b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe
Size

752KB
MD5

d38b262cf9b321b990f19a4791170422
SHA1

6b5b195570825dbe82da855661df468595b5cc32
SHA256

b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef
SHA512

02ba352b14f4045ac08804397c03ff37f0aee908d8cb7990fa8e8980ddf42d01987bfaf068f5e0c9d06d93985b603eb11bc816ca0e9e871a5e0420ac3d8ca548
SSDEEP

12288:f2Pn6uN/0s4ZO5XqwTLxY/q6r1LtZYsHGllHx4wgK/225+Mctm8sC3rSd/AE1Qbm:ePPNssdVlO1LtGl1GZt3GdIEWUEi

Score

8^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3256	sup.exe
4152	instsrv.exe
1900	svchost.exe
2012	csrss.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3212-132-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3212-136-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\Desktop.ini	b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe
File opened for modification	C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\Desktop.ini	b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\mIRC\DateUsed	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\mIRC\DateUsed\ = "1670084708"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\mIRC	csrss.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\RECYCLER\\S-1-5-21-606747145-1085031214-725345543-500\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\RECYCLER\\S-1-5-21-606747145-1085031214-725345543-500\\csrss.exe\""	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\RECYCLER\\S-1-5-21-606747145-1085031214-725345543-500\\csrss.exe\" -noconnect"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\RECYCLER\\S-1-5-21-606747145-1085031214-725345543-500\\csrss.exe\" -noconnect"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "svchost"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "svchost"	csrss.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3760	regedit.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	csrss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2012	csrss.exe
2012	csrss.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3256	3212	b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe	81
PID 3212 wrote to memory of 3256	3212	b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe	81
PID 3212 wrote to memory of 3256	3212	b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe	81
PID 3256 wrote to memory of 1840	3256	sup.exe	82
PID 3256 wrote to memory of 1840	3256	sup.exe	82
PID 3256 wrote to memory of 1840	3256	sup.exe	82
PID 1840 wrote to memory of 4260	1840	cmd.exe	84
PID 1840 wrote to memory of 4260	1840	cmd.exe	84
PID 1840 wrote to memory of 4260	1840	cmd.exe	84
PID 4260 wrote to memory of 540	4260	net.exe	85
PID 4260 wrote to memory of 540	4260	net.exe	85
PID 4260 wrote to memory of 540	4260	net.exe	85
PID 1840 wrote to memory of 4152	1840	cmd.exe	86
PID 1840 wrote to memory of 4152	1840	cmd.exe	86
PID 1840 wrote to memory of 4152	1840	cmd.exe	86
PID 1840 wrote to memory of 3760	1840	cmd.exe	87
PID 1840 wrote to memory of 3760	1840	cmd.exe	87
PID 1840 wrote to memory of 3760	1840	cmd.exe	87
PID 1840 wrote to memory of 4332	1840	cmd.exe	88
PID 1840 wrote to memory of 4332	1840	cmd.exe	88
PID 1840 wrote to memory of 4332	1840	cmd.exe	88
PID 4332 wrote to memory of 4188	4332	net.exe	89
PID 4332 wrote to memory of 4188	4332	net.exe	89
PID 4332 wrote to memory of 4188	4332	net.exe	89
PID 1900 wrote to memory of 2012	1900	svchost.exe	91
PID 1900 wrote to memory of 2012	1900	svchost.exe	91
PID 1900 wrote to memory of 2012	1900	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe
"C:\Users\Admin\AppData\Local\Temp\b88a8426264cc88a6e19f31a2a8a15c58e9004e1f8e157e8ad87f471e1bcecef.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:3212
- C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe
  "C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt2755.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\net.exe
      net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:540
  - - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe
      instsrv.exe svchost C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe
      4⤵
      Executes dropped EXE
      PID:4152
  - - C:\Windows\SysWOW64\regedit.exe
      regedit -s a.reg
      4⤵
      Runs .reg file with regedit
      PID:3760
  - - C:\Windows\SysWOW64\net.exe
      net start svchost
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start svchost
        5⤵
        
        PID:4188

C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900
- C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe
  C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a.reg

