netwalker | aac978c3de17df019ea0f1df536206f73b9a46398fbb7f2a3a7d759e359c5461

Analysis

max time kernel
114s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2022 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304.ps1
Size

902KB
MD5

7770c598848339cf3562b7480856d584
SHA1

b3d39042aab832b7d2bed732c8b8e600a4cf5197
SHA256

ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
SHA512

02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
SSDEEP

6144:KxYcCQ2x63Ib0NQrqxpPbI1ZVedvUhwDNGjG+zBumDKemdglhykA:KCQ2x6TdvUqDUjG+zBumDKemdgy9

Score

10^/10

netwalker ransomware

Malware Config

Extracted

Path

C:\251DD8-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .251dd8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_251dd8: 4lALmzIUybbmda+xFKG+2GvlsNUeRIvSHW5QaaVt7QBbWLD5L9 OvgojT8Dhxp73f7txDalyEFFWn1HsQtnNe5F5RPI4nl4prkTQh 0qXYHSUUclorXMJYsuzIH3rtKOlcaOirlDSMslB4L1pqOjMlDL F8LEf6oIWHsvL7XxDmhFQNjDR2Hoclc7TyzVechXXBG2UMx8dp OIWFLcqximSuOCVPNW8tO9KtBgP22BGUbgh9ATmpz9D064eyPB 5pTgOQzWpOzFfZQiFem+/yen4Hlb9DCttqKFS7Vg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

Explorer.EXE

description ioc process

File opened for modification C:\Users\Admin\Pictures\GroupRestore.tiff Explorer.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\GroupRestore.tiff	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\startup.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\PaintA.ttf	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\251DD8-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7734_32x32x32.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\TimeAppService.winmd	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_half.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\LargeTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-125.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\powered-by-foursquare.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-20.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\251DD8-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\PlayStore_icon.svg	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\251DD8-Readme.txt	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\251DD8-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-100.png	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\251DD8-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256_altform-lightunplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymxb.ttf	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-96_altform-unplated_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24_altform-lightunplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-72_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_fr.json	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-20.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-150.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-100.png	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE

Modifies registry class 49 IoCs

Processes:

Explorer.EXEOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e80d43aad2469a5304598e1ab02f9417aa8260001002600efbe1100000053bae494d2f5d8014bc17b9ef810d9014bc17b9ef810d90114000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Explorer.EXE

pid process

2728 Explorer.EXE
2728 Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeExplorer.EXE

pid	process
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2728 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeExplorer.EXEvssvc.exe

description	pid	process
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2728	Explorer.EXE
Token: SeImpersonatePrivilege	2728	Explorer.EXE
Token: SeBackupPrivilege	4988	vssvc.exe
Token: SeRestorePrivilege	4988	vssvc.exe
Token: SeAuditPrivilege	4988	vssvc.exe
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE
Token: SeShutdownPrivilege	2728	Explorer.EXE
Token: SeCreatePagefilePrivilege	2728	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Explorer.EXE

pid process

2728 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

2728 Explorer.EXE
2728 Explorer.EXE
2728 Explorer.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Explorer.EXEOpenWith.exe

pid	process
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
3224	OpenWith.exe
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE
2728	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

