Analysis
max time kernel: 74s
max time network: 148s
platform: windows10_x64
resource: win10v20210410
submitted: 13-05-2021 06:12

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe
Resource: win7v20210408
General
Target: 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe
Size: 406KB
MD5: 43349e08c310568c4d852900a9de2124
SHA1: f7a8cb308703af8abee75ed61ee61843bf778873
SHA256: 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f
SHA512: 75e82f2218e02d21d5fbd50c5d6e3b75372738d57180e29800f89ce0d329bbe0696b2252e88c99c8147482dc42983cfcb395712f59bfcc81c159f27e8c6281c1
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [Crypted.exe]
  The stock value is "C:\Windows\system32\userinit.exe," (a single entry with a trailing comma); appending a second comma-separated path makes winlogon launch msdcsc.exe at every interactive logon, independently of the Run key below.
Modifies firewall policy service (2 TTPs, 6 IoCs)
  Under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
    DoNotAllowExceptions = 0  [Crypted.exe, msdcsc.exe]
    DisableNotifications = 1  [Crypted.exe, msdcsc.exe]
    EnableFirewall = 0        [Crypted.exe, msdcsc.exe]
  Both the dropped stage and the persistent copy write the same three values: the firewall is switched off, exceptions are permitted again, and the "firewall is off" notification is suppressed.
Disables Task Manager via registry modification
  (signature fired; the report lists no IoC detail for it)
Executes dropped EXE (2 IoCs)
  PID 2596  Crypted.exe
  PID 3884  msdcsc.exe
Packed with UPX (YARA rule upx matched)
  C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  behavioral2/memory/2596-120-0x00000000024B0000-0x000000000353E000-memory.dmp
  behavioral2/memory/3884-129-0x00000000023A0000-0x000000000342E000-memory.dmp
  The rule matched both files on disk (each listed twice in the raw report) and the 16.6MB memory regions of both processes.
Deletes itself (1 IoC)
  PID 2596  Crypted.exe
Windows security modification (14 IoCs)
  Under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center, each written by both Crypted.exe and msdcsc.exe:
    AntiVirusOverride = 1
    FirewallOverride = 1
    AntiVirusDisableNotify = 1
    FirewallDisableNotify = 1
    UpdatesDisableNotify = 1
    UacDisableNotify = 1
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  The WOW6432Node prefix shows that the writer is a 32-bit process whose HKLM\SOFTWARE writes were redirected into the 32-bit registry view.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [Crypted.exe]
  The same value is written again by msdcsc.exe: the persistent copy re-asserts its own Run entry when it starts.
Checks whether UAC is enabled (2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Crypted.exe, msdcsc.exe]
  EnableLUA = 0 turns UAC off entirely, effective after the next reboot. The same write is counted again under "System policy modification" below.
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  msdcsc.exe opened (read-only) the root of every drive letter from E: to Z: (\??\E:, \??\F:, ... \??\Z:, 22 letters); A:, B:, C: and D: are not in the list.
Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in Windows directory (1 IoC)
  File opened for modification C:\Windows\SYSTEM.INI  [Crypted.exe]
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description adds "likely ransomware behaviour"; in this run the only recorded drive activity is the read-only opening of drive roots listed above, and no file encryption or mass file modification appears anywhere in the report.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Crypted.exe (PID 2596): 2 enumerations
  msdcsc.exe (PID 3884): 14 enumerations
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  msdcsc.exe (PID 3884)
  Repeated GetForegroundWindow polling, together with the SetWindowsHookEx use below, is the usual footprint of a user-mode keylogger: the hook captures keystrokes and the polling records which window title they were typed into.
Suspicious use of AdjustPrivilegeToken (64 IoCs shown)
  Crypted.exe (PID 2596): SeDebugPrivilege enabled repeatedly, interleaved with one enable each of SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege and the unnamed LUIDs 33, 34, 35, 36 (in winnt.h: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege).
  msdcsc.exe (PID 3884): SeDebugPrivilege (2 shown).
  Enabling every privilege in one sweep is the "enable all privileges" idiom. SeDebugPrivilege is the one that matters for the cross-process writes below, and it can only be enabled if it is already present in the token, i.e. the sample ran under an elevated administrator token.
Suspicious use of SetWindowsHookEx (1 IoC)
  msdcsc.exe (PID 3884)
Suspicious use of WriteProcessMemory (64 IoCs shown)
  Writes into processes the writer itself created:
    2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe (3968) -> Crypted.exe (2596): 3 writes
    Crypted.exe (2596) -> cmd.exe (2688): 3 writes
    Crypted.exe (2596) -> msdcsc.exe (3884): 3 writes
    msdcsc.exe (3884) -> iexplore.exe (3740): 3 writes
    msdcsc.exe (3884) -> explorer.exe (3712): 2 writes
    cmd.exe (2688) -> attrib.exe (3372): 3 writes
  Writes into processes the writer did not create:
    Crypted.exe (2596), one sweep: fontdrvhost.exe (700, 704), dwm.exe (960), sihost.exe (2576), svchost.exe (2640), taskhostw.exe (2840), Explorer.EXE (2504), ShellExperienceHost.exe (3324), SearchUI.exe (3344), RuntimeBroker.exe (3540), DllHost.exe (3800, 1724)
    msdcsc.exe (3884): the same twelve targets in a first sweep, eleven of them (no DllHost.exe 1724) in a second, and nine in a third that is cut off by the 64-entry cap (last shown: SearchUI.exe 3344); plus cmd.exe (2688) twice and Conhost.exe (3428) once
  Every child the chain created shows as a burst of two or three consecutive writes, while each pre-existing system process receives exactly one write per sweep.
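The list above mixes two very different things: the writes a parent makes into a child it is creating, and writes into long-lived processes the sample never started. The following added example (not Triage's code) parses lines in the report's own format and splits them using the parent/child relations from the process tree. The sample lines are an excerpt copied from this report and the PARENT map is transcribed from the process tree below; both are embedded here so the script runs offline.

```python
"""Partition WriteProcessMemory events into child-creation writes and writes
into processes the writer did not create. Added example, not Triage's code."""
import re
from collections import Counter, defaultdict

# Parent PID of each process the report's process tree shows as part of the
# sample chain (transcribed from the tree; pre-existing system processes are absent).
PARENT = {2596: 3968, 2688: 2596, 3884: 2596, 3428: 2688,
          3372: 2688, 3712: 3884, 3740: 3884}

# Excerpt of the report's IoC lines, verbatim format:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <target image>
SAMPLE_WRITES = [
    "PID 3968 wrote to memory of 2596 3968 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe Crypted.exe",
    "PID 3968 wrote to memory of 2596 3968 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe Crypted.exe",
    "PID 3968 wrote to memory of 2596 3968 2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe Crypted.exe",
    "PID 2596 wrote to memory of 700 2596 Crypted.exe fontdrvhost.exe",
    "PID 2596 wrote to memory of 960 2596 Crypted.exe dwm.exe",
    "PID 2596 wrote to memory of 2504 2596 Crypted.exe Explorer.EXE",
    "PID 2596 wrote to memory of 2688 2596 Crypted.exe cmd.exe",
    "PID 2596 wrote to memory of 2688 2596 Crypted.exe cmd.exe",
    "PID 2596 wrote to memory of 2688 2596 Crypted.exe cmd.exe",
    "PID 2596 wrote to memory of 3884 2596 Crypted.exe msdcsc.exe",
    "PID 2596 wrote to memory of 3884 2596 Crypted.exe msdcsc.exe",
    "PID 2596 wrote to memory of 3884 2596 Crypted.exe msdcsc.exe",
    "PID 3884 wrote to memory of 2640 3884 msdcsc.exe svchost.exe",
    "PID 3884 wrote to memory of 3428 3884 msdcsc.exe Conhost.exe",
    "PID 2688 wrote to memory of 3372 2688 cmd.exe attrib.exe",
    "PID 2688 wrote to memory of 3372 2688 cmd.exe attrib.exe",
    "PID 2688 wrote to memory of 3372 2688 cmd.exe attrib.exe",
]

LINE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_write(line):
    """Return (writer pid, target pid, writer image, target image) for one IoC line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a WriteProcessMemory IoC line: {line!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def triage_writes(lines, parent):
    """Count writes per (writer, target, target image), split by whether the
    writer is the recorded parent of the target (child creation) or not."""
    child, foreign = Counter(), Counter()
    for line in lines:
        writer, target, _, target_image = parse_write(line)
        key = (writer, target, target_image)
        if parent.get(target) == writer:
            child[key] += 1
        else:
            foreign[key] += 1
    return child, foreign


def foreign_targets(lines, parent):
    """Per writer PID, the sorted (target pid, image) list it wrote into without creating it."""
    _, foreign = triage_writes(lines, parent)
    out = defaultdict(list)
    for writer, target, image in foreign:
        out[writer].append((target, image))
    return {w: sorted(v) for w, v in out.items()}


if __name__ == "__main__":
    child, foreign = triage_writes(SAMPLE_WRITES, PARENT)
    print("child-creation writes:")
    for (w, t, img), n in sorted(child.items()):
        print(f"  {w} -> {t} {img}: {n} writes")
    print("writes into processes the writer did not create:")
    for w, targets in sorted(foreign_targets(SAMPLE_WRITES, PARENT).items()):
        print(f"  {w}: {targets}")
```

The rule is deliberately strict (direct child only), so the single write msdcsc.exe makes into Conhost.exe (a child of cmd.exe, not of msdcsc.exe) lands in the foreign bucket alongside the writes into dwm.exe and svchost.exe; that is the set to review by hand, and SeDebugPrivilege already being enabled in the writer is what makes those writes possible.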
System policy modification (1 TTP, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Crypted.exe, msdcsc.exe]

Views/modifies file attributes (1 TTP, 1 IoC)
  attrib.exe (PID 3372), see the process tree below.
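The registry writes in the signatures above fall into a handful of tampering patterns: an extra entry in Winlogon\Userinit, a Run key, the three StandardProfile firewall values, the Security Center override/notification flags and EnableLUA = 0. The following added example (not Triage's code) parses registry IoC lines in the report's own format and maps each to a finding, so the same rules can be run over another report or over exported registry-audit events. The sample lines are copied from this report, except the last one, which is a constructed benign write (EnableLUA set back to 1) to show that a matching key with a non-tampering value produces no finding. Note that the install path Documents\MSDCSC\msdcsc.exe and the Run value name MicroUpdate are the default builder settings of the DarkComet RAT; the report itself does not name the family.

```python
"""Classify sandbox-report registry writes into persistence / defence-evasion
findings. Added example, not Triage's code; rules cover the keys this report shows."""
import re
from dataclasses import dataclass
from typing import List, Optional

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
CREATE_RE = re.compile(r'^Key created (.+) (\S+)$')

USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
# StandardProfile value name -> the value that means the firewall was weakened
FIREWALL_BAD = {"enablefirewall": "0", "donotallowexceptions": "0", "disablenotifications": "1"}

# Sample lines copied from the report (the last line is constructed and benign).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" Crypted.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Crypted.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Crypted.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Crypted.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Crypted.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" AdminTool.exe',  # constructed
]


@dataclass
class RegEvent:
    kind: str             # "set" or "create"
    path: str             # full \REGISTRY\... path of the value or key
    value: Optional[str]  # as printed by the report, with doubled backslashes collapsed
    process: str


@dataclass
class Finding:
    tactic: str
    technique: str
    process: str
    detail: str


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one 'Set value (...)' or 'Key created' line; None if it is neither."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return RegEvent("set", m.group(2), m.group(3).replace("\\\\", "\\"), m.group(4))
    m = CREATE_RE.match(line)
    if m:
        return RegEvent("create", m.group(1), None, m.group(2))
    return None


def classify(ev: RegEvent) -> Optional[Finding]:
    """Map one registry event to a finding, or None if it is not a known tampering pattern."""
    if ev.kind != "set":
        return None  # creating Security Center\Svc alone is not a finding here
    path = ev.path.lower()
    raw_name = ev.path.rsplit("\\", 1)[-1]
    name = raw_name.lower()
    if path.endswith("\\winlogon\\userinit"):
        entries = [e.strip() for e in ev.value.split(",") if e.strip()]
        extra = [e for e in entries if e.lower() != USERINIT_DEFAULT]
        return Finding("persistence", "Winlogon Userinit hijack", ev.process, ", ".join(extra)) if extra else None
    if "\\currentversion\\run\\" in path:
        return Finding("persistence", f"Run key {raw_name}", ev.process, ev.value)
    if "\\firewallpolicy\\" in path and FIREWALL_BAD.get(name) == ev.value:
        return Finding("defense-evasion", f"Windows Firewall {raw_name}={ev.value}", ev.process, ev.path)
    if "\\security center\\" in path and ev.value == "1" and (name.endswith("override") or name.endswith("disablenotify")):
        return Finding("defense-evasion", f"Security Center {raw_name}=1", ev.process, ev.path)
    if path.endswith("\\policies\\system\\enablelua") and ev.value == "0":
        return Finding("defense-evasion", "UAC disabled (EnableLUA=0)", ev.process, ev.path)
    return None


def scan(lines) -> List[Finding]:
    """Run every line through the parser and classifier, keeping the findings in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            f = classify(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"[{f.tactic}] {f.technique} by {f.process}: {f.detail}")
```

The Userinit rule compares each comma-separated entry against the stock userinit.exe path rather than string-matching the whole value, so it also catches a reordered or additionally padded value; the firewall and Security Center rules key on the specific value that weakens the control, so an administrator re-enabling UAC or the firewall does not trigger them.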
Processes (indentation = parent/child; signatures that fired on each process are listed as bullets)

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc  (PID 2640)
sihost.exe  (PID 2576)
C:\Windows\Explorer.EXE  (PID 2504)
  "C:\Users\Admin\AppData\Local\Temp\2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe"  (PID 3968)
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"  (PID 2596)
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Executes dropped EXE
      - Deletes itself
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\SysWOW64\cmd.exe  (PID 2688)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Conhost.exe  (PID 3428)
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Windows\SysWOW64\attrib.exe  (PID 3372)
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Views/modifies file attributes
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"  (PID 3884)
        - Modifies firewall policy service
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        "C:\Windows\explorer.exe"  (PID 3712)
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"  (PID 3740)
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3540)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 3800)
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca  (PID 3344)
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca  (PID 3324)
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  (PID 2840)
"dwm.exe"  (PID 960)
"fontdrvhost.exe"  (PID 704)
"fontdrvhost.exe"  (PID 700)
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}  (PID 1724)

Reading the chain: the submitted sample (3968) drops Crypted.exe into %TEMP% and runs it. Crypted.exe (2596) installs a byte-identical copy as Documents\MSDCSC\msdcsc.exe (same hashes, see Downloads), registers it in Winlogon\Userinit and the per-user Run key, runs tmpcmd.bat to mark %TEMP% system+hidden via attrib, starts msdcsc.exe and deletes itself. msdcsc.exe (3884) repeats the registry changes, enumerates drives and processes, installs a window hook, and starts explorer.exe and iexplore.exe as children. The cmd.exe and attrib.exe images resolve to C:\Windows\SysWOW64 although the command line names system32: Crypted.exe is a 32-bit process, so its system32 paths are subject to WOW64 file system redirection, which matches the WOW6432Node registry paths in the signatures.
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories (2)
  Modify Existing Service (1)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Defense Evasion
  Bypass User Account Control (1)
  Disabling Security Tools (3)
  Hidden Files and Directories (2)
  Modify Registry (7)
Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  MD5    06f5d39b957927fbf88e7bd337a54c95
  SHA1   1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
  SHA256 37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
  SHA512 42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
  MD5    b774ae3fb1da087e1f83b4f7b2060e5a
  SHA1   97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
  SHA256 adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
  SHA512 f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5    06f5d39b957927fbf88e7bd337a54c95
  SHA1   1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
  SHA256 37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
  SHA512 42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
  Identical hashes to Crypted.exe: the persistent copy is the dropped stage copied unchanged, so one file-hash indicator covers both paths. Note that neither matches the submitted sample's hashes (MD5 43349e08..., SHA256 2a8e8e9b...); the outer file is only the wrapper that drops Crypted.exe.

C:\Windows\SYSTEM.INI
  MD5    351fae79cf197c26b423b438a88ab92b
  SHA1   5c1983b2dd413883df7ab45498622dfd79b6a402
  SHA256 9ccfe517a8394cf2395c1eb7e32c96eeb61b941c6cafcf8776f4436b05d48d12
  SHA512 9a9ea3668590f4ba6843eac2d85627b896a889005e64ed8d3fa219f867cd71f29e24f6f94b129786b1c9665a2b75d49b14dd4d186f8debdb62e87eb284001db9

Memory dumps
  memory/2596-117-0x0000000000000000-mapping.dmp
  memory/2596-120-0x00000000024B0000-0x000000000353E000-memory.dmp  16.6MB
  memory/2596-123-0x0000000000AC0000-0x0000000000BFC000-memory.dmp  1.2MB
  memory/2596-126-0x0000000000AC0000-0x0000000000BFC000-memory.dmp  1.2MB
  memory/2596-127-0x0000000000AC0000-0x0000000000BFC000-memory.dmp  1.2MB
  memory/2688-121-0x0000000000000000-mapping.dmp
  memory/2688-136-0x0000000000E80000-0x0000000000E81000-memory.dmp  4KB
  memory/3372-134-0x0000000000000000-mapping.dmp
  memory/3884-122-0x0000000000000000-mapping.dmp
  memory/3884-129-0x00000000023A0000-0x000000000342E000-memory.dmp  16.6MB
  memory/3884-130-0x0000000000A60000-0x0000000000A61000-memory.dmp  4KB
  memory/3884-131-0x00000000041C0000-0x00000000041C2000-memory.dmp  8KB
  memory/3884-132-0x0000000004210000-0x0000000004211000-memory.dmp  4KB
  memory/3968-114-0x0000000002C50000-0x0000000002C52000-memory.dmp  8KB
  memory/3968-115-0x0000000002C52000-0x0000000002C54000-memory.dmp  8KB
  memory/3968-116-0x0000000002C54000-0x0000000002C55000-memory.dmp  4KB
  The two 16.6MB regions (one per payload process, both matched by the upx YARA rule above) are the unpacked images and are the dumps to take for static analysis; the 1.2MB region of PID 2596 at 0x00AC0000 was dumped three times, i.e. the image region of Crypted.exe.