Filesize
556B

MD5
5ee7fe7e4463ecabdb6236033d2c3a05

SHA1
ea831d9104dae3eaf30ab8f90dbd34eedc9145a3

SHA256
236da3230ac60deed70eeb38f92a9d60a0eca2f9ee960f0127802ba768ee8fde

SHA512
e15a864ee16c243460516b16e26ad791f202f66f949a8ea824709d70846f78061d603fdc1c77835d8f772edf3459e01bb4ea2f593e16c07ec4fe891eb133b87b

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\aliases.ini

Filesize
11B

MD5
2218df9cdffc814a3dc25c81dd8619dd

SHA1
0290f796218937f61331adc8803788e7cd4c2299

SHA256
455831b583cfa9549746bcd296a60f5191d2eff7829d469e029b68768c5e56d1

SHA512
7aa4c745dfce7b2c38c4930e8275885727a19480597f685f89ab0e536175c31a2d5ee61cfd84b483f73eb211970a1a4fefcc59d8ef97b9af7bf09b7dcf932efa

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\control.ini

Filesize
61B

MD5
f5d1a3af67f05f5af2b0fca009887a97

SHA1
bddaa45a9849524c4648fb778b7e0601d35ecbed

SHA256
d846844887cfecb6cfbf1fa51dd2380cd203b21d154e1938df15567c256f97a5

SHA512
21d84f8fb1cc2c3abda0452704f45e3c79092b33e7bb3a5fdc3973cacc53014681ba7977df60818f0375353fdac4e58977048c4db275c1c689f6ed4aef2a3496

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe

Filesize
579KB

MD5
def8c81af6b9eca2309b735bff710aaf

SHA1
7b1e9bda9d2cf0f6e626f5d8eb186280edbaf20c

SHA256
babda4e7c14e753ce01212ad1efa9d2718d1edaaec3d11e6d2676689645a3171

SHA512
64bb4ae41507a5d0a6657caec00ead3ad964e5ae969b04eda5ea933a4215621f6c2e5af9f21df2ddd33636b1af1116b00634e5831723430cf80bab2aa9d9b01c

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe

Filesize
579KB

MD5
def8c81af6b9eca2309b735bff710aaf

SHA1
7b1e9bda9d2cf0f6e626f5d8eb186280edbaf20c

SHA256
babda4e7c14e753ce01212ad1efa9d2718d1edaaec3d11e6d2676689645a3171

SHA512
64bb4ae41507a5d0a6657caec00ead3ad964e5ae969b04eda5ea933a4215621f6c2e5af9f21df2ddd33636b1af1116b00634e5831723430cf80bab2aa9d9b01c

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\fullname.txt

Filesize
96KB

MD5
c0fcd3962beeda650319f1e24ead7708

SHA1
5cfd0ad4007a5b844ea7ff24da2ae0c6361d0d77

SHA256
7b55a4755bbf2d6d2b09f16781e7639a879d6cd81c4269f62c3201581f592c54

SHA512
fd3ca25b6376f80d4edae158a4eccaa99ad92194756f78c84f1b9a28183d64996a607474ee3c0f902f3e5e1016bf81cd7192703070074e7d76f34fb8e8ada1c6

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\identd.txt

Filesize
54KB

MD5
81e6744d784e944665869cb2e6bb2b2e

SHA1
b2c80810dcfcd32a80a7575238882a5bf084657d

SHA256
23bbfe315125a2b4b89219e851d8e9513788c2700a1a3b574abc79fc81c0ac57

SHA512
05d4bff56cdb118c080632f01e0c00c8930148be39021c011738d9e1d1a602b87965070c56ade94d3bb94958bbff1fa678ff6c4c31f7745e3194a96a7f0753b5

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ico

Filesize
5KB

MD5
e09aa9787af5cc53fd7525dd6693cf10

SHA1
57445d0779a66c61741822c0a7988573efee13d7

SHA256
c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

SHA512
b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ini

Filesize
2KB

MD5
c1448370682f97b6759fd67f440f8a06

SHA1
d27b17e9cc27ae2b8067ef56cfdc4292ab766be4

SHA256
ebf1649eadda1f0da52426bbb25259cbc89000d88e32edc695675cd74f29d994

SHA512
110bf82f63e3e0d98d2bbb560528bd66228a326fb17acdcacfed8d6475ba744982c96b607b24a324a0ea49c5d2f4357b39e2a70e62d27a5df06e638c4c79c402

