Analysis
  max time kernel: 151s
  max time network: 136s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 21-12-2021 13:34
Static task: static1
Behavioral task: behavioral1
  Sample: caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  Resource: win10-en-20211208
General
  Target: caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  Size: 134KB
  MD5: d8e3bba7e361c5d23a661d62afa53dd9
  SHA1: 58a0ddd2d4dee2a729b956294337656ce8f7c469
  SHA256: caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482
  SHA512: 4c3dbd47bb8be0b8500c60b6395ab45de076a2a951be9eb29cd8769172649b6d27b9b9d7fb7c0e301001c2045f621f7a5046d14d70e305a0a5aa063b7401a8d7
Malware Config
Extracted: smokeloader, version 2020, C2 list:
Extracted: redline, botnet 1, C2 86.107.197.138:38133
Extracted: redline, botnet install, C2 62.182.156.187:56323
Extracted: tofsee, C2 mubrikych.top, oxxyfix.xyz
Extracted: amadey, version 2.86, C2 2.56.56.210/notAnoob/index.php
Extracted: redline, botnet runpe, C2 142.202.242.172:7667
Signatures

Detect Neshta Payload (19 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\19FF.exe | family_neshta
  C:\Users\Admin\AppData\Local\Temp\19FF.exe | family_neshta
  C:\odt\OFFICE~1.EXE | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Users\Admin\AppData\Local\Temp\1D4C.exe | family_neshta
  C:\Users\Admin\AppData\Local\Temp\1D4C.exe | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\Windows\svchost.com | family_neshta
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | family_neshta
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | family_neshta
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | family_neshta
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 19FF.exe
Neshta
Malware in the Neshta family infects other executable files in order to spread itself and cause damage.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/4088-168-0x0000000000419326-mapping.dmp | family_redline
  behavioral1/memory/4088-167-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/3988-182-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/3988-183-0x000000000041932E-mapping.dmp | family_redline
  behavioral1/memory/3868-247-0x0000021871F60000-0x0000021871F7B000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Arkei Stealer Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/3240-161-0x0000000000C60000-0x0000000000C7C000-memory.dmp | family_arkei
  behavioral1/memory/3240-163-0x0000000000400000-0x000000000081B000-memory.dmp | family_arkei

Creates new service(s) (1 TTPs)

Downloads MZ/PE file
Executes dropped EXE (29 IoCs)
Processes:
  pid | process
  2904 | 942D.exe
  2080 | EACA.exe
  3612 | F0B7.exe
  3240 | FBE3.exe
  3036 | EACA.exe
  2872 | 78.exe
  1160 | 4EE.exe
  1140 | C51.exe
  2096 | 15A9.exe
  4088 | 4EE.exe
  3964 | 19FF.exe
  3308 | minecraftPorable.exe
  3988 | C51.exe
  1804 | 1D4C.exe
  3768 | svchost.com
  2636 | svchost.com
  3868 | 1D4C.exe
  3708 | svchost.com
  500 | svchost.com
  4012 | svchost.com
  2332 | leakless.exe
  2252 | svchost.com
  2616 | svchost.com
  1456 | 9543_1~1.EXE
  2884 | svchost.com
  2704 | svchost.com
  1528 | tkools.exe
  4068 | 3123.exe
  4484 | svchost.com
Modifies Windows Firewall (1 TTPs)

Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\3123.exe | vmprotect
  C:\Users\Admin\AppData\Local\Temp\3123.exe | vmprotect
  behavioral1/memory/4068-296-0x00000000012E0000-0x0000000001D9A000-memory.dmp | vmprotect
Deletes itself (1 IoC)
Processes:
  pid | process
  3040 |
Loads dropped DLL (3 IoCs)
Processes:
  pid | process
  3240 | FBE3.exe
  3240 | FBE3.exe
  3240 | FBE3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid | process
  4068 | 3123.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description | pid | process | target process
  PID 68 set thread context of 3712 | 68 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  PID 2080 set thread context of 3036 | 2080 | EACA.exe | EACA.exe
  PID 1160 set thread context of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 1140 set thread context of 3988 | 1140 | C51.exe | C51.exe
Drops file in Program Files directory (64 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | svchost.com
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | 19FF.exe
  File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | svchost.com
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | svchost.com
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | svchost.com
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | svchost.com
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
  File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | svchost.com
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | svchost.com
  File opened for modification | C:\PROGRA~3\9543_1~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | svchost.com
  File opened for modification | C:\PROGRA~3\9543_1~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~3\9543_1~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | svchost.com
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~3\9543_1~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | svchost.com
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | 19FF.exe
  File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | 19FF.exe
  File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | svchost.com
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | svchost.com
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | svchost.com
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | svchost.com
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | 19FF.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
  File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | svchost.com
  File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | svchost.com
  File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | svchost.com
Drops file in Windows directory (23 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | 1D4C.exe
  File opened for modification | C:\Windows\svchost.com | 1D4C.exe
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | 19FF.exe
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
Launches sc.exe
Sc.exe is a Windows utility for controlling services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 942D.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | EACA.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | EACA.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 942D.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | EACA.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 942D.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | FBE3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FBE3.exe
Delays execution with timeout.exe (1 IoC)
Processes:
  pid | process
  4604 | timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
GoLang User-Agent (1 IoC)
Uses the default user-agent string defined by the Go HTTP packages.
