b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13

Analysis

max time kernel
95s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

locker.exe
Size

2.3MB
MD5

66c6dfe570b7e10fc9b62614a6bb0476
SHA1

75ca6a5a47105af2855ace988f2e86fb8d54f56a
SHA256

b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13
SHA512

90659304debcbe88595c469e1846ff2f8544da480dcd75ba591079eabfa8e9cca9535f8f8130114f33f5c4317a95c735c26386bbd357a9451b9af2391762db54
SSDEEP

24576:w/F1XGA9DHYdqQiF/swJ0r6ck59yjFGWG04J2ksswOGpyCP5WfWr:w91XRlYdqxF/QU5EH6wOVCBW

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.imgur.com/DQ6FCxz.png

Signatures

Renames multiple (8784) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 1 IoCs

flow	pid	Process
39	5108	powershell.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt	locker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt	locker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
5108	powershell.exe

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	locker.exe
File opened for modification	C:\Program Files\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\desktop.ini	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	locker.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	locker.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	locker.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	locker.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	locker.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	locker.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.png"	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-180.png	locker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\ThumbAerial.png	locker.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\R3ADM3.txt	locker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\3DViewerProductDescription-universal.xml	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated_contrast-high.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-100_contrast-black.png	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pl_135x40.svg	locker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png	locker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionPage.xbf	locker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\Logo.png	locker.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-80_contrast-white.png	locker.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\manifest.json	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.tree.dat	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_trending.targetsize-48.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.45e00f56.pri	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png	locker.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\MSFT_PackageManagementSource.strings.psd1	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-150.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-40.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-150.png	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\ui-strings.js	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js	locker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	locker.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui	locker.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_OwlEye.png	locker.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png	locker.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui	locker.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-100_contrast-white.png	locker.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-150.png	locker.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfigOnLogon.xml	locker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-100.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	locker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\R3ADM3.txt	locker.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-white.png	locker.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-32.png	locker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\R3ADM3.txt	locker.exe
File created	C:\Windows\R3ADM3.txt	locker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5108	powershell.exe
5108	powershell.exe
2380	powershell.exe
2380	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 5108	1616	locker.exe	95
PID 1616 wrote to memory of 5108	1616	locker.exe	95
PID 1616 wrote to memory of 2380	1616	locker.exe	97
PID 1616 wrote to memory of 2380	1616	locker.exe	97
PID 2380 wrote to memory of 3412	2380	powershell.exe	99
PID 2380 wrote to memory of 3412	2380	powershell.exe	99
PID 3412 wrote to memory of 2984	3412	csc.exe	100
PID 3412 wrote to memory of 2984	3412	csc.exe	100

C:\Users\Admin\AppData\Local\Temp\locker.exe
"C:\Users\Admin\AppData\Local\Temp\locker.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgur.com/DQ6FCxz.png', 'C:\Users\Admin\AppData\Local\Temp\Wallpaper.png')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); public static void Set(string path) { SystemParametersInfo(20, 0, path, 3); } }'; [Wallpaper]::Set('C:\Users\Admin\AppData\Local\Temp\Wallpaper.png')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\szkxpuhm\szkxpuhm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99BA.tmp" "c:\Users\Admin\AppData\Local\Temp\szkxpuhm\CSC8791463E160B45C8999033F93BE19E3.TMP"
      4⤵
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\R3ADM3.txt

Filesize
576B

MD5
f23030d9016bf550545665639ffe3329

SHA1
95195c349f6929832a1e7e3d1bd11ebfb2cbce1b

SHA256
747d06005c5539438076a0b5d3396727420aeb8c0c6348cd62324f530d0dde28

SHA512
6601c4e0af52ca5436dc12280813b0abd963a4ff1fa51af39a09d771b7898604205b74a12ad4597fa1970fc6477cae0b378887156130cf0c73a994c61924703b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
49e7d5f2a296b59afec08bc314bed998

SHA1
7f898bf195ffd46ce2d19fad0ce33155f6e47f5f

SHA256
394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe

SHA512
f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9ca68519670def80e7157108711832c

