daf106e10b85689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecdb2b20ba327a141c837b144d908ed6

SHA1
3331235051a89262c811c259c38c415b80ff1b00

SHA256
93b2b826214d21d1ae51877002339e60b23368017b93d2e1a4417001fb9b6319

SHA512
00aef122f2ee5a6cd9181adf0373364507811b9611fd604858113cfa2f7fcdb957637ad3c58e46ecc65da395a10cd4f64c622f67488c0a3b5320eb255c18b8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ffd3858aef7a5122a567a70b1d682f6

SHA1
8f8580e88e1372de589d619fa7af3c761ed7287e

SHA256
fcef585524dacab8f6e562692deca679b4bfae0fcb6de1fda45a90b6e185a7c1

SHA512
dc02c9903acad6fb314f727ec9231bab9ad2639cc4a46a14549f81308ed48216b7554ac4ce06f10f6dd602627340e5b5dc83b516765d07adbd58251961e18b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7230fd2e7eb16c4b569615514361f76

SHA1
18dc50af9a192755eb283eb4806b36025c1ac180

SHA256
74e9378baf2179252b820733ecc1b383f273b558ea040b0bfc0c7e26d2dc99ee

SHA512
6da0843e58fc1a54324500a1fec7fc6e482bb6156c38522c9194b7f87cb4a9e204c52ad656a797959de8758362e5c45b24bde4f7337353151f5b0cd4bdd474ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0aabd0a22ab066afb80a8e1e6cd54644

SHA1
e472800cb34f77bb6e181c7906914423e6a5d056

SHA256
fdb73c5da2551d373e69900475c2ea800211619d4e4175e95158760397c0ebf6

SHA512
e1b497818a3356a730f036c795ee3be641077b561d8b6d7c87ca8c31f98669d63d85feba271b44e1771f6cc4da7fde57a5207ba9c7aa592fb18ed269013eaa68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ee8d2f8afaeaa7751e8d7107aa48498

SHA1
579b910b34c9eeec0e6689a93fc24f957cc9119a

SHA256
36e5658c37b134e2171e7cb1d7296be376c0f8c3314b7d7d095e87f1f11afbac

SHA512
4e371044196a7d485f9f0adfedfb49805172fa9c930d473e3db019a3172b58f58dd12755b2ccf21567c4465ab69f4a1f510ab79012392a15be933a9df3e7a15a

Download Submit
C:\Users\Admin\Desktop\AddSuspend.cab

Filesize
738KB

MD5
4f1b8dff6c78137cf064a737c8abcc53

SHA1
9855924ee5414785379342b9e2ad5fcf241f51b8

SHA256
dae2a6cd4eda84b5c3ad367c1cef4828b8de6a2eede89552616841672d2e1802

SHA512
4a1b8c6c3b1c6d239641b60dbac9d3992d683c71796de3e9e785cbbaf205d3240107c7e6dc0ed2b1e9e4c224d19e2e043c4245dbe44315a37186e69d74f6fda1

Download Submit
C:\Users\Admin\Desktop\CheckpointConvertFrom.rar

Filesize
826KB

MD5
b14b1752bf855ff96afe90eb70e23e96

SHA1
72bb41a0c25155d08fc56c5f8b5f3bbfd9c93a6e

SHA256
db7eee827942967eedce3e7655c4173e37d5581abc99e47645a5f3d764d7cab4

SHA512
6624f674b8e2cd327ef1ee7125971b42f91f57a7af2ddaf24c3a7d06e087c9d740ed9eee901a270e7c911aaedff46f1cb1bba6a11195fa12a692bab6d31d77b5

Download Submit
C:\Users\Admin\Desktop\CopySelect.mht

Filesize
591KB

MD5
c9dddb58c6ab70b00c75c20311f06676

SHA1
5afd5919cbd0f9876336ba07aa24b7162301c60b

SHA256
49cd5a23164f299d89642b5a81445dac336681b2a52ceade9d9731d0550820d6

SHA512
fba6a4066c20f9eacdf031a44d04f7b7e60b3e358b11b33ae7242ebabe12bc9a85a4813e96327d4239bdc1a99f614979bd2f6ad6b82e2164da59c8472d2d4934