Processes:
  description | flow | ioc
  HTTP User-Agent header | 103 | Go-http-client/1.1
Kills process with taskkill (1 IoC)
Processes:
  pid | process
  4696 | taskkill.exe
Modifies registry class (6 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 19FF.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | 78.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | 1D4C.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | 1D4C.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | 9543_1~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | FBE3.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  3712 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  3712 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
  3040 |
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  3040 |
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
  pid | process
  3712 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  2904 | 942D.exe
  3036 | EACA.exe
  3040 |
  3040 |
  3040 |
  3040 |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes:
  pid | process
  2076 | chrome.exe
  2076 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeDebugPrivilege | 1160 | 4EE.exe
  Token: SeDebugPrivilege | 1140 | C51.exe
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeDebugPrivilege | 3868 | 1D4C.exe
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
  Token: SeCreatePagefilePrivilege | 3040 |
  Token: SeShutdownPrivilege | 3040 |
Suspicious use of FindShellTrayWindow (27 IoCs)
Processes:
  pid | process
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid | process
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
  2076 | chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 68 wrote to memory of 3712 | 68 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  PID 68 wrote to memory of 3712 | 68 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  PID 68 wrote to memory of 3712 | 68 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  PID 68 wrote to memory of 3712 | 68 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  PID 68 wrote to memory of 3712 | 68 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  PID 68 wrote to memory of 3712 | 68 | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe | caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe
  PID 3040 wrote to memory of 2904 | 3040 | | 942D.exe
  PID 3040 wrote to memory of 2904 | 3040 | | 942D.exe
  PID 3040 wrote to memory of 2904 | 3040 | | 942D.exe
  PID 3040 wrote to memory of 2080 | 3040 | | EACA.exe
  PID 3040 wrote to memory of 2080 | 3040 | | EACA.exe
  PID 3040 wrote to memory of 2080 | 3040 | | EACA.exe
  PID 3040 wrote to memory of 3612 | 3040 | | F0B7.exe
  PID 3040 wrote to memory of 3612 | 3040 | | F0B7.exe
  PID 3040 wrote to memory of 3612 | 3040 | | F0B7.exe
  PID 3040 wrote to memory of 3240 | 3040 | | FBE3.exe
  PID 3040 wrote to memory of 3240 | 3040 | | FBE3.exe
  PID 3040 wrote to memory of 3240 | 3040 | | FBE3.exe
  PID 2080 wrote to memory of 3036 | 2080 | EACA.exe | EACA.exe
  PID 2080 wrote to memory of 3036 | 2080 | EACA.exe | EACA.exe
  PID 2080 wrote to memory of 3036 | 2080 | EACA.exe | EACA.exe
  PID 2080 wrote to memory of 3036 | 2080 | EACA.exe | EACA.exe
  PID 2080 wrote to memory of 3036 | 2080 | EACA.exe | EACA.exe
  PID 2080 wrote to memory of 3036 | 2080 | EACA.exe | EACA.exe
  PID 3040 wrote to memory of 2872 | 3040 | | 78.exe
  PID 3040 wrote to memory of 2872 | 3040 | | 78.exe
  PID 3040 wrote to memory of 2872 | 3040 | | 78.exe
  PID 3040 wrote to memory of 1160 | 3040 | | 4EE.exe
  PID 3040 wrote to memory of 1160 | 3040 | | 4EE.exe
  PID 3040 wrote to memory of 1160 | 3040 | | 4EE.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 3040 wrote to memory of 1140 | 3040 | | C51.exe
  PID 3040 wrote to memory of 1140 | 3040 | | C51.exe
  PID 3040 wrote to memory of 1140 | 3040 | | C51.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 3040 wrote to memory of 2096 | 3040 | | 15A9.exe
  PID 3040 wrote to memory of 2096 | 3040 | | 15A9.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 1160 wrote to memory of 4088 | 1160 | 4EE.exe | 4EE.exe
  PID 2096 wrote to memory of 2300 | 2096 | 15A9.exe | cmd.exe
  PID 2096 wrote to memory of 2300 | 2096 | 15A9.exe | cmd.exe
  PID 3040 wrote to memory of 3964 | 3040 | | 19FF.exe
  PID 3040 wrote to memory of 3964 | 3040 | | 19FF.exe
  PID 3040 wrote to memory of 3964 | 3040 | | 19FF.exe
  PID 2300 wrote to memory of 3308 | 2300 | cmd.exe | minecraftPorable.exe
  PID 2300 wrote to memory of 3308 | 2300 | cmd.exe | minecraftPorable.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 1140 wrote to memory of 3988 | 1140 | C51.exe | C51.exe
  PID 3040 wrote to memory of 1804 | 3040 | | 1D4C.exe
  PID 3040 wrote to memory of 1804 | 3040 | | 1D4C.exe
  PID 3040 wrote to memory of 1804 | 3040 | | 1D4C.exe
