Analysis
max time kernel:   121s
max time network:  122s
platform:          windows7_x64
resource:          win7-20240508-en
resource tags:     arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted:         26-05-2024 01:01
Behavioral task: behavioral1
  Sample:    086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Resource:  win7-20240508-en
Behavioral task: behavioral2
  Sample:    086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Resource:  win10v2004-20240426-en
General
Target:  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
Size:    160KB
MD5:     7e488e4928dd33d8aaf738da2baaba46
SHA1:    6caa45286b4f92555cb4cb5f2ff8ccdb37e09a1e
SHA256:  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529
SHA512:  643e834c0281803f44e85e8a3e50f0795a2f41c1bfdd62873cc509536e8752b736729a7ab6c8af4177ae0bbe90229d31f5fffe1d1d4539b710d9aa94acce931b
SSDEEP:  3072:JDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368DCH2C+7cSFaCaqWGnW:D5d/zugZqll33n7CKW
Malware Config
Extracted
C:\Users\gqtDmx4Hj.README.txt
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
https://twitter.com/hashtag/lockbit?f=live
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
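The URL list above is the set of contact and leak-site addresses pulled out of the ransom note. When such a list is copied into a blocklist or a threat-intel feed, a single mistyped character silently turns a real indicator into a dead one, and the Tor v3 address format makes that checkable: each address is 56 base32 characters encoding a 32-byte ed25519 public key, a 2-byte checksum and the version byte 0x03, with the checksum defined in Tor's rend-spec-v3 as the first two bytes of SHA3-256(".onion checksum" || key || version). The following is an added example written for this page, not sandbox output or any LockBit tooling: it extracts candidate addresses from note text and verifies each one's checksum. The note fragment it runs on is constructed from two of the URLs listed above plus the twitter link and a duplicate; nothing in it asserts that the report's addresses are valid, it only shows how you would find out.

```python
import base64
import hashlib
import re

# Candidate v3 addresses: 56 base32 characters (RFC 4648 alphabet, lower case
# in practice) followed by ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)

# Constructed input for this example: a fragment modelled on the URL list in
# the Malware Config section, with one duplicate and one non-onion URL.
NOTE_TEXT = """
>>>> Your data is stolen and encrypted.
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
https://twitter.com/hashtag/lockbit?f=live
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
"""


def onion_v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address for a 32-byte ed25519 public key. This is the same
    construction Tor uses for the hostname; here it yields known-good test input."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses carry a 32-byte ed25519 key")
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([3])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(address: str):
    """Return the embedded public key if the address is well formed and its
    checksum matches, otherwise None."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return None
    raw = base64.b32decode(label.upper())  # 56 chars * 5 bits = 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3 or checksum != onion_v3_checksum(pubkey, version):
        return None
    return pubkey


def extract_onions(text: str) -> list:
    """Unique .onion addresses in order of first appearance, lower-cased."""
    seen, found = set(), []
    for match in ONION_RE.finditer(text):
        addr = match.group(1).lower() + ".onion"
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def triage(text: str) -> dict:
    """Map each extracted address to True (checksum verified) or False."""
    return {addr: validate_onion_v3(addr) is not None for addr in extract_onions(text)}


if __name__ == "__main__":
    for addr, ok in triage(NOTE_TEXT).items():
        print("valid  " if ok else "INVALID", addr)
```

Because the checksum covers the key bytes, a wrong character almost anywhere in the label is caught, and every genuine v3 address ends in "d" (the version byte 0x03 lands in the last five bits). Addresses that fail here should be re-read from the note before they are distributed.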
Signatures
-
Renames multiple (194) files with added filename extension
This suggests ransomware activity: files across the system are encrypted and renamed in place. The appended extension here is .gqtDmx4Hj, the same string that names the ransom note C:\Users\gqtDmx4Hj.README.txt and the icon and wallpaper files under C:\ProgramData (see the registry signatures below); using one per-victim identifier for all four is the LockBit 3.0 pattern.
-
Deletes itself 1 IoCs
Processes:
  pid   process
  1136  4B43.tmp
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1136  4B43.tmp
-
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
-
Drops desktop.ini file(s) 2 IoCs
Processes:
  description                   ioc                                                                         process
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\gqtDmx4Hj.bmp"  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\gqtDmx4Hj.bmp"  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
  pid   process                                                               count
  1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe  6 IoCs
  1136  4B43.tmp                                                              6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes:
  description      ioc                                                                                                process
  Key created      \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop                   086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WallpaperStyle = "10"  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
-
Modifies registry class 5 IoCs
Processes:
  description      ioc                                                                                     process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.gqtDmx4Hj                                           086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.gqtDmx4Hj\ = "gqtDmx4Hj"                            086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\gqtDmx4Hj\DefaultIcon                                086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\gqtDmx4Hj                                            086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\gqtDmx4Hj\DefaultIcon\ = "C:\\ProgramData\\gqtDmx4Hj.ico"  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  pid   process                                                               count
  1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe  12 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
Processes:
  pid   process   count
  1136  4B43.tmp  26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                                              pid   process
  Token: SeAssignPrimaryTokenPrivilege                     1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeBackupPrivilege                                 1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeDebugPrivilege                                  1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: 36 (privilege LUID not resolved by the sandbox)   1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeImpersonatePrivilege                            1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeIncBasePriorityPrivilege                        1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeIncreaseQuotaPrivilege                          1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: 33 (privilege LUID not resolved by the sandbox)   1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeManageVolumePrivilege                           1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeProfSingleProcessPrivilege                      1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeRestorePrivilege                                1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeSecurityPrivilege                               1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeSystemProfilePrivilege                          1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeTakeOwnershipPrivilege                          1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeShutdownPrivilege                               1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeDebugPrivilege                                  1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe
  Token: SeBackupPrivilege                                 2584  vssvc.exe
  Token: SeRestorePrivilege                                2584  vssvc.exe
  Token: SeAuditPrivilege                                  2584  vssvc.exe
  followed by 45 further adjustments by PID 1688 (086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe), alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege (23 SeBackupPrivilege, 22 SeSecurityPrivilege), for 64 IoCs in total.
  The first batch is the sample enabling, in one pass, every privilege it can get from an elevated token: SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege let it open and overwrite files regardless of their ACLs, SeDebugPrivilege lets it open other processes, and SeShutdownPrivilege and SeManageVolumePrivilege are there for the end of the run. The long tail of SeBackupPrivilege/SeSecurityPrivilege pairs runs alongside the file-encryption phase. The three vssvc.exe entries are the Volume Shadow Copy service enabling its own privileges when it is started.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description              pid   process                                                               target process    count
  wrote to memory of 1136  1688  086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe  4B43.tmp (1136)   5 IoCs
  wrote to memory of 2292  1136  4B43.tmp                                                              cmd.exe (2292)    4 IoCs
  Every write here goes from a parent into the child it has just created, which is what process creation itself looks like to this monitor; on its own the signature is not evidence of injection into an unrelated process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. vssvc.exe appears in the process list (PID 2584, enabling SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege), which is consistent with the service being started on demand for this COM request. Ransomware typically uses this interface to enumerate and delete existing shadow copies so the encrypted files cannot be rolled back locally. No vssadmin.exe or wmic.exe invocation appears in the process tree, so detections that key on those command lines would not fire for a sample that goes through the COM interface directly.
Processes
-
C:\Users\Admin\AppData\Local\Temp\086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe  (PID 1688, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\086072e97dedb1ebff0dac070acfbd1410fdacee2e62ff2b8a0bcd286c31c529.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\ProgramData\4B43.tmp  (PID 1136, depth 2, child of PID 1688)
    command line: "C:\ProgramData\4B43.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe  (PID 2292, depth 3, child of PID 1136)
      command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4B43.tmp >> NUL
-
C:\Windows\system32\vssvc.exe  (PID 2584, depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXE  (depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x14c

Two details in this tree matter for triage. First, the clean-up chain: the sample drops the 14KB 4B43.tmp into C:\ProgramData, runs it, and 4B43.tmp in turn spawns cmd.exe to delete its own image (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData on this image). The 26 RenamesItself IoCs attributed to 4B43.tmp, together with the 160KB file of repeated "D" characters left in the Temp directory (see Downloads), are consistent with the helper also renaming and overwriting the original sample before it is removed, which is why the dropped helper and the renamed copy survive in the Downloads list although neither remains on the guest. Second, the command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: 4B43.tmp is a 32-bit process on a 64-bit guest, so WoW64 file-system redirection substituted the 32-bit binary. A detection keyed on the image path alone has to accept both locations.
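The signatures above describe four things that together are close to a LockBit 3.0 fingerprint: many files renamed with one new appended extension plus a <extension>.README.txt note (194 renames here), a file-class key under HKLM\SOFTWARE\Classes whose DefaultIcon points into C:\ProgramData, a wallpaper value pointing into C:\ProgramData, and a dropped .tmp helper in C:\ProgramData that spawns cmd.exe to delete its own image. The following is an added example written for this page, not the sandbox's or any vendor's detection code: three rules over a constructed Sysmon-style event stream modelled on the report. The event schema, the field names, the threshold of ten renames and the C:\PROGRA~3 to C:\ProgramData short-name mapping are all assumptions of this example; on a real host you would resolve 8.3 names with GetLongPathName rather than a fixed table.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events modelled on the report (not sandbox output);
# the field names are this example's own, not a real product's schema.
SID = "S-1-5-21-268080393-3149932598-1824759070-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    {"type": "process", "pid": 1688, "ppid": 900, "image": SAMPLE},
    *[{"type": "file_rename", "pid": 1688,
       "src": rf"C:\Users\Admin\Documents\doc{i}.docx",
       "dst": rf"C:\Users\Admin\Documents\doc{i}.docx.gqtDmx4Hj"} for i in range(12)],
    {"type": "file_create", "pid": 1688, "path": r"C:\Users\gqtDmx4Hj.README.txt"},
    {"type": "registry_set", "pid": 1688,
     "key": r"HKLM\SOFTWARE\Classes\gqtDmx4Hj\DefaultIcon",
     "value": r"C:\ProgramData\gqtDmx4Hj.ico"},
    {"type": "registry_set", "pid": 1688,
     "key": rf"HKU\{SID}\Control Panel\Desktop\WallPaper",
     "value": r"C:\ProgramData\gqtDmx4Hj.bmp"},
    {"type": "process", "pid": 1136, "ppid": 1688, "image": r"C:\ProgramData\4B43.tmp"},
    {"type": "process", "pid": 2292, "ppid": 1136, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4B43.tmp >> NUL'},
    # Benign noise that the rules must not flag: one manual rename, one normal icon.
    {"type": "file_rename", "pid": 4000,
     "src": r"C:\Users\Admin\notes.txt", "dst": r"C:\Users\Admin\notes.txt.bak"},
    {"type": "registry_set", "pid": 4001,
     "key": r"HKLM\SOFTWARE\Classes\txtfile\DefaultIcon",
     "value": r"C:\Windows\System32\imageres.dll,-102"},
]

NOTE_RE = re.compile(r"\\([^\\]+)\.README\.txt$", re.IGNORECASE)


def mass_rename(events, threshold=10):
    """Renames whose destination is the source plus exactly one new suffix,
    counted per (pid, suffix). Returns the groups at or above the threshold and
    whether the same pid also created a '<suffix>.README.txt' note."""
    counts = defaultdict(int)
    notes = set()
    for e in events:
        if e["type"] == "file_rename":
            src, dst = e["src"], e["dst"]
            suffix = dst[len(src) + 1:]
            if dst.startswith(src + ".") and suffix and "." not in suffix:
                counts[(e["pid"], suffix)] += 1
        elif e["type"] == "file_create":
            m = NOTE_RE.search(e["path"])
            if m:
                notes.add((e["pid"], m.group(1)))
    return {k: {"renames": n, "ransom_note": k in notes}
            for k, n in counts.items() if n >= threshold}


# Registry values that legitimately point almost anywhere but not into ProgramData.
PROGRAMDATA_KEYS = [
    ("extension_icon", re.compile(r"\\Classes\\[^\\]+\\DefaultIcon$", re.IGNORECASE)),
    ("wallpaper", re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)),
]


def programdata_registry_artifacts(events):
    """DefaultIcon or wallpaper values whose target lives under C:\\ProgramData."""
    hits = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        if not e["value"].lower().startswith("c:\\programdata\\"):
            continue
        for kind, pattern in PROGRAMDATA_KEYS:
            if pattern.search(e["key"]):
                hits.append((e["pid"], kind, e["value"]))
    return hits


# Assumed 8.3 short-name mapping (true on the sandbox image in the report).
SHORT_NAMES = {r"c:\progra~3": r"c:\programdata"}
DEL_RE = re.compile(r"\bDEL\s+(?:/\w\s+)*(\S+)", re.IGNORECASE)


def normalise(path):
    p = path.strip('"').lower()
    for short, long in SHORT_NAMES.items():
        if p.startswith(short):
            p = long + p[len(short):]
    return p


def self_delete_via_cmd(events):
    """cmd.exe whose DEL target is the image of its own parent process."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\cmd.exe") or "cmd" not in e:
            continue
        m = DEL_RE.search(e["cmd"])
        parent = procs.get(e["ppid"])
        if m and parent and normalise(m.group(1)) == normalise(parent["image"]):
            hits.append((e["pid"], parent["pid"], parent["image"]))
    return hits


if __name__ == "__main__":
    print("mass rename:", mass_rename(EVENTS))
    print("ProgramData artifacts:", programdata_registry_artifacts(EVENTS))
    print("self-delete:", self_delete_via_cmd(EVENTS))
```

The rename rule deliberately ignores renames that change an existing extension (notes.txt to notes.bak) and only counts a suffix appended to the whole original name, which is what the 194 IoCs in this report look like; pairing it with the note check keeps a bulk archiving tool from tripping it. The self-delete rule compares normalised paths because the command line uses the short name while the parent image is recorded with the long one.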
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini
  Filesize  129B
  MD5       8c103af87bd13aa7cacb03ea9de7c850
  SHA1      84158bd4ca53bf89d1215db46a5a15866cbdc639
  SHA256    528dbcc7c7efbbc101a97ff6ac9bbf0beb4216421bf2c1e5c1a835bc8ffd75b7
  SHA512    facc827a679698cfcec8bda18e509a5599e73dd4bfc00121ca6281daf4f8301dafb959db01ea57edd136327b11aac11d55d1f4e8633fa20f2a06bfebedb15794
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Filesize  160KB
  MD5       5830b1ac634d2123fcf3b675fdefd130
  SHA1      790ef33a35518a2020197df3c06d4f1e7d0dcea1
  SHA256    88e07ebed32e7ee34377138b240849330db10a4b98b8ed30fa37d9f5c6b69591
  SHA512    1d61f5029ea8fe43db24382b07adc2f950bb7b8b9ae955d011ffac593013f288189686838ffcc6d84a065b85eefb530e375eee5971087c17f572f00152329516
-
C:\Users\gqtDmx4Hj.README.txt
  Filesize  3KB
  MD5       4201483fd14926c39df9679a489a0e1a
  SHA1      c3bcc611f340814fec90b4064cd4a7c33d14a13f
  SHA256    45f7160b036c271e7620d3252b1acf7ceece40d210268bb1b01ef7d4fe4e8cf6
  SHA512    849ff7bba208a334d18d15cc82074a16685f1e0be59881437f7891dba6534bebd864bb55b7a29756c18e788f4a0945a1089ef1e2850c960b63de2da6798021d1
-
F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\DDDDDDDDDDD
  Filesize  129B
  MD5       7fe55030bd2312fe538c986e7f5581bf
  SHA1      5413074ac968dfa5a6b67a346f956a50e41cb887
  SHA256    c741afa3d017fad8f28c4a562daa8ce96b0c02f9b8081356a8bcd7b0dde320fc
  SHA512    7513f9b0a70cc38dfd201dd31c217c5f46c99fead23c80520483ba1c77a74cddce2810d29fb220d8c58ac1ae6dc5ba88d218ce4ef6f61b570db71e36131e1428
-
\ProgramData\4B43.tmp
  Filesize  14KB
  MD5       294e9f64cb1642dd89229fff0592856b
  SHA1      97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
memory/1136-324-0x0000000000401000-0x0000000000404000-memory.dmp
  Filesize  12KB
-
memory/1136-326-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize  28KB
-
memory/1136-355-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize  28KB
-
memory/1136-358-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize  28KB
-
memory/1688-0-0x0000000000CA0000-0x0000000000CE0000-memory.dmp
  Filesize  256KB