Download Submit
C:\Users\Admin\Desktop\DisableExpand.rm

Filesize
1.5MB

MD5
1bbf5990cb70233d10f81dc75022702a

SHA1
26e7922c97898866be69e85d07c90fafceddfd56

SHA256
9e6258e03e860756ab776b83bb99e3ecfe05b02e3d9efcc8e764fde2ab70fa94

SHA512
2353f3b39c4bb49d37d7dc20d1fb446a09e636fb4eab3db7a8f99047635dc7f4f0b1bc4f9b708b2a84421ebbce8ce91a0f9a34ebe6572b1ac87ede840de01dea

Download Submit
C:\Users\Admin\Desktop\EditMeasure.edrwx

Filesize
679KB

MD5
fbc0ce873f984b65fcd4ffa23a73592e

SHA1
4405e1b87f2005d41fbe8f2ce9135758132bc885

SHA256
ae4e57be258a305c7d66deac06205d4d44c66b69ac3fa7ea9947508e58d2e4d6

SHA512
2b25a1298f909e660366798d9771880256d6812667c51b066f62574c6704dbba9fc814ef951c1d3e7b07b01ff15f159684e7415b48d3445bc5c774d9b32a3eec

Download Submit
C:\Users\Admin\Desktop\EnterEdit.001

Filesize
915KB

MD5
63421c27562af4957b6df23c078d0f44

SHA1
e33bdb82dacae01e960ffc24fe4ef71f27113381

SHA256
ba61663a622f80d9814dae9366ef7b01b7ecbab9db66d0723b7b381d633dbedc

SHA512
47fe2b5675729f753066dad2b1f736b12d115ca72f95d475ab5352c3674a848358184b9ffb1b703deb2e8a8c487e09f49506e3a7dbcdf7c5a38e359cf83af573

Download Submit
C:\Users\Admin\Desktop\FormatSet.m4a

Filesize
383KB

MD5
c76e7d212020de79813088b848396cb2

SHA1
13ae3fb99ff5a9fbbea75634ea7a86f2297b7a9f

SHA256
d3291f57b42aaec11db6e241030711e031741ed0281e6bc051d6959572f2fa41

SHA512
281d86832504333f448b294e2e02c7f3af3e14e26566a816157637815b16519364387027218208f6f62f74548cea85c1b7735cc2e8ec424e3718ee79e720aa06

Download Submit
C:\Users\Admin\Desktop\GrantFormat.ppt

Filesize
597KB

MD5
7ab9a1aabc5b6451a57fc6b2df47a85e

SHA1
256990609fc1988d30cdd5c8c1a945e97c0efcc6

SHA256
b13796b3937a19213393c345bc7fd960b114f823bc92a1c0101489885791e33f

SHA512
b924726a8e38b51c1f5188e6299882596c51c0b1d5e0d65a2a8da323bde6c3f36b441f575a85882b5b0e44bd5c1f597d82bc5e1be774ce7409916b33ad34082a

Download Submit
C:\Users\Admin\Desktop\Halloween.exe

Filesize
989KB

MD5
ceb4ee56e4599a70b1a3f5cc4feeebad

SHA1
6dc37ab07b6dab8160843e87f12a7dba86a7cca6

SHA256
eb0ecb3712e7081b296f2fa4292a373c4cf1aa1351dab6755bc7148e9a6f67d3

SHA512
836cf491320a87aa4f18fa207777841babc011e7cdeb2fddc0bf647d6b9c5e9d8544fcdcda9288afc86fcb99f267feda546232d70ba60859f8e265fb24c187d1

Download Submit
C:\Users\Admin\Desktop\Halloween.rar

Filesize
515KB

MD5
33153099b3d077ac011bd19f6ed1b4a8

SHA1
4b7e1372ac544b4487a8c583877f3679ff56936a

SHA256
4c3d2c7af43689d588c096a62eba66d07894e42dd5551e769586c7d84fefc8ca

SHA512
41ca193a96517fa05c845116d7c0fe685854c87cebf57b2a822c9c9d317d865b4c6d14c65c1621958e2857ef8c41e344c2f8e920ae04163e4517b62c2230e2ff

Download Submit
C:\Users\Admin\Desktop\HideClose.M2V

Filesize
797KB

MD5
351286dde72d30819439353737abec9f

SHA1
902e3965303caa38900ef8fa9e489a5eff075b18

SHA256
8479b78886c2c95e5367b8194771d02267850a0eb97b1317f880fb21048c3fa3

SHA512
f3b2586145ff9f070dd33d35f94c8fbfe3a582397f8240a65734dcec435e46145baab35af5d07dcc361707a1c307ec45dd81f9f32f425dc3d3bd20a04b429da5