  PID 2872 wrote to memory of 3768 | 2872 | 78.exe | svchost.com
  PID 2872 wrote to memory of 3768 | 2872 | 78.exe | svchost.com
  PID 2872 wrote to memory of 3768 | 2872 | 78.exe | svchost.com
outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe"C:\Users\Admin\AppData\Local\Temp\caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe"C:\Users\Admin\AppData\Local\Temp\caa4d00cd9bd3b6230ecaeb012dd5fb1d1f02d78ee0ad2bf041ccded184a3482.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\942D.exeC:\Users\Admin\AppData\Local\Temp\942D.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\EACA.exeC:\Users\Admin\AppData\Local\Temp\EACA.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EACA.exeC:\Users\Admin\AppData\Local\Temp\EACA.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F0B7.exeC:\Users\Admin\AppData\Local\Temp\F0B7.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FBE3.exeC:\Users\Admin\AppData\Local\Temp\FBE3.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FBE3.exe" & exit2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\FBE3.exe & exit3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\78.exeC:\Users\Admin\AppData\Local\Temp\78.exe1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ziefile\2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /C mkdir C:\Windows\SysWOW64\ziefile\3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sgeegfbk.exe" C:\Windows\SysWOW64\ziefile\2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" create ziefile binPath= "C:\Windows\SysWOW64\ziefile\sgeegfbk.exe /d\"C:\Users\Admin\AppData\Local\Temp\78.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exeC:\Windows\System32\sc.exe create ziefile binPath= C:\Windows\SysWOW64\ziefile\sgeegfbk.exe /d\"C:\Users\Admin\AppData\Local\Temp\78.exe\" type= own start= auto DisplayName= wifi support3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" description ziefile "wifi internet conection"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exeC:\Windows\System32\sc.exe description ziefile wifi internet conection3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\sc.exe" start ziefile2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exeC:\Windows\System32\sc.exe start ziefile3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\System32\netsh.exe advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
C:\Users\Admin\AppData\Local\Temp\4EE.exeC:\Users\Admin\AppData\Local\Temp\4EE.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\4EE.exe
Command line: C:\Users\Admin\AppData\Local\Temp\4EE.exe
- Executes dropped EXE
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\C51.exe
Command line: C:\Users\Admin\AppData\Local\Temp\C51.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\C51.exe
Command line: C:\Users\Admin\AppData\Local\Temp\C51.exe
- Executes dropped EXE
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\15A9.exe
Command line: C:\Users\Admin\AppData\Local\Temp\15A9.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Windows\system32\cmd.exe
Command line: cmd /C C:\Users\Admin\AppData\Local\\minecraftPorable.exe
- Suspicious use of WriteProcessMemory
-
Process (depth 3): C:\Users\Admin\AppData\Local\minecraftPorable.exe
Command line: C:\Users\Admin\AppData\Local\\minecraftPorable.exe
- Executes dropped EXE
-
Process (depth 4): C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe
Command line: C:\Users\Admin\AppData\Local\Temp\leakless-34a05a9dc363ec03e25d5dcc5ff915d2\leakless.exe 16aa51a34690f38464409a9cef61e756 127.0.0.1:49894 "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-backgrounding-occluded-windows --disable-sync "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-features=NetworkService,NetworkServiceInProcess --disable-client-side-phishing-detection --disable-prompt-on-repost --remote-debugging-port=0 --enable-automation --use-mock-keychain --metrics-recording-only --disable-blink-features=AutomationControlled --force-color-profile=srgb --no-first-run --disable-component-extensions-with-background-pages --disable-renderer-backgrounding --disable-background-timer-throttling --disable-default-apps --disable-features=site-per-process,TranslateUI --disable-background-networking --disable-dev-shm-usage --disable-hang-monitor --disable-ipc-flooding-protection --no-startup-window --disable-breakpad --disable-popup-blocking --mute-audio
- Executes dropped EXE
-