powershell.execsc.execsc.exeExplorer.EXE

description	pid	process	target process
PID 1400 wrote to memory of 2272	1400	powershell.exe	csc.exe
PID 1400 wrote to memory of 2272	1400	powershell.exe	csc.exe
PID 2272 wrote to memory of 4152	2272	csc.exe	cvtres.exe
PID 2272 wrote to memory of 4152	2272	csc.exe	cvtres.exe
PID 1400 wrote to memory of 3716	1400	powershell.exe	csc.exe
PID 1400 wrote to memory of 3716	1400	powershell.exe	csc.exe
PID 3716 wrote to memory of 2492	3716	csc.exe	cvtres.exe
PID 3716 wrote to memory of 2492	3716	csc.exe	cvtres.exe
PID 1400 wrote to memory of 2728	1400	powershell.exe	Explorer.EXE
PID 2728 wrote to memory of 4356	2728	Explorer.EXE	notepad.exe
PID 2728 wrote to memory of 4356	2728	Explorer.EXE	notepad.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oqdu54px\oqdu54px.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65F2.tmp" "c:\Users\Admin\AppData\Local\Temp\oqdu54px\CSCDC506B262A3407AB464A43D593261E.TMP"
    3⤵
    PID:4152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ijwmiesc\ijwmiesc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES718B.tmp" "c:\Users\Admin\AppData\Local\Temp\ijwmiesc\CSC460F2FA03D854850821284B664F8F571.TMP"
    3⤵
    PID:2492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
  2⤵
  PID:8996
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\251DD8-Readme.txt"
  2⤵
  PID:4356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
49a8e779c9fce173afc8e68a079c0f10

SHA1
173537a401f2b124059a3af36856ac74491c4408

SHA256
7ddabf885b19a27c614fda6ca0b44e26defde5eb1a5e89668331d098a59adf64

SHA512
bf54b9bdc394a87112d26bc83e531ff41f25b22fd0bf2a29d1cb4e27ff0cdc4e03929d4f907f99c2f2302a4eeb890cb53e472a6a6825e9629907279f2fc61843

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65F2.tmp

Filesize
1KB

MD5
329a69b4a6dc994f500747957d38b817

SHA1
e2dca7c21eb52a3652a2aa69a37be21d4ded6519

SHA256
c16d38b9f0eaafa74293f93ca07d8482f8078175d8d690a1b70769613aebb675

SHA512
c328dd9a17048ae74596bdea1b16050f09e8ed0c772ad6f917686c5247feda55779d2629f1aeaddd93ec7ea6d651c0f17c53842ce83b3576ea2e042befe53d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES718B.tmp

Filesize
1KB

MD5
b9662d3265cd1bd799604e8ba966d89b

SHA1
d0dde25809756756a22068064e9bc85e38f6d284

SHA256
9b0522aa1578be2b8f6b2fd2d2d6a7a45147722c7a1a3fd130bdce74e089db7e

SHA512
3e609b2ad8126b9fd8dc9b1c25ac9d11596654d48b755e6d4c2eb9170391a1c84d480a205d6e945c131f1423b280f831b065fd1d5c75f968dc5143cf24f6ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijwmiesc\ijwmiesc.dll

Filesize
4KB

MD5
5629985521a37dbbbd6f5e1a96073a21

SHA1
8bfbf926b98f1c6b6d4001cb868d10bf11af3d0e

SHA256
8e9ad98cf5d6acc1c16fb6622e43c799a550d6ebb17e76625775254f76c9bc27

SHA512
2a5b0f6e4ba1c2d5568bc5feb0b3d018f1e775c4e715dea6e869793e28133aa17c57fed7f5d0fc995c94b88f944b94a23a30d28434337f9f43a05f071ba2e7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqdu54px\oqdu54px.dll

Filesize
6KB

MD5
802035b0caaeba998f926d8941a771ed

SHA1
6c0621d92061761e0e96052086abb58c62affe90

SHA256
fa75f79f418fdaefcf5d15d6a5bf2a3cf342d6b97f2b00d6e683f78b8362a782

SHA512
f9c72e5c772fe1c6221233507511f49bd6b7c9c7a1427d2381055390c9fcc78fb508935ae5dfb41605c1e6c084d1cc96124068556feb1bda3a4d724afb105e08

Download Submit
C:\Users\Admin\Desktop\251DD8-Readme.txt

Filesize
2KB

MD5
461b53164fe862d9b3bcce12c4f65edd

SHA1
ec2ab9151e376bce8738982e64a034b9430ca54c

SHA256
bbeb6ebf02eb0620551ca2cde32f1b8838f2a53607c11c6e4b6812c3d02e46e4

SHA512
cf2147948950214448cb275cd480ae1a90e568d05b5c85e432cf40f3f807abd64ceedac5939b93ead2e61b4a9a27ea4e4345d92fae23bf7330bc92289288b463