Download Submit
C:\Users\Admin\Desktop\InvokeInstall.ini

Filesize
473KB

MD5
f2ab69049af43a9c4b2e1c9cca9a2ef9

SHA1
a927f79399dfa50dba4aebf0e7c36aadc5378bd8

SHA256
834cc1c059dd71719fc6342adcf2fe9cd46f7651de14a1aea2163f8c7ad74f3a

SHA512
d33bfd81b2d508c348fa142f5649d50b9c8cb4760fc9caecafc1988b025d0bd67d0d5fbdaf8478aab2aa0f8fc0d24cdea8bed432d9828d32e92e62626a51eb0f

Download Submit
C:\Users\Admin\Desktop\JoinSwitch.xltm

Filesize
619KB

MD5
85691236ee919fc1cf93012820473a35

SHA1
dbccbe97f70bcdf5b2a14667e6fdc68e6e33e0f9

SHA256
8c029cc150ba830acafb821736859b555c59581bd893d74799b97698b7d136f4

SHA512
edca92224b305ffa46967bccc72e143040517331b63b5d931dc1c6c08bdc81e3c10859e924a49ba8ee22f311b3b5d6a843e5b909158e11a3306c73e11d12b142

Download Submit
C:\Users\Admin\Desktop\LimitRemove.mp4

Filesize
1004KB

MD5
cdeb17bd5e440eb33cf791b731dca8d9

SHA1
be0d984a6e9c2744b11dea1de6e5799800d757f0

SHA256
66a2445b6e2fca2eb79c35ff78ca6e54a72739ec26f93f9268650f3df33021ca

SHA512
e78d46fa0e537ac1b0ebbb5add78343e714d7ca97c45d6bb7eb00573a29e538682b02ab692a62b65e0e1840e1378151a64ba2ba4793f869a2e434cfd1d3060ea

Download Submit
C:\Users\Admin\Desktop\MeasureClear.dwfx

Filesize
1.0MB

MD5
9fe2dfd760cc600e16b40acab7a493bd

SHA1
84aec652428e748916df104ffa1c86f157d27dcf

SHA256
25c08bb689109eaf2a929d31a8b388959d5c5cccce2dbf3b9dc8fa2fc834c7ac

SHA512
901a7aaf118244cea78cd0cf29ee5696a9df2b4c7952fd6c9b30c928c5c37117e5d38d5e95ffa63f20d1103e86c45f4416cc5610574d5514069ea3ba661724dd

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
4KB

MD5
275022724f8f1b6192ef36f3b999b294

SHA1
9575dd2e46c47d8597a072d8a4bbd5e653356928

SHA256
92c99cddb9e1a3275ea9cf30211dce589b18aabc17bef4d48415a5617863ad88

SHA512
104bd49240935cc7bf021d51f66e70e474b9f81314a4bb761eaba7433a917592c873876a7d537c8d8eca11fdcc5fe4aa561a829a3475053c035da56da931acd4

Download Submit
C:\Users\Admin\Desktop\MoveShow.pptx

Filesize
855KB

MD5
fff1757a4c251a437b786c6ffabf6f47

SHA1
5b5b9037881030c73e3d0c08c78a03eda87b7eaa

SHA256
34f00fb9d5b9cfc426b46572c87557093b37cf6e7c98df01b6e0c7df179cd4e2

SHA512
7abb0e89ed12381bfbc4d949241bb617925725501e35d1faf0e3a6478f52925f64eec7a46aec3f61319ce916cb9153626d7e516915c3b81222adc0369322beaf

Download Submit
C:\Users\Admin\Desktop\OpenCopy.mpeg3

Filesize
412KB

MD5
5b6dc79dd875eff64cf1db5c88bcef92

SHA1
d580c7dc6628a64f9031e75f227944e5457a60ac

SHA256
e3a306156890cea216a4badd803551be0902f52f27b0d894976c054c42063b8c

SHA512
f0a0b9e16d6a22ea6d63545a06b2236a07e0e040defa3cd82ff959caedd8e1064d45c0ce0ab1348be7d0590549bb1bd221c068c863ac10d5b76e9ce57ad0f2ad