Process (depth 5): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-backgrounding-occluded-windows --disable-sync "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-features=NetworkService,NetworkServiceInProcess --disable-client-side-phishing-detection --disable-prompt-on-repost --remote-debugging-port=0 --enable-automation --use-mock-keychain --metrics-recording-only --disable-blink-features=AutomationControlled --force-color-profile=srgb --no-first-run --disable-component-extensions-with-background-pages --disable-renderer-backgrounding --disable-background-timer-throttling --disable-default-apps --disable-features=site-per-process,TranslateUI --disable-background-networking --disable-dev-shm-usage --disable-hang-monitor --disable-ipc-flooding-protection --no-startup-window --disable-breakpad --disable-popup-blocking --mute-audio
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Process (depth 6): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ff989ad4f50,0x7ff989ad4f60,0x7ff989ad4f70
-
Process (depth 6): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,15055473378262474661,7877001145273440141,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-breakpad --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
-
Process (depth 6): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,15055473378262474661,7877001145273440141,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=2340 /prefetch:8
-
Process (depth 6): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1620,15055473378262474661,7877001145273440141,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=3036 /prefetch:1
-
Process (depth 6): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-port=0 --field-trial-handle=1620,15055473378262474661,7877001145273440141,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=4364 /prefetch:1
-
Process (depth 6): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,15055473378262474661,7877001145273440141,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=none --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=4924 /prefetch:8
-
Process (depth 6): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,15055473378262474661,7877001145273440141,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=TranslateUI,site-per-process --lang=en-US --service-sandbox-type=utility --mute-audio --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --mojo-platform-channel-handle=5320 /prefetch:8
-
Process (depth 5): C:\Windows\system32\taskkill.exe
Command line: taskkill /t /f /pid 2076
- Kills process with taskkill
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\19FF.exe
Command line: C:\Users\Admin\AppData\Local\Temp\19FF.exe
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\1D4C.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1D4C.exe
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
Process (depth 2): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\1D4C.exe"
- Executes dropped EXE
- Drops file in Windows directory
-
Process (depth 3): C:\Users\Admin\AppData\Local\Temp\3582-490\1D4C.exe
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\1D4C.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 4): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\PROGRA~3\9543_1~1.EXE"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
Process (depth 5): C:\PROGRA~3\9543_1~1.EXE
Command line: C:\PROGRA~3\9543_1~1.EXE
- Executes dropped EXE
- Modifies registry class
-
Process (depth 6): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
Process (depth 1): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\System32\cmd.exe /C move /Y C:\Users\Admin\AppData\Local\Temp\sgeegfbk.exe C:\Windows\SysWOW64\ziefile\
-
Process (depth 1): C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
Command line: C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
- Executes dropped EXE
-
Process (depth 1): C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\3123.exe
Command line: C:\Users\Admin\AppData\Local\Temp\3123.exe
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/4068-286-0x0000000000810000-0x0000000000811000-memory.dmpFilesize
4KB
-
memory/4068-287-0x0000000000820000-0x0000000000821000-memory.dmpFilesize
4KB
-
memory/4068-288-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/4068-289-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/4068-291-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/4088-174-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/4088-272-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/4088-168-0x0000000000419326-mapping.dmp
-
memory/4088-172-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/4088-281-0x0000000006210000-0x0000000006211000-memory.dmpFilesize
4KB
-
memory/4088-167-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4088-190-0x0000000005190000-0x0000000005796000-memory.dmpFilesize
6.0MB
-
memory/4088-173-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/4088-180-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/4088-176-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/4484-304-0x0000000000000000-mapping.dmp
-
memory/4560-305-0x0000000000000000-mapping.dmp
-
memory/4604-306-0x0000000000000000-mapping.dmp
-
memory/4696-309-0x0000000000000000-mapping.dmp