Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
21-12-2021 13:55
Static task
static1
Behavioral task
behavioral1
Sample
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe
Resource
win10-en-20211208
General
-
Target
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe
-
Size
133KB
-
MD5
2c1a0dcfae1f2014e492f72d9245d654
-
SHA1
3302cc147cf879a92d8e3022e01bb394c5f18aff
-
SHA256
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e
-
SHA512
16fede2805a305b57b890943826dbc0056143302a6596260afba20e9a2088454aa352fc5594a682577c6181de36e9c86fe3bece410f963a49268936866451a8f
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
redline
install
62.182.156.187:56323
Extracted
redline
1
86.107.197.138:38133
Extracted
tofsee
mubrikych.top
oxxyfix.xyz
Extracted
amadey
2.86
2.56.56.210/notAnoob/index.php
Extracted
redline
runpe
142.202.242.172:7667
Signatures
-
Detect Neshta Payload 16 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7DEA.exe family_neshta C:\Users\Admin\AppData\Local\Temp\7DEA.exe family_neshta C:\Users\Admin\AppData\Local\Temp\8201.exe family_neshta C:\Users\Admin\AppData\Local\Temp\8201.exe family_neshta C:\Windows\svchost.com family_neshta C:\odt\OFFICE~1.EXE family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
7DEA.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 7DEA.exe -
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
Processes:
resource yara_rule behavioral1/memory/2960-133-0x0000000000FC0000-0x0000000001038000-memory.dmp family_redline behavioral1/memory/1600-196-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/1600-197-0x000000000041932E-mapping.dmp family_redline behavioral1/memory/1448-214-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/1448-216-0x0000000000419326-mapping.dmp family_redline behavioral1/memory/1156-272-0x000002156CEF0000-0x000002156CF0B000-memory.dmp family_redline behavioral1/memory/4720-339-0x0000000000419326-mapping.dmp family_redline behavioral1/memory/4720-345-0x0000000005720000-0x0000000005D26000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Arkei Stealer Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/692-188-0x0000000000A60000-0x0000000000A7C000-memory.dmp family_arkei behavioral1/memory/692-191-0x0000000000400000-0x000000000081B000-memory.dmp family_arkei -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 29 IoCs
Processes:
F0F3.exe48C9.exe4F04.exe5B68.exe48C9.exe60B9.exe651F.exe6CFF.exe79A3.exe7DEA.exe6CFF.exe8201.exeminecraftPorable.exe651F.exesvchost.comsvchost.com8201.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.exe9543_1~1.EXEsvchost.comsvchost.comleakless.exetkools.exe9ABB.exesvchost.compid process 3748 F0F3.exe 1092 48C9.exe 2960 4F04.exe 692 5B68.exe 1912 48C9.exe 3256 60B9.exe 3080 651F.exe 372 6CFF.exe 1492 79A3.exe 2016 7DEA.exe 1600 6CFF.exe 3964 8201.exe 2416 minecraftPorable.exe 1448 651F.exe 3888 svchost.com 2868 svchost.com 1156 8201.exe 1272 svchost.com 2172 svchost.com 1220 svchost.com 2996 svchost.com 1268 svchost.exe 2028 9543_1~1.EXE 1664 svchost.com 3220 svchost.com 3168 leakless.exe 2712 tkools.exe 1280 9ABB.exe 4288 svchost.com -
Modifies Windows Firewall 1 TTPs
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\9ABB.exe vmprotect C:\Users\Admin\AppData\Local\Temp\9ABB.exe vmprotect -
Deletes itself 1 IoCs
Processes:
pid process 2720 -
Loads dropped DLL 3 IoCs
Processes:
5B68.exepid process 692 5B68.exe 692 5B68.exe 692 5B68.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
4F04.exe9ABB.exepid process 2960 4F04.exe 1280 9ABB.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe48C9.exe6CFF.exe651F.exe9ABB.exedescription pid process target process PID 3916 set thread context of 3488 3916 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe PID 1092 set thread context of 1912 1092 48C9.exe 48C9.exe PID 372 set thread context of 1600 372 6CFF.exe 6CFF.exe PID 3080 set thread context of 1448 3080 651F.exe 651F.exe PID 1280 set thread context of 4720 1280 9ABB.exe RegSvcs.exe -
Drops file in Program Files directory 64 IoCs
Processes:
svchost.com7DEA.exesvchost.comdescription ioc process File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe svchost.com File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 7DEA.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 7DEA.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe 7DEA.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE 7DEA.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe 7DEA.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe 7DEA.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe svchost.com File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE svchost.com File opened for 
modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe 7DEA.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE 7DEA.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe svchost.com File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe svchost.com File opened for modification C:\PROGRA~3\9543_1~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 7DEA.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 7DEA.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe svchost.com File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe 7DEA.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe 7DEA.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE svchost.com File opened for modification 
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe 7DEA.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE svchost.com File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE svchost.com File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe 7DEA.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 7DEA.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 7DEA.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 7DEA.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe svchost.com File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 7DEA.exe -
Drops file in Windows directory 23 IoCs
Processes:
svchost.comsvchost.com7DEA.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.com8201.exesvchost.comsvchost.comsvchost.exedescription ioc process File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 7DEA.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 8201.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 8201.exe File opened for modification C:\Windows\directx.sys svchost.exe File opened for modification C:\Windows\svchost.com svchost.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com -
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exeF0F3.exe48C9.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI F0F3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI F0F3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI F0F3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 48C9.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 48C9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 48C9.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
5B68.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5B68.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5B68.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4416 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
GoLang User-Agent 1 IoCs
Uses the default User-Agent string defined by Go's HTTP packages.
Processes:
description flow ioc HTTP User-Agent header 102 Go-http-client/1.1 -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4632 taskkill.exe -
Modifies registry class 6 IoCs
Processes:
8201.exe9543_1~1.EXE5B68.exe7DEA.exechrome.exe8201.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings 8201.exe Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings 9543_1~1.EXE Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings 5B68.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 7DEA.exe Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings 8201.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exepid process 3488 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe 3488 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 2720 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 2720 -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exeF0F3.exe48C9.exepid process 3488 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe 3748 F0F3.exe 1912 48C9.exe 2720 2720 2720 2720 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
chrome.exepid process 1800 chrome.exe 1800 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
651F.exe6CFF.exe8201.exe4F04.exe6CFF.exedescription pid process Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeDebugPrivilege 3080 651F.exe Token: SeDebugPrivilege 372 6CFF.exe Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeDebugPrivilege 1156 8201.exe Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeDebugPrivilege 2960 4F04.exe Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 
Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeDebugPrivilege 1600 6CFF.exe Token: SeShutdownPrivilege 2720 Token: SeCreatePagefilePrivilege 2720 Token: SeShutdownPrivilege 2720 -
Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
chrome.exepid process 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe 1800 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe48C9.exe6CFF.exe651F.exe79A3.execmd.exedescription pid process target process PID 3916 wrote to memory of 3488 3916 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe PID 3916 wrote to memory of 3488 3916 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe PID 3916 wrote to memory of 3488 3916 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe PID 3916 wrote to memory of 3488 3916 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe PID 3916 wrote to memory of 3488 3916 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe PID 3916 wrote to memory of 3488 3916 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe PID 2720 wrote to memory of 3748 2720 F0F3.exe PID 2720 wrote to memory of 3748 2720 F0F3.exe PID 2720 wrote to memory of 3748 2720 F0F3.exe PID 2720 wrote to memory of 1092 2720 48C9.exe PID 2720 wrote to memory of 1092 2720 48C9.exe PID 2720 wrote to memory of 1092 2720 48C9.exe PID 2720 wrote to memory of 2960 2720 4F04.exe PID 2720 wrote to memory of 2960 2720 4F04.exe PID 2720 wrote to memory of 2960 2720 4F04.exe PID 2720 wrote to memory of 692 2720 5B68.exe PID 2720 wrote to memory of 692 2720 5B68.exe PID 2720 wrote to memory of 692 2720 5B68.exe PID 1092 wrote to memory of 1912 1092 48C9.exe 48C9.exe PID 1092 wrote to memory of 1912 1092 48C9.exe 48C9.exe PID 1092 wrote to memory of 1912 1092 48C9.exe 48C9.exe PID 1092 wrote to memory of 1912 1092 48C9.exe 48C9.exe PID 1092 
wrote to memory of 1912 1092 48C9.exe 48C9.exe PID 1092 wrote to memory of 1912 1092 48C9.exe 48C9.exe PID 2720 wrote to memory of 3256 2720 60B9.exe PID 2720 wrote to memory of 3256 2720 60B9.exe PID 2720 wrote to memory of 3256 2720 60B9.exe PID 2720 wrote to memory of 3080 2720 651F.exe PID 2720 wrote to memory of 3080 2720 651F.exe PID 2720 wrote to memory of 3080 2720 651F.exe PID 2720 wrote to memory of 372 2720 6CFF.exe PID 2720 wrote to memory of 372 2720 6CFF.exe PID 2720 wrote to memory of 372 2720 6CFF.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 3080 wrote to memory of 1448 3080 651F.exe 651F.exe PID 3080 wrote to memory of 1448 3080 651F.exe 651F.exe PID 3080 wrote to memory of 1448 3080 651F.exe 651F.exe PID 2720 wrote to memory of 2360 2720 explorer.exe PID 2720 wrote to memory of 2360 2720 explorer.exe PID 2720 wrote to memory of 2360 2720 explorer.exe PID 2720 wrote to memory of 2360 2720 explorer.exe PID 2720 wrote to memory of 1492 2720 79A3.exe PID 2720 wrote to memory of 1492 2720 79A3.exe PID 2720 wrote to memory of 2016 2720 7DEA.exe PID 2720 wrote to memory of 2016 2720 7DEA.exe PID 2720 wrote to memory of 2016 2720 7DEA.exe PID 2720 wrote to memory of 2104 2720 explorer.exe PID 2720 wrote to memory of 2104 2720 explorer.exe PID 2720 wrote to memory of 2104 2720 explorer.exe PID 1492 wrote to memory of 2144 1492 79A3.exe cmd.exe PID 1492 wrote to memory of 2144 1492 79A3.exe cmd.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 372 wrote to memory of 1600 372 6CFF.exe 6CFF.exe PID 2720 wrote to memory of 3964 2720 8201.exe PID 2720 wrote to memory of 3964 2720 8201.exe PID 2720 wrote to memory of 3964 2720 8201.exe PID 2144 wrote to memory of 2416 
2144 cmd.exe minecraftPorable.exe PID 2144 wrote to memory of 2416 2144 cmd.exe minecraftPorable.exe PID 3080 wrote to memory of 1448 3080 651F.exe 651F.exe -
outlook_office_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe"C:\Users\Admin\AppData\Local\Temp\bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe"C:\Users\Admin\AppData\Local\Temp\bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F0F3.exeC:\Users\Admin\AppData\Local\Temp\F0F3.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\48C9.exeC:\Users\Admin\AppData\Local\Temp\48C9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\48C9.exeC:\Users\Admin\AppData\Local\Temp\48C9.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4F04.exeC:\Users\Admin\AppData\Local\Temp\4F04.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5B68.exeC:\Users\Admin\AppData\Local\Temp\5B68.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5B68.exe" & exit2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\5B68.exe & exit3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\60B9.exeC:\Users\Admin\AppData\Local\Temp\60B9.exe1⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ynecqnkv\2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /C mkdir C:\Windows\SysWOW64\ynecqnkv\3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aawmosiz.exe" C:\Windows\SysWOW64\ynecqnkv\2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /C move /Y C:\Users\Admin\AppData\Local\Temp\aawmosiz.exe C:\Windows\SysWOW64\ynecqnkv\3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" create ynecqnkv binPath= "C:\Windows\SysWOW64\ynecqnkv\aawmosiz.exe /d\"C:\Users\Admin\AppData\Local\Temp\60B9.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exeC:\Windows\System32\sc.exe create ynecqnkv binPath= C:\Windows\SysWOW64\ynecqnkv\aawmosiz.exe /d\"C:\Users\Admin\AppData\Local\Temp\60B9.exe\" type= own start= auto DisplayName= wifi support3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" description ynecqnkv "wifi internet conection"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exeC:\Windows\System32\sc.exe description ynecqnkv wifi internet conection3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" start ynecqnkv2⤵
-
C:\Windows\SysWOW64\sc.exeC:\Windows\System32\sc.exe start ynecqnkv3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\System32\netsh.exe advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
C:\Users\Admin\AppData\Local\Temp\651F.exeC:\Users\Admin\AppData\Local\Temp\651F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\651F.exeC:\Users\Admin\AppData\Local\Temp\651F.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6CFF.exeC:\Users\Admin\AppData\Local\Temp\6CFF.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6CFF.exeC:\Users\Admin\AppData\Local\Temp\6CFF.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\79A3.exeC:\Users\Admin\AppData\Local\Temp\79A3.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /C C:\Users\Admin\AppData\Local\\minecraftPorable.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\minecraftPorable.exeC:\Users\Admin\AppData\Local\\minecraftPorable.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exeC:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe 53b9ec25522ad49c12aa6efbec50c126 127.0.0.1:49938 "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-popup-blocking --disable-renderer-backgrounding --disable-sync "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-default-apps --disable-background-networking --disable-breakpad --disable-blink-features=AutomationControlled --mute-audio --no-startup-window --disable-dev-shm-usage --metrics-recording-only --enable-features=NetworkService,NetworkServiceInProcess --disable-prompt-on-repost --remote-debugging-port=0 --force-color-profile=srgb --disable-ipc-flooding-protection --disable-hang-monitor --enable-automation --use-mock-keychain --disable-features=site-per-process,TranslateUI --disable-background-timer-throttling --disable-component-extensions-with-background-pages --disable-client-side-phishing-detection --no-first-run --disable-backgrounding-occluded-windows4⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-popup-blocking --disable-renderer-backgrounding --disable-sync "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-default-apps --disable-background-networking --disable-breakpad --disable-blink-features=AutomationControlled --mute-audio --no-startup-window --disable-dev-shm-usage --metrics-recording-only --enable-features=NetworkService,NetworkServiceInProcess --disable-prompt-on-repost --remote-debugging-port=0 --force-color-profile=srgb --disable-ipc-flooding-protection --disable-hang-monitor --enable-automation --use-mock-keychain --disable-features=site-per-process,TranslateUI --disable-background-timer-throttling --disable-component-extensions-with-background-pages --disable-client-side-phishing-detection --no-first-run --disable-backgrounding-occluded-windows
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xdc,0xe0,0xe4,0xb8,0xe8,0x7ff8d2534f50,0x7ff8d2534f60,0x7ff8d2534f70
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,13877167432357308502,4664822764436164580,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,13877167432357308502,4664822764436164580,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=2300 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1624,13877167432357308502,4664822764436164580,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2940 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1624,13877167432357308502,4664822764436164580,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=4336 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,13877167432357308502,4664822764436164580,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=4752 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 6)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,13877167432357308502,4664822764436164580,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=5412 /prefetch:8
-
C:\Windows\system32\taskkill.exe (depth 5)
Command line: taskkill /t /f /pid 1800
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\7DEA.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\7DEA.exe
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\explorer.exe (depth 1)
Command line: C:\Windows\explorer.exe
-
C:\Users\Admin\AppData\Local\Temp\8201.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\8201.exe
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com (depth 2)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exe"
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exe (depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com (depth 4)
Command line: "C:\Windows\svchost.com" "C:\PROGRA~3\9543_1~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~3\9543_1~1.EXE (depth 5)
Command line: C:\PROGRA~3\9543_1~1.EXE
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com (depth 6)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe (depth 7)
Command line: C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9ABB.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\9ABB.exe
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
-
\??\c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- Executes dropped EXE
- Drops file in Windows directory
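The tree above is the report's raw process list. As an added example, not part of the sandbox report, the following Python rebuilds parent/child links from the depth numbers and runs the heuristics a detection engineer would write against this shape of tree: the Neshta `svchost.com` wrapper and the clean original it launches from a `3582-490` directory, a .NET framework utility (`RegSvcs.exe`) started with no arguments by a binary outside the Windows and Program Files trees (the shape that goes with the `SetThreadContext` flag on `9ABB.exe`), a browser started with `--remote-debugging-port` under an ancestor in a user-writable directory, and a parentless 32-bit `explorer.exe`. `SAMPLE_TREE` is a constructed excerpt of the entries above with Chrome's flags cut down to the ones the rules inspect; the rule names and the trusted-directory list are this example's own assumptions.

```python
"""Rebuild a sandbox process tree from (depth, image, command line) rows and
run parent/child heuristics over it. Added example with a constructed excerpt
of the tree above; rule names and the trusted-directory list are assumptions."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Excerpt of the report's tree; Chrome's flags are cut down to the ones inspected.
SAMPLE_TREE = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\79A3.exe", r"C:\Users\Admin\AppData\Local\Temp\79A3.exe"),
    (2, r"C:\Windows\system32\cmd.exe", r"cmd /C C:\Users\Admin\AppData\Local\\minecraftPorable.exe"),
    (3, r"C:\Users\Admin\AppData\Local\minecraftPorable.exe", r"C:\Users\Admin\AppData\Local\\minecraftPorable.exe"),
    (4, r"C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe",
     r"C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe "
     r'53b9ec25522ad49c12aa6efbec50c126 127.0.0.1:49938 "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=0 --enable-automation'),
    (5, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-sync "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" '
     r"--disable-blink-features=AutomationControlled --no-startup-window --remote-debugging-port=0 --enable-automation --use-mock-keychain --no-first-run"),
    (1, r"C:\Users\Admin\AppData\Local\Temp\8201.exe", r"C:\Users\Admin\AppData\Local\Temp\8201.exe"),
    (2, r"C:\Windows\svchost.com", r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exe"'),
    (3, r"C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exe", r"C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exe"),
    (1, r"C:\Users\Admin\AppData\Local\Temp\9ABB.exe", r"C:\Users\Admin\AppData\Local\Temp\9ABB.exe"),
    (2, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    (1, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumption
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
NESHTA_STASH = "\\3582-490\\"  # assumption: where Neshta keeps the clean original


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> List[str]:
    """Split on whitespace outside double quotes. Windows does not treat
    backslashes as escapes, so shlex would mangle these paths."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def build_tree(rows) -> List[Proc]:
    """A row's parent is the nearest preceding row one level shallower, which
    is how the indented list in the report encodes the tree."""
    procs: List[Proc] = []
    stack: List[Proc] = []
    for depth, image, cmdline in rows:
        proc = Proc(depth, image, cmdline)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        proc.parent = stack[-1] if stack else None
        stack.append(proc)
        procs.append(proc)
    return procs


def trusted(image: str) -> bool:
    return image.lower().startswith(TRUSTED_DIRS)


def ancestors(proc: Proc) -> Iterator[Proc]:
    while proc.parent is not None:
        proc = proc.parent
        yield proc


def detect(procs: List[Proc]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs; the rule names are this example's own."""
    hits: List[Tuple[str, str]] = []
    for p in procs:
        args = split_cmdline(p.cmdline)[1:]
        # Neshta repoints the .exe file association at C:\Windows\svchost.com, which
        # then runs the clean copy the infector stashed under a 3582-490 directory.
        if p.name == "svchost.com" and p.image.lower().startswith("c:\\windows\\"):
            hits.append(("neshta_wrapper", p.image))
        if NESHTA_STASH in p.image:
            hits.append(("neshta_stashed_original", p.image))
        # A .NET utility started with no arguments by a parent outside the trusted
        # trees: the shape of hollowing, matching the SetThreadContext flag above.
        if p.name in DOTNET_UTILITIES and not args and p.parent and not trusted(p.parent.image):
            hits.append(("dotnet_utility_hollowing", p.image))
        # A browser opened for DevTools remote control with an untrusted ancestor:
        # profile data is read through the browser itself rather than from disk.
        if (p.name in ("chrome.exe", "msedge.exe")
                and any(a.startswith("--remote-debugging-port") for a in args)
                and any(not trusted(anc.image) for anc in ancestors(p))):
            hits.append(("remote_debug_browser", p.image))
        # The shell is started 64-bit by userinit; a parentless SysWOW64 copy is
        # not how explorer.exe starts, so treat it as an injection target.
        if p.parent is None and p.image.lower() == r"c:\windows\syswow64\explorer.exe":
            hits.append(("wow64_explorer_root", p.image))
    return hits
```

`detect(build_tree(SAMPLE_TREE))` fires `remote_debug_browser` on the Chrome entry, `neshta_wrapper` and `neshta_stashed_original` on the `svchost.com` chain, `dotnet_utility_hollowing` on `RegSvcs.exe` and `wow64_explorer_root` on the SysWOW64 `explorer.exe`; the `taskkill` and Chrome helper processes produce nothing. Feed it real process-creation telemetry by building the rows from parent/child PIDs instead of depth numbers.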
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
-
C:\PROGRA~3\9543_1~1.EXE
MD5 47d324d0398317af1f842dd2a271c3f0
SHA1 045937d0083abe615ce4780684f500dfde4c550b
SHA256 0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50
SHA512 ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\651F.exe.log
MD5 41fbed686f5700fc29aaccf83e8ba7fd
SHA1 5271bc29538f11e42a3b600c8dc727186e912456
SHA256 df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7DEA.exe
MD5 f997fc9407991062241af5442395f248
SHA1 65e35087a12acb4e7cf06fefd944c812300c53ef
SHA256 aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623
SHA512 32d9b1c9c08085d803979d472b7a8f20e4e710c2fc9113abb6126116d5e693d7d7f3183d11ecae01e504c30c3bc9b79ad88448574e7c9e78c7f0ce0516a70d7b
-
C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exe
MD5 f997fc9407991062241af5442395f248
SHA1 65e35087a12acb4e7cf06fefd944c812300c53ef
SHA256 aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623
SHA512 32d9b1c9c08085d803979d472b7a8f20e4e710c2fc9113abb6126116d5e693d7d7f3183d11ecae01e504c30c3bc9b79ad88448574e7c9e78c7f0ce0516a70d7b
-
C:\Users\Admin\AppData\Local\Temp\48C9.exe
MD5 2c1a0dcfae1f2014e492f72d9245d654
SHA1 3302cc147cf879a92d8e3022e01bb394c5f18aff
SHA256 bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e
SHA512 16fede2805a305b57b890943826dbc0056143302a6596260afba20e9a2088454aa352fc5594a682577c6181de36e9c86fe3bece410f963a49268936866451a8f
-
C:\Users\Admin\AppData\Local\Temp\4F04.exe
MD5 59094e421f8439c4821cb0495bfd8347
SHA1 ddfa7d36c87eef41e7d176e1af6ff63b37b286dc
SHA256 62c9783a27cb9e571bc11445b831f00333197d3c4671c08f04f785d85569499e
SHA512 4c942cc684b2186e37259e3f56b51d065926a616fc61c41df3a460f39c96ebf521492925cdef8bfd305532809f39fd12261c0f44a21769d224581c2e178c3c1f
-
C:\Users\Admin\AppData\Local\Temp\5B68.exe
MD5 4196ab9275b38952e33be3b85fcfba56
SHA1 dada6e74d96ee7fd39c52658071d47faed356bd9
SHA256 31098dc3c81c829f57c1102c13e394425cc6556e617506ee8feb2742838a165d
SHA512 a794fd046545adca5e536d68ef8e3aadf29327776e768a6c64826766eeb0d62ff69dc3909b52fa4b5cb4e0cc058f122f9f81217d31d43fdedf141e943e91ec87
-
C:\Users\Admin\AppData\Local\Temp\60B9.exe
MD5 25a4ae1edc111049cf65a377dcfe49e7
SHA1 45e15e673bb3d7ec6338424130ae96358ce58a1b
SHA256 d186f2b298fd054bb50597cb2be85f102ab6aceeb1ff8ad3b1f7c735cda2ceea
SHA512 8812880bd0fc95957a12bb16eb3b91101d53989ffd2ec54b43503890c7bad2b3e3dcbe70cb74cb6973483d0b09d01e30573e4d4f890effb780b65a6144780d7a
-
C:\Users\Admin\AppData\Local\Temp\651F.exe
MD5 224016e7d9a073ce240c6df108ba0ebb
SHA1 e5289609b29c0ab6b399e100c9f87fc39b29ac61
SHA256 9c55d8b1e171b21b41833dcbab1b07157f3bd3a12a06578c9063a211bb0bc61e
SHA512 a8f705f75dc0e1b98e22ecaa2995d763b1bbf231c5e0ad4a24390fde1ab6ebb27dc6aac3fcc27026090e90c98a96c47a39c9220e3d119f7072921b89a058e0fa
-
C:\Users\Admin\AppData\Local\Temp\6CFF.exe
MD5 f497ff63ca89d5513a63de1dc1bae58f
SHA1 ca6b819d4c0d27d5d737f2dc70109b87b6344bef
SHA256 ce9422ae9f6eb554748eaf832be6aced3f5ac556ed53734573c43a6e34198241
SHA512 6729da8220b548fa8b9d9f23ae39330a5dcb4ac22597121ce56dca6d433ac061502d6c270032135b321d6f4d79b4f0e7299efa961f8c7a3a49508be06cbab02a
-
C:\Users\Admin\AppData\Local\Temp\79A3.exe
MD5 598230bc6d2ff794f9b6811fba0bb35c
SHA1 e438892d567d43a4ca45a7644dac5f54d45da9b0
SHA256 795716ae31ce9648606b8948aed15aa1c7cd75506d5c7fe811b8a02d52a1f8c7
SHA512 4aabe98a1ce24720f9d13041cbdec9cb6893014db2e425d57ab9fb172a1863649e877fc0cc56cb36985b4ab4c3f543459e198eff41496266955a74732fc09545
-
C:\Users\Admin\AppData\Local\Temp\7DEA.exe
MD5 7df62e61b9b349f8f540410d6ae435fe
SHA1 e92166335343fce4ee637a6e207b2521f60edb11
SHA256 886b0ccaf90c375e204631606396feee470aaf07e4c2f30608f45c4d72f1fb28
SHA512 433835309d04ffecd460eb588b01dbb9bfa40533b256c5daf6d1c1c8a5b14060d2c67894aeb66b74bb868709d68394c9404bf8c10656a9568d83bde4d12d60e8
-
C:\Users\Admin\AppData\Local\Temp\8201.exe
MD5 7df62e61b9b349f8f540410d6ae435fe
SHA1 e92166335343fce4ee637a6e207b2521f60edb11
SHA256 886b0ccaf90c375e204631606396feee470aaf07e4c2f30608f45c4d72f1fb28
SHA512 433835309d04ffecd460eb588b01dbb9bfa40533b256c5daf6d1c1c8a5b14060d2c67894aeb66b74bb868709d68394c9404bf8c10656a9568d83bde4d12d60e8
-
C:\Users\Admin\AppData\Local\Temp\9ABB.exe
MD5 f50a1f1c924fe3a01824d7c19ad0dd56
SHA1 1fae3aeb4596b343c6aeb02562f0314063056adc
SHA256 af3c749fd0fcb417b8d7f3da9a8aad0d759ac5bd712d8fb0377953e43282bfc9
SHA512 4d5ed128e2eba4c5c24aed96d8c6b03ff5b5f1d429eae58961972e4ae658ed707c9190626aca771ce85cb2145e9771e7729e245f2df7a81d9a2e0d3d79a04685
-
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
MD5 47d324d0398317af1f842dd2a271c3f0
SHA1 045937d0083abe615ce4780684f500dfde4c550b
SHA256 0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50
SHA512 ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823
-
C:\Users\Admin\AppData\Local\Temp\F0F3.exe
MD5 a8a8787a0f769aa7cbdb2d11fb779dc2
SHA1 56e4829e297cfe75df0c4980a7dd924cb044832c
SHA256 fa0af253c647552fb1ce6e8fd60919b79a66368c162432575a0d237ad8e36239
SHA512 34371059a59571c4d85506c330308e5f255e9153b8adf3a2e5d9c1afd6244415ff057809a3cc294567fb84f42bb3728205fc65e8500adaa77414bf36c6996690
-
C:\Users\Admin\AppData\Local\Temp\aawmosiz.exe
MD5 f2d461c4681f2d84d1bbc3cd76e81cf1
SHA1 81e301fabead324316d886993e8c660c692098cb
SHA256 f4bc2c8a2788650999f02c04e208bea397ab57b279e326dc0c2f32c331c441b1
SHA512 2a93d2f598c972004e390122b46f3d90c37997f7aa7242293583e92c0d4b3e0e2405a69195d65e67921d9411c18e7a47ae4e3f546cf5e9d461a688318836b2bd
-
C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
MD5 3ea012e26f60ab84a7cf5ad579a83cf4
SHA1 3bd5db30c5a7c8f98a8ccffef341bdd185d3293f
SHA256 6239686d69c87891881710569472e327dadbce031d98f08fea0f98d8c1d62399
SHA512 f3272c880671a1a7a877682f1637ee8e4095990156bee13a41da79ddeb466e540268fc827ed23ac6748ce37a924dc321936e3df031700d0c551031af967457e0
-
C:\Users\Admin\AppData\Local\minecraftPorable.exe
MD5 2aac5969380ac91002501c385d57d236
SHA1 2021f919eb3226f49252d1fa86f0c9fc3aefc62b
SHA256 141693c4adc242fa058339cc94308831f0bbfc8aad5772b4bc44c76d7f7238d0
SHA512 0bb16fd6d1690e57214ea3ae8f72b28449ce74a05781689396be00fe9d0deb4a2da11d29e38ada1a1b0b33771d1c25a9513eb03c99547d9b93606bb741dfb0a6
-
C:\Windows\directx.sys
MD5 5e9eb1fb9ad853323a0718e2ca2ea0b2
SHA1 48bf7c520861d10f1c9399212f2ead5a0132c5f9
SHA256 0823ac493b32655cbb45effaef1da6196eed28b151c75393556fa1cce5d7cf36
SHA512 4d9e8658cce77c798f973e0211f032def8e07fe0518a898c2308308d632e6bed4429fa6c8d109bb7d7451eedacaec6834e0bde19c5bc70f6fd4edc763881a46b
-
C:\Windows\directx.sys
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\directx.sys
MD5 f67649ddc0009647997664ce433fea54
SHA1 7f0c61429c24c2d14c51eb1cd40d51214635c0ee
SHA256 171924b745322cb371a7b034e424c7875466eea0d1679009fa8671624856e81a
SHA512 1cf2501347ef7dcacadac7ff80a498f25120db600db1d203a7e97ddc257b6898b57068e2e5e9bc138effb3118f3231891cde8b23ff557aef916348e46da0a614
-
C:\Windows\directx.sys
MD5 a858dbaad3ae67af13e2f1aa6aec073a
SHA1 4374e080ce5bd1d4599f6d4566df88a2e4d8dc02
SHA256 efe110602e37962b873d680775c0c0aab255da224ddebba201bfdcf5db6f44d3
SHA512 0b97c297de264138344db5ec88c3792bb3a5cbecfdcf01f2330d8d0074aa781f36b687112e5dabd6883c7ffb76eaace766882208feaa1ce5ec4fd98aa118d3b5
-
C:\Windows\directx.sys
MD5 1baf1c4e42075b429024d7b3f4ee99f2
SHA1 0f442777087ee5791f951babbf77433a81adc819
SHA256 ad7142c38a0d3fac07dc62360a9d36d3e94a554509ef7c9d27b7f98e8680662b
SHA512 0c5992129853f06b35c57a05fd8d8304de6bc7f89b99c456d022a2790da40647937eb45ac2958bc258d1089fe6c729421fb77a32dc2cd71fe84577367c81a3a4
-
C:\Windows\directx.sys
MD5 71f8fed2f7319d2cba3ceeb36f4a1d02
SHA1 da59b0edd1228f1c1492ff9c90d4807daccdfc92
SHA256 0f697767616914c110675dc4977f3d36cf433fbb1902d4172427814a734c2902
SHA512 99e6d6f70896c2359deb9ae7d8cb5f004a4728da87e82c782069ea86766a5967b83b617fa42ffe7a398953cce4633e38af88df96c11f09e0f015655c482bf1b3
-
C:\Windows\directx.sys
MD5 d0b8bb96d21c59a41a893abba66d0ba5
SHA1 613764f166b85a0e38db36295727f40a749ef9ed
SHA256 3377af3e7dab76260934de695700b6814bb8152366f53ffb79e3116fc94d2fe5
SHA512 2b8ed198cf8ba5d2d1490a737c3666565b434fd8503195f968932686c2654ea323d6c0c4795c89bc6560a39ff4e6df2cc793e1a0b71f6e2c78b242b1a509d972
-
C:\Windows\directx.sys
MD5 cd29019bf5af0b107242172aa8978610
SHA1 671bd3eeee185582ed06662718cd54261935a434
SHA256 4c2215240ae892a83d680ba3cfd0fd2e06e9f88e48286cf8d87a6ed0067b5181
SHA512 45cc8ed8673b9856e8754113a8a2cc5e7cbaa98faaf5a1eff1bb32b20e1a7c7f3b39002f7a478790b56e7156301cedcc304745ef56cc082567ac5ecbf1fe21d5
-
C:\Windows\svchost.com
MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\odt\OFFICE~1.EXE
MD5 02c3d242fe142b0eabec69211b34bc55
SHA1 ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
\??\pipe\crashpad_1800_LPQFIQBNOTHCXCWK
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\ProgramData\sqlite3.dll
MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
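The Downloads list above repeats one entry per write event and, as extracted, glues the hash label to the path. As an added example, not part of the report, the following Python parses that fused layout, validates each digest's length, collapses the list by SHA256 so that files sharing bytes under different names are listed together (`7DEA.exe` and `8201.exe`, `9543_1~1.EXE` and `tkools.exe`, `48C9.exe` and the submitted sample), pairs each Neshta-infected executable with the clean original stashed under `3582-490`, and flags entries hashed while the file was still empty. `SAMPLE_LIST` is an excerpt copied from the list above with the SHA1 and SHA512 lines dropped; the `3582-490` pairing rule is an assumption about Neshta's stash directory, consistent with the `svchost.com` entries in the process tree.

```python
"""Parse a sandbox report's fused dropped-file list and cross-check the digests.
Added example; SAMPLE_LIST is an excerpt of the Downloads list above, kept in
the page's own layout (label glued to the path, SHA1/SHA512 lines dropped)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^(?P<path>.+?)(?P<alg>MD5|SHA1|SHA256|SHA512)$")
ALG_HEX_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512)(?P<hex>[0-9a-fA-F]+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,128}$")
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of zero bytes
NESHTA_STASH = "\\3582-490\\"  # assumption: where Neshta keeps the clean original

SAMPLE_LIST = r"""
C:\Users\Admin\AppData\Local\Temp\48C9.exeMD5
2c1a0dcfae1f2014e492f72d9245d654
SHA256bd4c3123f7780eebb986923c6811985a6d2dd518b00d8d1bbba035c72505f49e
-
C:\Users\Admin\AppData\Local\Temp\7DEA.exeMD5
7df62e61b9b349f8f540410d6ae435fe
SHA256886b0ccaf90c375e204631606396feee470aaf07e4c2f30608f45c4d72f1fb28
-
C:\Users\Admin\AppData\Local\Temp\8201.exeMD5
7df62e61b9b349f8f540410d6ae435fe
SHA256886b0ccaf90c375e204631606396feee470aaf07e4c2f30608f45c4d72f1fb28
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7DEA.exeMD5
f997fc9407991062241af5442395f248
SHA256aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623
-
C:\Users\Admin\AppData\Local\Temp\3582-490\8201.exeMD5
f997fc9407991062241af5442395f248
SHA256aafd6e7487c5c216557edd7a6d58fd7e24a5d8f37d0081cc79949173b0822623
-
C:\Windows\svchost.comMD5
36fd5e09c417c767a952b4609d73a54b
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
-
C:\Windows\svchost.comMD5
36fd5e09c417c767a952b4609d73a54b
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
-
C:\Windows\directx.sysMD5
d41d8cd98f00b204e9800998ecf8427e
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
"""


def _store(entry: Dict, alg: str, digest: str) -> None:
    if len(digest) != DIGEST_LEN[alg]:
        raise ValueError(f"{entry['path']}: {alg} digest has {len(digest)} hex chars")
    entry["hashes"][alg] = digest.lower()


def parse_dropped_files(text: str) -> List[Dict]:
    """An entry is '<path><ALG>', that digest on the next line, then '<ALG><hex>'
    lines up to a '-' separator. Anything else is a parse error, not skipped."""
    entries: List[Dict] = []
    current, pending = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if pending and HEX_RE.match(line):
            _store(current, pending, line)
            pending = None
        elif current is not None and (m := ALG_HEX_RE.match(line)):
            _store(current, m["alg"], m["hex"])
        elif m := PATH_RE.match(line):
            current = {"path": m["path"], "hashes": {}}
            entries.append(current)
            pending = m["alg"]
        elif line in ("", "-"):
            current, pending = None, None
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return entries


def by_sha256(entries: List[Dict]) -> Dict[str, List[str]]:
    """One entry per write event collapses to one per distinct content; paths
    under the same digest are the same bytes under different names."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        paths = groups[e["hashes"]["SHA256"]]
        if e["path"] not in paths:
            paths.append(e["path"])
    return dict(groups)


def neshta_pairs(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Pair the infected dir/name with the stashed clean dir/3582-490/name:
    same basename, different digest."""
    stashed = {e["path"].lower().replace(NESHTA_STASH, "\\"): e
               for e in entries if NESHTA_STASH in e["path"]}
    pairs: List[Tuple[str, str]] = []
    for e in entries:
        orig = stashed.get(e["path"].lower())
        if orig and orig["hashes"]["SHA256"] != e["hashes"]["SHA256"]:
            pair = (e["path"], orig["path"])
            if pair not in pairs:
                pairs.append(pair)
    return pairs


def empty_files(entries: List[Dict]) -> List[str]:
    """Entries hashed while the file had no content yet."""
    return sorted({e["path"] for e in entries if e["hashes"].get("SHA256") == EMPTY_SHA256})


SAMPLE_ENTRIES = parse_dropped_files(SAMPLE_LIST)
```

On the excerpt, `by_sha256(SAMPLE_ENTRIES)` yields five distinct digests from eight entries, `neshta_pairs` returns the two Temp executables paired with their `3582-490` originals, and `empty_files` returns `C:\Windows\directx.sys`. The strict parser is deliberate: a silently skipped line in an IOC list is worse than a parse error.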
-
memory/372-174-0x00000000058E0000-0x00000000058E1000-memory.dmp (4KB)
-
memory/372-171-0x0000000000E90000-0x0000000000E91000-memory.dmp (4KB)
-
memory/372-168-0x0000000000000000-mapping.dmp
-
memory/372-175-0x0000000003080000-0x0000000003081000-memory.dmp (4KB)
-
memory/588-276-0x0000000000000000-mapping.dmp
-
memory/692-188-0x0000000000A60000-0x0000000000A7C000-memory.dmp (112KB)
-
memory/692-150-0x0000000000000000-mapping.dmp
-
memory/692-187-0x0000000000A40000-0x0000000000A51000-memory.dmp (68KB)
-
memory/692-191-0x0000000000400000-0x000000000081B000-memory.dmp (4.1MB)
-
memory/1092-153-0x0000000000860000-0x0000000000869000-memory.dmp (36KB)
-
memory/1092-127-0x0000000000000000-mapping.dmp
-
memory/1156-272-0x000002156CEF0000-0x000002156CF0B000-memory.dmp (108KB)
-
memory/1156-237-0x0000000000000000-mapping.dmp
-
memory/1156-239-0x0000021552840000-0x0000021552841000-memory.dmp (4KB)
-
memory/1156-243-0x0000021552CF0000-0x0000021552D0F000-memory.dmp (124KB)
-
memory/1156-256-0x000002156CF20000-0x000002156CF22000-memory.dmp (8KB)
-
memory/1156-292-0x000002156E870000-0x000002156E871000-memory.dmp (4KB)
-
memory/1220-257-0x0000000000000000-mapping.dmp
-
memory/1268-263-0x0000000000000000-mapping.dmp
-
memory/1272-244-0x0000000000000000-mapping.dmp
-
memory/1280-287-0x0000000000000000-mapping.dmp
-
memory/1280-312-0x0000000000F60000-0x0000000000F61000-memory.dmp (4KB)
-
memory/1280-301-0x0000000000AF0000-0x0000000000AF1000-memory.dmp (4KB)
-
memory/1428-270-0x0000000000000000-mapping.dmp
-
memory/1448-214-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
-
memory/1448-216-0x0000000000419326-mapping.dmp
-
memory/1448-241-0x00000000053B0000-0x00000000059B6000-memory.dmp (6.0MB)
-
memory/1492-179-0x0000000000000000-mapping.dmp
-
memory/1600-220-0x0000000005130000-0x0000000005736000-memory.dmpFilesize
6.0MB
-
memory/1600-302-0x0000000007950000-0x0000000007951000-memory.dmpFilesize
4KB
-
memory/1600-197-0x000000000041932E-mapping.dmp
-
memory/1600-196-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1664-273-0x0000000000000000-mapping.dmp
-
memory/1788-232-0x0000000000000000-mapping.dmp
-
memory/1912-155-0x0000000000402F47-mapping.dmp
-
memory/2016-182-0x0000000000000000-mapping.dmp
-
memory/2028-267-0x0000000000000000-mapping.dmp
-
memory/2104-185-0x0000000000000000-mapping.dmp
-
memory/2104-189-0x0000000000DF0000-0x0000000000DF7000-memory.dmpFilesize
28KB
-
memory/2104-190-0x0000000000DE0000-0x0000000000DEC000-memory.dmpFilesize
48KB
-
memory/2144-186-0x0000000000000000-mapping.dmp
-
memory/2172-251-0x0000000000000000-mapping.dmp
-
memory/2360-194-0x00000000036E0000-0x000000000374B000-memory.dmpFilesize
428KB
-
memory/2360-178-0x0000000000000000-mapping.dmp
-
memory/2360-193-0x0000000003750000-0x00000000037C4000-memory.dmpFilesize
464KB
-
memory/2416-209-0x0000000000000000-mapping.dmp
-
memory/2712-285-0x0000000000000000-mapping.dmp
-
memory/2720-176-0x0000000004D30000-0x0000000004D46000-memory.dmpFilesize
88KB
-
memory/2720-119-0x0000000001280000-0x0000000001296000-memory.dmpFilesize
88KB
-
memory/2720-126-0x0000000003160000-0x0000000003176000-memory.dmpFilesize
88KB
-
memory/2804-248-0x0000000000000000-mapping.dmp
-
memory/2868-229-0x0000000000000000-mapping.dmp
-
memory/2960-134-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/2960-138-0x0000000000FC0000-0x0000000000FC1000-memory.dmpFilesize
4KB
-
memory/2960-145-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/2960-146-0x0000000073DA0000-0x0000000074324000-memory.dmpFilesize
5.5MB
-
memory/2960-135-0x0000000073A60000-0x0000000073C22000-memory.dmpFilesize
1.8MB
-
memory/2960-195-0x00000000055C0000-0x00000000055C1000-memory.dmpFilesize
4KB
-
memory/2960-130-0x0000000000000000-mapping.dmp
-
memory/2960-147-0x00000000752A0000-0x00000000765E8000-memory.dmpFilesize
19.3MB
-
memory/2960-142-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/2960-250-0x0000000006820000-0x0000000006821000-memory.dmp
Filesize
4KB
-
memory/2960-140-0x0000000071AB0000-0x0000000071B30000-memory.dmp
Filesize
512KB
-
memory/2960-277-0x00000000076A0000-0x00000000076A1000-memory.dmp
Filesize
4KB
-
memory/2960-148-0x00000000052E0000-0x00000000052E1000-memory.dmp
Filesize
4KB
-
memory/2960-149-0x000000006FD00000-0x000000006FD4B000-memory.dmp
Filesize
300KB
-
memory/2960-133-0x0000000000FC0000-0x0000000001038000-memory.dmp
Filesize
480KB
-
memory/2960-144-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
Filesize
4KB
-
memory/2960-141-0x0000000005810000-0x0000000005811000-memory.dmp
Filesize
4KB
-
memory/2960-137-0x00000000744C0000-0x00000000745B1000-memory.dmp
Filesize
964KB
-
memory/2960-136-0x0000000000CB0000-0x0000000000CF5000-memory.dmp
Filesize
276KB
-
memory/2960-143-0x0000000005370000-0x0000000005371000-memory.dmp
Filesize
4KB
-
memory/2996-261-0x0000000000000000-mapping.dmp
-
memory/3080-177-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
Filesize
4KB
-
memory/3080-160-0x0000000000000000-mapping.dmp
-
memory/3080-163-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
Filesize
4KB
-
memory/3080-173-0x00000000031A0000-0x00000000031A1000-memory.dmp
Filesize
4KB
-
memory/3080-165-0x0000000005690000-0x0000000005691000-memory.dmp
Filesize
4KB
-
memory/3080-166-0x0000000003010000-0x0000000003011000-memory.dmp
Filesize
4KB
-
memory/3080-167-0x0000000005720000-0x0000000005721000-memory.dmp
Filesize
4KB
-
memory/3168-279-0x0000000000000000-mapping.dmp
-
memory/3220-278-0x0000000000000000-mapping.dmp
-
memory/3256-215-0x0000000000930000-0x0000000000943000-memory.dmp
Filesize
76KB
-
memory/3256-157-0x0000000000000000-mapping.dmp
-
memory/3256-213-0x0000000000030000-0x000000000003D000-memory.dmp
Filesize
52KB
-
memory/3256-218-0x0000000000400000-0x0000000000818000-memory.dmp
Filesize
4.1MB
-
memory/3488-117-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/3488-118-0x0000000000402F47-mapping.dmp
-
memory/3696-254-0x0000000000000000-mapping.dmp
-
memory/3748-124-0x00000000001D0000-0x00000000001D9000-memory.dmp
Filesize
36KB
-
memory/3748-123-0x00000000006C6000-0x00000000006D7000-memory.dmp
Filesize
68KB
-
memory/3748-120-0x0000000000000000-mapping.dmp
-
memory/3748-125-0x0000000000400000-0x00000000004D2000-memory.dmp
Filesize
840KB
-
memory/3888-227-0x0000000000000000-mapping.dmp
-
memory/3916-115-0x0000000000030000-0x0000000000038000-memory.dmp
Filesize
32KB
-
memory/3916-116-0x0000000000940000-0x0000000000A8A000-memory.dmp
Filesize
1.3MB
-
memory/3964-204-0x0000000000000000-mapping.dmp
-
memory/4060-260-0x0000000000000000-mapping.dmp
-
memory/4288-321-0x0000000000000000-mapping.dmp
-
memory/4368-322-0x0000000000000000-mapping.dmp
-
memory/4416-323-0x0000000000000000-mapping.dmp
-
memory/4632-332-0x0000000000000000-mapping.dmp
-
memory/4720-339-0x0000000000419326-mapping.dmp
-
memory/4720-345-0x0000000005720000-0x0000000005D26000-memory.dmp
Filesize
6.0MB
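The dump names in this listing follow a fixed scheme: memory/PID-sequence-ADDRESS-mapping.dmp for a mapping dump with a single address, and memory/PID-sequence-START-END-memory.dmp for a region dump, whose Filesize is the report's rounded size of that range. The parser below is an added example, not part of the sandbox report or its tooling. It reads lines in the form shown above (including the fused "...memory.dmpFilesize" form the raw page renders), checks each stated Filesize against the range encoded in the name, and lists processes whose mapping dump points at a non-zero address together with the region dump of that PID that contains the address. The sample lines are copied from the listing above; the reading of a non-zero mapping address as the point where code was mapped into the target process, and therefore of the containing region dump as the one to pull for unpacked-payload analysis, is this editor's assumption, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Lines copied from the memory-dump listing above. The size line is the
# "Filesize" value printed after each -memory.dmp entry; the first region
# line is kept in the fused form the raw page renders.
SAMPLE_LISTING = """\
memory/1600-197-0x000000000041932E-mapping.dmp
memory/1600-196-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
memory/1664-273-0x0000000000000000-mapping.dmp
memory/2960-147-0x00000000752A0000-0x00000000765E8000-memory.dmp
Filesize
19.3MB
memory/3256-218-0x0000000000400000-0x0000000000818000-memory.dmp
Filesize
4.1MB
memory/4720-339-0x0000000000419326-mapping.dmp
memory/3748-125-0x0000000000400000-0x00000000004D2000-memory.dmp
Filesize
840KB
"""

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(KB|MB|GB|B)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class Dump:
    pid: int
    seq: int
    kind: str                          # "region" (-memory.dmp) or "mapping" (-mapping.dmp)
    start: int                         # region start, or the single mapping address
    end: Optional[int] = None          # region end (exclusive); None for mapping dumps
    stated_size: Optional[str] = None  # the report's rounded Filesize, e.g. "19.3MB"

    @property
    def span(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_listing(text: str) -> list[Dump]:
    """Turn the listing into Dump records; raises on any line it does not recognise."""
    dumps: list[Dump] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Filesize"):          # tolerate the fused "...dmpFilesize" form
            line = line[: -len("Filesize")]
        if not line or line in ("-", "Filesize"):
            continue
        if m := REGION_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append(Dump(int(pid), int(seq), "region", int(start, 16), int(end, 16)))
        elif m := MAPPING_RE.match(line):
            pid, seq, addr = m.groups()
            dumps.append(Dump(int(pid), int(seq), "mapping", int(addr, 16)))
        elif SIZE_RE.match(line) and dumps and dumps[-1].kind == "region":
            dumps[-1].stated_size = line       # a size belongs to the preceding region dump
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return dumps


def stated_bytes(size: str) -> tuple[float, float]:
    """(bytes, tolerance) for a rounded size; tolerance is half the last printed digit."""
    m = SIZE_RE.match(size)
    if not m:
        raise ValueError(f"bad size: {size!r}")
    num, unit = m.groups()
    decimals = len(num.split(".")[1]) if "." in num else 0
    return float(num) * UNIT[unit], 0.5 * 10 ** (-decimals) * UNIT[unit]


def size_mismatches(dumps: list[Dump]) -> list[Dump]:
    """Region dumps whose stated Filesize does not match the range in the name."""
    bad = []
    for d in dumps:
        if d.kind == "region" and d.stated_size is not None:
            expected, tol = stated_bytes(d.stated_size)
            if abs(d.span - expected) > tol:
                bad.append(d)
    return bad


def nonzero_mappings(dumps: list[Dump]) -> dict[int, tuple[int, list[tuple[int, int]]]]:
    """PID -> (mapping address, region dumps of that PID that contain the address).

    Assumption, not stated by the report: a non-zero mapping address is where code
    was mapped into the target process. Mapping dumps at 0x0 are skipped.
    """
    regions = [d for d in dumps if d.kind == "region"]
    out = {}
    for d in dumps:
        if d.kind == "mapping" and d.start != 0:
            hits = [(r.start, r.end) for r in regions
                    if r.pid == d.pid and r.start <= d.start < r.end]
            out[d.pid] = (d.start, hits)
    return out


if __name__ == "__main__":
    dumps = parse_listing(SAMPLE_LISTING)
    print(f"{len(dumps)} dumps, {len(size_mismatches(dumps))} size mismatches")
    for pid, (addr, hits) in nonzero_mappings(dumps).items():
        print(f"PID {pid}: mapped at {addr:#x}, containing regions {[(f'{s:#x}', f'{e:#x}') for s, e in hits]}")
```

Run against the full listing, the size check passes for every region dump here (for example 0x752A0000-0x765E8000 is 0x1348000 bytes, which rounds to the stated 19.3MB), and PID 1600's mapping address 0x41932E falls inside its 0x400000-0x420000 region dump, while PID 4720's 0x419326 has no containing region dump in the list, so the parser reports an empty hit list rather than guessing.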