Download Submit
C:\Users\Admin\Desktop\OpenUnblock.pps

Filesize
1.1MB

MD5
d5f545f3d0158ff17104008728aabe7a

SHA1
ea251abc8fdc2b6640d41e77ea42e19ff95e075b

SHA256
525eaf87128fcbabbb67ca30f56703fcae411b7bfef748af36b86b62564a2785

SHA512
4d54027aa22cb89d3631d9bbcc3c6d212c9254c96141f577404c7cfd5910053852e26b1bf7d6e05f68f716a4531f347aba2adcbf2b430583493a811b97f4c72f

Download Submit
C:\Users\Admin\Desktop\OutUnregister.ppsx

Filesize
708KB

MD5
a03380f6717d57a61d1ae8aa0e643c4e

SHA1
bde13d69b4b07d056365cd2e74593b29ce740a5b

SHA256
8c31daa390986c8a878b9e2203e4ebe121e528aa5ee53a88fbda0b1f919f451f

SHA512
0445bdd66c9f295043d9d3d6c5615d9c818abe2467899101af0493c72f3335c0ba538a624f898d560aee4facb1e6472f1a40d0aadcba40b51d62183b8e4ae604

Download Submit
C:\Users\Admin\Desktop\OutWait.png

Filesize
650KB

MD5
5c2863792ae58d233c6cbe98bc528fba

SHA1
b04f1b65dcc27fa042169caee1f5ea35762e05f0

SHA256
71a3bf19921ce7cc3dda3d7130491a180e733193ea551554a701cad1a56649e3

SHA512
5dd8a52a315c3d6f5822e618f6e2282937377ee79f50370902726aa2e1aabcc9d91b1e186b625335a52a8bc9d915de7982926590f539812c75b1db680b738d4c

Download Submit
C:\Users\Admin\Desktop\ProtectPush.mpv2

Filesize
442KB

MD5
49770ba440b8d4d020cb41ae457d6bb5

SHA1
27bc1deeb4aa3b9de7dc13fb1daa513b2b3d9843

SHA256
0dae918cf2f2c26c47f7c16f547a66f20ce1ab4d407f3d4c747212eb60272c02

SHA512
1967a4e341c4ea32d9e9cc066468f63f8255b8e1a02fbc1ec95823962903f7df8ad2caa433872e7f809be5a4b80563bd1b66e7a3a4982b99c521ffe82301162e

Download Submit
C:\Users\Admin\Desktop\RemoveRedo.mov

Filesize
945KB

MD5
8fbae7d755ed0527074d93f5c34902fc

SHA1
4bac90052407153461516e21a44b4b61cfea23bd

SHA256
ba7b36ba4b1d9ed9d1eab1bd8ca4646cc736d947d5343184bb82cf0b738f2146

SHA512
4d9af06a0b54e69f86c9a37c86ebc04ae64c0e8249e1c3988a4f272247ea6dd5277dceaf5c411a72f3725d774517baa215f7580a1671d2470aa17ee4029c9a5f

Download Submit
C:\Users\Admin\Desktop\SearchDisable.reg

Filesize
501KB

MD5
0b10e218ee267a6037b1fb673b8cb859

SHA1
33499d270824a9b86fcc259b67fcecc23c2084b7

SHA256
5560df37dc06e620425e1c74c603f056207f1f7934b9ce9085bc26a00c681d70

SHA512
ed5d626442263261461bceea8f41dcda11b156addbea18249217e05027024e88fa2c216cd18661995d41d5292ae24586cb8d026a92c30412b0415165f772a3e1

Download Submit
C:\Users\Admin\Desktop\SearchExit.lock

Filesize
766KB

MD5
7bb1037f78487807a52baf425aad6c0a

SHA1
f06b5918c0107e0325c2416e7f6af1f765496802

SHA256
20d0ad600d74b26605f0084ede2f63b1b9686f240b71534295fed9d8524059e1

SHA512
f4de2e32683c11251192444701b5db1739b5126946b19ab0073bb68fb3fa40e8575fa1750bc9e6a1f87d2ab7246393849a00783dcb4ef3a1b70daa91fe7c0461