SHA1
d65dd4bcfedbedb4028ea33149321ac206e3d3fb

SHA256
b467b4c23ac84f7dbf34869015eb07c723d000d4aa4a03c21dd85c9d82462c30

SHA512
4084c4c98cf6357de929c86373e0cd2dabf9339e9bf262af9299cede5315bf446ea83edbbcef5cebea70e968ed3a4a95fbfe4b13e697c68067daadb5ec129648

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99BA.tmp

Filesize
1KB

MD5
2092fc806090b6a363df3892b5594141

SHA1
85012951f01032c09c3c9639c8cd9f91bf652e5e

SHA256
e9260c03894e83ffe91f884f277e2d3ff928a63d870a43e4a10431c7587abdb8

SHA512
3d16a90e131961317aaa41658ad35fc65e10054da5c24073a3e527ec90679a70e630d08f729aae17f6a07220da73ba95cd5d3f71f9761e3ee26992ed8dc8dea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hnq0gfk.gv0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\szkxpuhm\szkxpuhm.dll

Filesize
3KB

MD5
1974ac18249f37f2c2fa97e2e77058f8

SHA1
6467c994fb0e7c174c8f84a51a4c0302609ed08a

SHA256
f98b42824ef470c9b39645dfe07e9c27ffb66e34d2380894991420bffb6c90bb

SHA512
8c76559051b0a67acf699abb0d8491a199115b65c6a61eb6c8c0f0268b9722aa68f57d8cf3c04ab8b222a76eb18e593faf0f1d7a62cee9ea5df1b05bb1ec9467

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szkxpuhm\CSC8791463E160B45C8999033F93BE19E3.TMP

Filesize
652B

MD5
e474a622c14031cd088b0d4df7eb8cab

SHA1
9793ff460bff77c7ac8a15cc9149920724997eae

SHA256
ade20ace7b2f532d160983e9ed5e890237584af7702631bba1f5fce042092b3d

SHA512
d40d7f8def99d663622aa13cb323e04159774234be88759714804532d24e74f2464cb8d47cba17237ee3864621ae9e21f961ff7996889eb3f6c5b78bc7b68339

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szkxpuhm\szkxpuhm.0.cs

Filesize
312B

MD5
945a8245afef16ce6654338c6a4b1ab7

SHA1
165014157ca311751105fdf7c7c105a1a7b113a0

SHA256
331b27fcd961cc9e94bb774dfa7e1b8c5999d91f0f820924dc7c60a6610c1246

SHA512
d598cdb315ad50340efd7c52fd31ae9aef585281c3a384d84f1def0ce9782ac324087fede7c0b1157eea9b40c0fc3cbc650f646a9c93260efcfaf7bdf962be5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\szkxpuhm\szkxpuhm.cmdline

Filesize
369B

MD5
90a2e501b5c2c2c0488c9fd1084fa584

SHA1
b2e5d43a581744511355a0dbb08384855fafff4e

SHA256
5f0b74fea8f8f84eecef20ea90ed482d6e0dd1a22a39313cdedd3ede75238c59

SHA512
0549deb718adedb6d29d185b32e4820893dc2465d61a957260849d9ed7234777f2f64d1b0fff14f377b2a35df5fa6afbb354e3a01915b9f2ec571a3c83fb6278

Download Submit
memory/2380-53661-0x00007FFE37A10000-0x00007FFE384D1000-memory.dmp

Filesize
10.8MB

Download
memory/2380-53662-0x00007FFE37A10000-0x00007FFE384D1000-memory.dmp

Filesize
10.8MB

Download
memory/2380-53664-0x00007FFE37A10000-0x00007FFE384D1000-memory.dmp

Filesize
10.8MB

Download
memory/2380-53677-0x0000019107720000-0x0000019107728000-memory.dmp

Filesize
32KB

Download
memory/2380-53680-0x00007FFE37A10000-0x00007FFE384D1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-53650-0x00007FFE37A10000-0x00007FFE384D1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-53646-0x00007FFE37A10000-0x00007FFE384D1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-53645-0x0000020352B40000-0x0000020352B62000-memory.dmp

Filesize
136KB

Download
memory/5108-53635-0x00007FFE37A10000-0x00007FFE384D1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-53634-0x00007FFE37A13000-0x00007FFE37A15000-memory.dmp

Filesize
8KB

Download