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijwmiesc\CSC460F2FA03D854850821284B664F8F571.TMP

Filesize
652B

MD5
defc21461a5633c6255fe0cc7dcfe823

SHA1
763f6353374f5c240c82909a340f3df4e48c3eee

SHA256
ae9425f95f13ac9304c817ab5911eb854fec847d40b526f4566c438c8a57592b

SHA512
72a88a219c2529bec1aa162691a7b8159dfe2bc99e03b83c01fd443c7295b5d393dcf152cb465bbc79d0f440060466620584b267ac99d398d7b915267fe4f76d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijwmiesc\ijwmiesc.0.cs

Filesize
2KB

MD5
1cae52936facd4972987d3baef367d8d

SHA1
ad2b4b58d20f290b9da416cef1ef305cf1df6781

SHA256
28b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400

SHA512
4ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijwmiesc\ijwmiesc.cmdline

Filesize
369B

MD5
6f094d470b5984c42db6f5625743503c

SHA1
68291a8889ee88eb1d9501a912eca88449a22a09

SHA256
4610717490e74639ac79ec0377eb31cedab9297fd7a30c54710516fc8d52897c

SHA512
ea28bc5ec5f31730cbf5e2745ae2a9b64703a8df96287e1aba382fc9d039d479dc17e5f0504db69d6183f68c2286194eb943682b4000e6676976a5230ea869b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqdu54px\CSCDC506B262A3407AB464A43D593261E.TMP

Filesize
652B

MD5
1c09fbf3aa95f692a06e8540f83a45fb

SHA1
c2db7e6982b7493924b090d0d2755016f1cdaaab

SHA256
8d758b9664703fe38a03abdf70874d035a457c87db158040b58e139ff78e1604

SHA512
8e40d9e97a14f135ac2e8c9d9aec7c839b0b9917531813238b4c0b2f7c7ca93016130cf7544884c6b0569cf9b634fc73499a5960ccc9fdb6a05df460507b2265

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqdu54px\oqdu54px.0.cs

Filesize
9KB

MD5
64db54f88f46e2ecc57b05a25966da8e

SHA1
488dbbbab872714609ded38db924d38971a3685f

SHA256
e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5

SHA512
8791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oqdu54px\oqdu54px.cmdline

Filesize
369B

MD5
da2900a849ff4181a6ec447df308c884

SHA1
028c9d0566789886b35375d7f843674975e26411

SHA256
32e73a9db3dbe25303ca8e468f842f08e0e475de0ea494cbc2367775fbcc39db

SHA512
8a13b0629d8bb180fac22b70993fd7480a44a2cf64187f92d35d51220fcd536e9735cfe387ffa391f7ce37e5ce45d6997c021f52910c1f5fdfe88575296ba1b9

Download Submit
memory/1400-150-0x00007FFA97F70000-0x00007FFA98A31000-memory.dmp

Filesize
10.8MB

Download
memory/1400-132-0x000001C7EA450000-0x000001C7EA472000-memory.dmp

Filesize
136KB

Download
memory/1400-149-0x00007FFA97F70000-0x00007FFA98A31000-memory.dmp

Filesize
10.8MB

Download
memory/1400-133-0x00007FFA97F70000-0x00007FFA98A31000-memory.dmp

Filesize
10.8MB

Download
memory/2272-134-0x0000000000000000-mapping.dmp

Download
memory/2492-144-0x0000000000000000-mapping.dmp

Download
memory/2728-148-0x0000000002BC0000-0x0000000002BE2000-memory.dmp

Filesize
136KB

Download
memory/2728-151-0x0000000002BC0000-0x0000000002BE2000-memory.dmp

Filesize
136KB

Download
memory/3716-141-0x0000000000000000-mapping.dmp

Download
memory/4152-137-0x0000000000000000-mapping.dmp

Download
memory/4356-153-0x0000000000000000-mapping.dmp

Download