Download Submit
C:\Users\Admin\Desktop\ShowDismount.vsd

Filesize
975KB

MD5
4b55e1b4b239d76ce667b04fb7d4e609

SHA1
e7e2cc52d7f42cc753fe6debfed79d5a0566cc24

SHA256
f6d7ba1413c456311b9e7e6f38ce5a4a2c99a9963eb23129f430092fcd8c5dc4

SHA512
e5200e18b839fee4a55e4223f524a659eee342f476c80813df1e349c93e2d8c1b8271e91e8b654762f374a24c6359d2c94d3e8d491c9289cd3ac83edc398510a

Download Submit
C:\Users\Admin\Desktop\StartLock.vssx

Filesize
560KB

MD5
6c9f4d16c960d20d64b8e64566f483ec

SHA1
4693b6977d709f5c2ebccbfc35d57e4855843034

SHA256
9022be19ee68fd5f6d6511858170bb670dfce0699bc34cea2623edecdbd07b1b

SHA512
031369a0f05d56871978853f575c16b5d4f540ab5df1b46f3fbf4b5639ea0a6e974c7431b1e28490397bdb60f56660a978ec5620f51585300d560c95a63b544d

Download Submit
C:\Users\Admin\Desktop\SyncRevoke.lock

Filesize
885KB

MD5
68d75aa1e56c3b826e07742075dcfaeb

SHA1
0054ce05892f65e71f9085bb67525f5c43e36711

SHA256
4c5f3e78ad25b4585d07e2adde5f2f453d0f5d121ff838df37a5c6284b31c3a2

SHA512
6019500463083879396697bee3fb09d1ebea013310fa8c7b39698f5150a3244dd667a26cd401bc0551ac45ab223c4ee0d7017bd4aed2a4e697bef0c80fc973a5

Download Submit
C:\Users\Admin\Desktop\WaitUnregister.png

Filesize
531KB

MD5
4380e09fc319563b87277490b1d29757

SHA1
bf99a5b15b5883543a76117edab07b851596db92

SHA256
0edddb21842a49a094f5d1ec85ad03a44565d9c0e6d9b5a4cd4ee47df4c57a30

SHA512
fb09c85679cf61c734a06fc05919853cd5d1bfe4743ffd4a839a449fef0e6e44a2bdf64916e1048d44b5b700bb0a1e5dc2058a70c44340de041757374c4b9fde

Download Submit
C:\Users\Admin\Desktop\desktop.ini

Filesize
508B

MD5
66b564dd692eac6583b449c0f0212b1a

SHA1
21d6a2edbee63f2b4b73dcac360ecd07fa28a926

SHA256
cddac4881fdda49cd53ddf935e2cb9ca349c6a3d4696cb65e1765a2fd5ed1595

SHA512
0b8535216edb1d6e725e5f222e06bc576da4e1398cfec9e84989902484a1d5cb0a42b39ab4d2ce2f970d66d9a59fe0c3e897ed86039d0c69eb2ecd37773e88f2

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
1083d580b07ce6c07ffb11db9f105459

SHA1
c63b640fbe68766a691d28c87fd72487fef731af

SHA256
23d46c9f6a18326d642ed812444a6d15e76a631160f6ddee6ea7c155d9df45a2

SHA512
dd8f2f1c40a6e0ec0d1ab5e6b960347a2fcc127456747b88dff7f4c70bca70018e8b7116f93496594e1b0098ebb555a78279adbe821779ec7668a65c78f16713

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
2KB

MD5
e71ad8ca4e0343dee85ba7587f6b1492

SHA1
9b30ab2ee208074868a0ad33d428a1e9d575dd94

SHA256
dc4ab5fa0c9499faf958f8c533405017bd11eb0e1d457a664585e52c4a32fd33

SHA512
382b55d8faaab5163d258439d5d41e6b683a56ff72838e82675e6f7ea6c5a1b658c21012e411ae15ba3b8b103fa2cc5eb06d64b2a9d7d44402fe460276280f31

Download Submit
C:\Users\Admin\dec.exe

Filesize
5KB

MD5
9a8eb39019501c38ee58bcfa5c2e9d2e

SHA1
bc230963cab5ec472eee13a106b073f06ece4f21

SHA256
073b78f455acaf27488fdbcfccf4e8527e3eb7d4a90a07af534935a9957f0f79

SHA512
86483277c8745c905d887210f8bf670f5a2736b4312e26dfc686a961f79e4b38d334e3ebef4394d8b1e316704140492d94e676fa93792847f8e8f204b0ac2865

Download Submit
memory/4732-240-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download