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\nicks.txt

Filesize
54KB

MD5
81e6744d784e944665869cb2e6bb2b2e

SHA1
b2c80810dcfcd32a80a7575238882a5bf084657d

SHA256
23bbfe315125a2b4b89219e851d8e9513788c2700a1a3b574abc79fc81c0ac57

SHA512
05d4bff56cdb118c080632f01e0c00c8930148be39021c011738d9e1d1a602b87965070c56ade94d3bb94958bbff1fa678ff6c4c31f7745e3194a96a7f0753b5

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\remote.ini

Filesize
80B

MD5
3d3a70af91132f9ff90a2061287ba6b9

SHA1
43976df5f88967e193751b27d569c113cbf9ffce

SHA256
5509c55903dc9cf88faa4a1fa5996f7c5855de0b48c22dc6e9a09ef647f034c2

SHA512
987c558f3b18793ddc9695307f1fb693624b1ffd8598d3b6c932d6b3c155da5d76ba1c4b52c3544cf6330ea1a32fdd4185dd484c7f84f43bbe618abdfec31ce4

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\script.ini

Filesize
9KB

MD5
0c1bd1b89a838df7c53c8b1308e004a3

SHA1
4c1d5729d75066b788ee99d0a28bf8385a349099

SHA256
209929060f32ed229bb30897ebced22f8ef615fc603caf57086b4a93b7ce2f35

SHA512
a1681297ee92c4d9445b910fd117d02cfafd6f7a8f1ef3cecb8030ba9babcb143acda01c45b35c4641242633daf232c52a18f5ebec592f387ea6b5a2b2165f0b

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\servers.ini

Filesize
1KB

MD5
af1a64313634b37ff3b1ed370ce26e24

SHA1
1476aa12e363070a6278226ac46b3d94b5522848

SHA256
c053af0fe69090a7e25a8172f6af80fd7a0ee4e826073c8749f0ce8e820d9ad7

SHA512
1bff18ba6c529af4ad3c71c7f8d5c4f3513c89c061ba64abbc17d7ff9ee330774fc0e953c18998fff93bd865cbbbf7e4a569ac3d5f0c2c732c7a03c849a7b22e

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe

Filesize
146KB

MD5
8ecf1b30f5fbb12a2fe138364d351a26

SHA1
ff0b828a9df228cf05898d6db9982a1fedbc0584

SHA256
22a51f140a738f69da01c21ab6fcf9a5ec653da1e4a73ad107e1a0faffba16fb

SHA512
1971ea29934fb3c09c53d41db23616f2d3b89bba81db51ce7f09840489f0d471dd8bfe5b09d335020f11047af744c4c4c5ab3d896f9b8d222b6b93c419201560

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe

Filesize
146KB

MD5
8ecf1b30f5fbb12a2fe138364d351a26

SHA1
ff0b828a9df228cf05898d6db9982a1fedbc0584

SHA256
22a51f140a738f69da01c21ab6fcf9a5ec653da1e4a73ad107e1a0faffba16fb

SHA512
1971ea29934fb3c09c53d41db23616f2d3b89bba81db51ce7f09840489f0d471dd8bfe5b09d335020f11047af744c4c4c5ab3d896f9b8d222b6b93c419201560

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\users.ini

Filesize
283B

MD5
e7d7a4d5ddbb0502973e9e72bdea0d0c

SHA1
a1a134b74d786e54faacd899d6ee34446b5662ff

SHA256
6ef8d737e8dc6f761b10d5ae2120c5dcf6774ad4ffb2b11c33e27125aa915d6e

SHA512
8e1bd2f0970e551fb55ff69765feaae05585b5456ab3e2c19ca984b54f927976c163b41cc5878e1997a67e15800460d595a5a01b46270fa61673370f422c02b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt2755.bat

Filesize
220B

MD5
df6887d17e2c9912e637347ec7ca20b5

SHA1
dfcd2ad7429ac5ad537e6b7d10004cd7c9168066

SHA256
f331858ea0c53b1a2b1fa301f5e74dddc7888dd874bd3968007dae4e4808d39c

SHA512
b79559945d4ca0d78fb12ff15d397e4bbd4e0bae6eba96721bffc246b3c423e5cd2bd1aacaeed12f5740e111cd8dafcef9c97a497022da0deff44770464e885f

Download Submit
memory/3212-132-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3212-136-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download