
Analysis

  • max time kernel
    108s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 16:14

General

  • Target

    5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe

  • Size

    135KB

  • MD5

    7813e5030b0092e14d1fb0209ce922ec

  • SHA1

    2f8b63c5084acdeb7d96c1c26a71aef2cdaa0694

  • SHA256

    5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181

  • SHA512

    eb7f0c0853312973ee8faa86f5b4d50d0ac102ddf5a0d177eff2ced87ca99a5f99af5880a3f469361fc5e0b9c2e834da04f5dd92db69b1389c008ac1c417e238

  • SSDEEP

    3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rfvlJk7xFRaSG2yQM:WTfFDbRnOTrf9JyS52c

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 45 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but nothing else in this report supports that reading: no file encryption or ransom note is recorded, and the observed activity is shortcut and browser-homepage hijacking.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments. Here the read is attributed to runonce.exe (PID 1076), a Windows component spawned by the INF install rather than by the sample's own scripts, so on its own it is weak evidence of sandbox evasion.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe
    "C:\Users\Admin\AppData\Local\Temp\5c1ceb3424899fb127a8d613743a7da75b5d20ac3b17847759eecb05b28ec181.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\system32\5y.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\WINDOWS\system32\hao.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:984
        • C:\Windows\SysWOW64\reg.exe
          Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
          4⤵
          PID:816
        • C:\Windows\SysWOW64\reg.exe
          Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f
          4⤵
          PID:1324
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf
          4⤵
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Windows\SysWOW64\runonce.exe
            "C:\Windows\system32\runonce.exe" -r
            5⤵
            • Checks processor information in registry
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Windows\SysWOW64\grpconv.exe
              "C:\Windows\System32\grpconv.exe" -o
              6⤵
              PID:520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:1204
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\╫└├µ\*.lnk" /p everyone:f
          4⤵
          PID:1464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:868
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\╫└├µ\*.url" /p everyone:f
          4⤵
          PID:1180
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:2012
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Documents and Settings\All Users\╫└├µ\*.lnk" /p everyone:f
          4⤵
          PID:1284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:1968
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Documents and Settings\All Users\╫└├µ\*.url" /p everyone:f
          4⤵
          PID:1052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:288
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" /p everyone:f
          4⤵
          PID:2000
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:832
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.url" /p everyone:f
          4⤵
          PID:1632
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.7802.com/index1.html
          4⤵
          PID:1120
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.7802.com/index1.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:284
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1644
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://fzlsisi.com/fenlei.htm
          4⤵
          PID:1704
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://fzlsisi.com/fenlei.htm
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:576
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1576
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:1468
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:1656
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\═°╓╖╓«╝╥.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:1856
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:952
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\╫└├µ\├Γ╖╤╡τ╙░.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:864
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:1964
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╠╘▒ª╣║╬∩.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:1596
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:1740
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" +R +S
          4⤵
          • Views/modifies file attributes
          PID:1552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:1696
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" /p everyone:R
          4⤵
          PID:1996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:1440
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Expleror Σ»└└╞≈.lnk" /p everyone:R
          4⤵
          PID:1872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:1976
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk" /p everyone:R
          4⤵
          PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:816
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\├Γ╖╤╡τ╙░.lnk" /p everyone:R
          4⤵
          PID:1324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:2020
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\╫└├µ\╨í╙╬╧╖.lnk" /p everyone:R
          4⤵
          PID:1396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:1768
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\╫└├µ\╠╘▒ª╣║╬∩.lnk" /p everyone:R
          4⤵
          PID:1076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:1068
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\Internet Expleror.lnk" /p everyone:R
          4⤵
          PID:1708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:2032
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\╨í╙╬╧╖.lnk" /p everyone:R
          4⤵
          PID:1204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          PID:688
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\├Γ╖╤╡τ╙░.lnk" /p everyone:R
          4⤵
          PID:768
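The tree above is a compact shortcut/homepage-hijack chain: a VBS drops hao.bat, which hides the real Internet Explorer desktop icon (the CLSID {871C5380-42A0-1069-A2EA-08002B30309D} in the two reg.exe calls is IE's desktop-icon class), installs a Run key through rundll32/setupapi with C:\TmpInf.inf, replaces the Desktop, Start Menu and Quick Launch shortcuts with its own "Internet Expleror" and ad links, and then locks them with cacls /p and attrib +R +S so the user cannot easily remove them. The cmd /c" echo y" siblings exist only to answer the confirmation prompt that cacls /p asks. The folder names look like box-drawing noise because the sandbox console printed GBK bytes as code page 437 glyphs; ╫└├µ is 桌面 (Desktop) and í╕┐¬╩╝í╣▓╦╡Ñ is “开始”菜单 (Start Menu). The script below is an added example, not tria.ge output or the sample's code: it undoes that mojibake and flags each technique over a constructed event list copied from the command lines above. The (pid, cmdline) tuple layout and the rule names are assumptions made for the example.

```python
"""Triage helper for the shortcut/homepage-hijack chain in the process tree.

Added example (not tria.ge code). SAMPLE_EVENTS is constructed from the
command lines in the report; the (pid, cmdline) layout is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str
    pid: int
    cmdline: str


def demojibake(s: str) -> str:
    """Recover GBK text that the sandbox console rendered as CP437 glyphs.

    Assumption: the Chinese folder names were written as GBK bytes and shown in
    code page 437, so re-encoding the glyphs as CP437 and decoding as GBK gives
    the original text (e.g. '╫└├µ' -> '桌面', Desktop). Strings that do not
    round-trip (plain ASCII passes through unchanged) are returned as-is.
    """
    try:
        return s.encode("cp437").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return s


# One regex per technique seen in the tree; matched against the decoded line.
RULES = [
    ("INF DefaultInstall via rundll32/setupapi (Run key persistence)",
     re.compile(r"rundll32.*setupapi(\.dll)?,\s*InstallHinfSection", re.I)),
    ("Hides a desktop icon via Explorer\\HideDesktopIcons",
     re.compile(r"\breg\s+add\b.*\\HideDesktopIcons\\", re.I)),
    ("Rewrites the ACL of .lnk/.url shortcuts with cacls /p",
     re.compile(r'\bcacls\b.*\.(lnk|url)".*/p\s+everyone:[rf]', re.I)),
    ("Marks shortcuts read-only+system with attrib",
     re.compile(r'\battrib\b.*\.lnk".*\+R\s+\+S', re.I)),
    ("Launches Internet Explorer to a remote URL",
     re.compile(r'iexplore\.exe"?\s+https?://', re.I)),
]

# First quoted argument of a cacls/attrib call, when it names a shortcut.
SHORTCUT_CMD = re.compile(r'^\s*(?:cacls|attrib)\s+"([^"]+\.(?:lnk|url))"', re.I)


def analyse(events):
    """Return a Finding for every (pid, cmdline) that matches a rule."""
    out = []
    for pid, cmdline in events:
        text = demojibake(cmdline)
        for name, rx in RULES:
            if rx.search(text):
                out.append(Finding(name, pid, text))
    return out


def hijacked_shortcuts(events):
    """Decoded shortcut paths that cacls/attrib touched, in first-seen order."""
    seen = []
    for _, cmdline in events:
        m = SHORTCUT_CMD.match(demojibake(cmdline))
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


# Constructed sample: (pid, command line) pairs copied from the tree above.
SAMPLE_EVENTS = [
    (816, r'Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t "REG_DWORD" /d "1" /f'),
    (1068, r"RUNDLL32 SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\TmpInf.inf"),
    (1204, r'C:\Windows\system32\cmd.exe /S /D /c" echo y"'),  # answers the cacls prompt
    (1464, r'cacls "C:\Users\Admin\╫└├µ\*.lnk" /p everyone:f'),
    (1468, r'attrib "C:\Users\Admin\╫└├µ\Internet Expleror.lnk" +R +S'),
    (1120, r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.7802.com/index1.html'),
    (1076, r'"C:\Windows\system32\runonce.exe" -r'),  # Windows child of the INF install
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"PID {f.pid:>5}  {f.technique}\n           {f.cmdline}")
    print("shortcuts touched:", hijacked_shortcuts(SAMPLE_EVENTS))
```

Running it lists five findings (the reg, rundll32, cacls, attrib and iexplore lines) and leaves the echo y and runonce.exe processes unflagged; the Desktop paths come back as C:\Users\Admin\桌面\... once decoded. Feed real process-creation events (Sysmon Event ID 1 or the sandbox's own export) in the same (pid, cmdline) shape and the rules apply unchanged, since matching is done on the decoded text.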

Network

MITRE ATT&CK Enterprise v6

Downloads

                                                                        • C:\TmpInf.inf

                                                                          Filesize

                                                                          58B

                                                                          MD5

                                                                          ef482bb78b8fff6cf20ec2ff9a677a93

                                                                          SHA1

                                                                          7613c5c62b89e63dc686c0f4007c4a77a4a77335

                                                                          SHA256

                                                                          7fc3b374408af4dac1e4c39fc1218c98cb692241fd2a753ed169627e70f1536d

                                                                          SHA512

                                                                          b4f00ef86cf8fa09517eb09d16d448d45363b87973fe346b3b6b6e9c3c41e087ede8c1a9aa0934fc1abd4d0fb01b853ec501c3bca5483a539c8d28607fd45166

                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                                                          Filesize

                                                                          60KB

                                                                          MD5

                                                                          6c6a24456559f305308cb1fb6c5486b3

                                                                          SHA1

                                                                          3273ac27d78572f16c3316732b9756ebc22cb6ed

                                                                          SHA256

                                                                          efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

                                                                          SHA512

                                                                          587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                          Filesize

                                                                          344B

                                                                          MD5

                                                                          214176395573a10a905df624f09758fc

                                                                          SHA1

                                                                          df1d57286b49fbab6610d7d3d02ae5c449b5e130

                                                                          SHA256

                                                                          a9acb752f9429ddc02b8af082f57a374934e222f0614978837ae276c33801fde

                                                                          SHA512

                                                                          912104535ff0fbc05b0daeae7241506f4d1dd267a664c8c0e917eb5c633bcd273d21607b3a326bc377b7c0d6a02e7c1b7f586b70158f47ea96c8f5273480ea6b

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ABC978C1-3889-11ED-9738-7E4CDA66D2DC}.dat

                                                                          Filesize

                                                                          4KB

                                                                          MD5

                                                                          318e082f2a34a034c969189043048249

                                                                          SHA1

                                                                          64ffa066043e08de3c44565f98cefebfb033bf57

                                                                          SHA256

                                                                          3bf5f121f2340901655ceae48eec1c9a56bd046b8b31a690232018769fcd95f2

                                                                          SHA512

                                                                          a0f77a75de85baab33698653d4956c431b658a1346b35df70de225b9efb6fdf43dbddcba84970c5a2a3cc77ad3b590b66f8076119d5208bb0f21856fecf91d3c

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ABC99FD1-3889-11ED-9738-7E4CDA66D2DC}.dat

                                                                          Filesize

                                                                          3KB

                                                                          MD5

                                                                          b0b637ce991fc2e0088e20e3e5270e54

                                                                          SHA1

                                                                          18d595e2d50a723a7a78f4683b64be210a15ab6f

                                                                          SHA256

                                                                          33a2ba3fc66983448fc4428c2250bb21e990802a8c2ad6341d185c7683f49126

                                                                          SHA512

                                                                          17283c774057e15c5fd93916e8e6a45613ebfeca2c12750e94739b6aa8bcc6f3973b14600f40338a73390b3ef5d4629ed4429335a872e448e066336005ba1bf0

                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VUEAJ9G2.txt

                                                                          Filesize

                                                                          606B

                                                                          MD5

                                                                          e9d4165495c90f14e3f37a3f7da96100

                                                                          SHA1

                                                                          5396a61ccc3d8d3f5e707d311fab6331e6d59947

                                                                          SHA256

                                                                          2dae621d6ff5a0bc912868047d9f5f22bd2ea68132e312bf4c827476110e7493

                                                                          SHA512

                                                                          84da65778538dbe39840941399994c2c311433a623714d063307bfe5b1d908ef723dee998ac0422d0a17888530e5cff46bb8968832ad3c626985cbec78e451db

                                                                        • C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Expleror Σ»└└╞≈.lnk

                                                                          Filesize

                                                                          800B

                                                                          MD5

                                                                          a3ab5b82d1e6714262bc167f130045c5

                                                                          SHA1

                                                                          94998582d6029b0539b26dcecd2b1050dfcc9d12

                                                                          SHA256

                                                                          5a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17

                                                                          SHA512

                                                                          1c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28

                                                                        • C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\╨í╙╬╧╖.lnk

                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          91cc4989f6d5a642533dfb150f97dadc

                                                                          SHA1

                                                                          61bb275bc5645e131145e4ff57c8175f9669e03c

                                                                          SHA256

                                                                          84c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821

                                                                          SHA512

                                                                          d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5

                                                                        • C:\WINDOWS\SysWOW64\hao.bat

                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          64e9d4f8cd396c5b7dd0084d6c0619c5

                                                                          SHA1

                                                                          0a6e405b7d0092b1bd671c973980f8bb482201ce

                                                                          SHA256

                                                                          5302208aa85b805180cf7becb7d180f1d5729bcee241b543904be3e3eb2c0189

                                                                          SHA512

                                                                          e57c797e75baf5b387f92dbc5d46e92bd9d0709ea2aa5b70537b67006244ab56446b717b013a05cdf48d19d39150fac7003ab1f76e2c59458f451e352598fe3e

                                                                        • C:\Windows\SysWOW64\5y.vbs

                                                                          Filesize

                                                                          2KB

                                                                          MD5

                                                                          1ea9a74910e8916e5009aa50da3cf7ea

                                                                          SHA1

                                                                          0953ae0f63d2c65343a7fdade9a767c70b32ffd7

                                                                          SHA256

                                                                          97c76777fdbe48fb0ad555fa26c7f82fceec059b3f7605c14bc23573fd012f35

                                                                          SHA512

                                                                          0290082a7dfd1beed055be1e46c667d5ddb1311c2feb8139dd686dd38d5eb6025b673988613918f7c8eeb73d37439bcf7407911e6d9a13a42fa91239ae8a150b

                                                                        • C:\Windows\SysWOW64\Inonet.lnk

                                                                          Filesize

                                                                          800B

                                                                          MD5

                                                                          a3ab5b82d1e6714262bc167f130045c5

                                                                          SHA1

                                                                          94998582d6029b0539b26dcecd2b1050dfcc9d12

                                                                          SHA256

                                                                          5a0e9a8d8944168ae9afe2d3b50268c83f19f541d33bd6c71c2cd2ed4eea2e17

                                                                          SHA512

                                                                          1c2c7a4830072cd3625ef291b6b013e3445eed7feb91f54a51eb7b6e776061f8f2df15c60f658dacad72f646f19b384777db2ccd2f164d6682d498e978671d28

• C:\Windows\SysWOW64\hao.lnk
  Filesize: 949B
  MD5: 18a02e96e6f8060796b4d5f3772c9e9b
  SHA1: 8bbcefd7ef25b865bf94461c42f553154bb4698f
  SHA256: 864c6e35c52d56146166a8a9bdadb011b04198cc179b6b1902f9f05ae8ab8a26
  SHA512: 4697774150a929dac6c34e1cde3ef9a6f1ee6711c1e16b068768dfdd03b21664377cd6f54ff7f8b8c92e9379b9bb3817c354c1ab061c64ffe49b76ecd606ccef

• C:\Windows\SysWOW64\ku.lnk
  Filesize: 945B
  MD5: a8e22b6219720d3fab60fc8b96f8c24f
  SHA1: c1892837d5ccd6dcb3bd4f45aa353b430313a86a
  SHA256: ca149ca1e50c55155c410e0609b8cea09442dc153d33c9d1682eaa8519d1e89b
  SHA512: d96706fa4883962d35c7cd89234940fb10304eba14746454f85c09b3233d7ba71ad462ac4c4333a50eed2ebc6d29c12076d3d0b4f74656fca0d27f01a8f164d1

• C:\Windows\SysWOW64\yx.lnk
  Filesize: 1KB
  MD5: 91cc4989f6d5a642533dfb150f97dadc
  SHA1: 61bb275bc5645e131145e4ff57c8175f9669e03c
  SHA256: 84c894e082fd9c8129332a0a516fe8e945b815ee796e801aac80533bd3897821
  SHA512: d96205dae2feadfbd9e0029a9f097d5515fa5a9aca56811053f1faddf2631cd08152224d84e21fb27be18571891a296dda915cf615aff985ebb12228ed6ad1b5

• C:\Windows\SysWOW64\zq.lnk
  Filesize: 1KB
  MD5: 586858afd4ab25de0f002a9f046f1b66
  SHA1: 8b713dcaf0818194efa47e821c75f07a2abc406b
  SHA256: 49a14034c6e670acf765ac34a6066b5c92d7dd841848d8a9ac430f00f58609bd
  SHA512: 0f13c8ba1f1f8863c2e04a0c1d5aa0688bbf985def8bcdbd154b9cc5ef9e9653b9fdea332726d28cc505ddf72d45c326cc8fa5c683f9087b54055252059a0414

• memory/1988-54-0x0000000075A91000-0x0000000075A93000-memory.dmp
  Filesize: 8KB