Analysis
max time kernel: 1450s
max time network: 1469s
platform: windows7_x64
resource: win7-20220414-en
submitted: 22-05-2022 18:18
Static task: static1
General
Target: иуеr.exe
Size: 25KB
MD5: ae72c198c0825712f203e258571c0e87
SHA1: 066ef64d5f5bb96e1714247c97aaf291907a7b3f
SHA256: 7237dd5e4e0c1f2bb79a3ede0919cddf1cac7f1095deb1070275ac4669691c65
SHA512: a48c90badd2346df3e8f1cb1807b9f22177835aba52f2718ed8bc0c00fd4f5020958fe6e8b02c23c1c7380b68c96b1ad17dee51a536a0a26e4f98598354604a1
Malware Config

Extracted
Path: C:\Users\Admin\AppData\Local\Temp\3582-490\@Please_Read_Me@.txt
Family: wannacry
Wallets: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: gay
C2: 7.tcp.eu.ngrok.io:14345
Mutex: Windows Update
Attributes:
  reg_key: Windows Update
  splitter: |Hassan|
Signatures

Detect Neshta Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\.exe | family_neshta
  C:\Users\Admin\AppData\Local\Temp\.exe | family_neshta
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Processes: .exe, EXE~1
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | .exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | EXE~1
Neshta
Malware from the Neshta family infects other executables with copies of itself in order to spread and cause damage.

Wannacry
WannaCry is a ransomware cryptoworm.

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Processes:
  resource | yara_rule
  \bonzi\clippy.exe | aspack_v212_v242
  C:\bonzi\clippy.exe | aspack_v212_v242
Executes dropped EXE (51 IoCs)
Processes:
  pid | process
  1876 | Dllhost.exe
  324 | Server.exe
  1328 | Server.exe
  604 | Server.exe
  1640 | .exe
  1108 | Server.exe
  668 | Server.exe
  2020 | Server.exe
  1904 | Server.exe
  1340 | .exe
  1660 | Server.exe
  2004 | Server.exe
  956 | Server.exe
  1732 | Server.exe
  1912 | Server.exe
  1492 | Server.exe
  684 | Server.exe
  1632 | Server.exe
  2032 | Server.exe
  1812 | Server.exe
  556 | .exe
  1808 | BonziBuddy_original.exe
  1816 | Server.exe
  2024 | .exe
  1280 | .exe
  1060 | taskdl.exe
  1756 | @WanaDecryptor@.exe
  1196 | taskse.exe
  572 | taskhsvc.exe
  1124 | reg.exe
  2004 | svchost.com
  960 | @WANAD~1.EXE
  1076 | @WanaDecryptor@.exe
  1196 | taskse.exe
  1464 | taskdl.exe
  1872 | taskse.exe
  1076 | @WanaDecryptor@.exe
  1644 | taskdl.exe
  1660 | Server.exe
  904 | svchost.com
  1608 | taskse.exe
  1096 | @WanaDecryptor@.exe
  2016 | Server.exe
  1252 | Server.exe
  1496 | svchost.com
  2004 | EXE~1
  1080 | Server.exe
  1784 | Server.exe
  1660 | svchost.com
  1036 | EXE~1
  1916 | svchost.com
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: .exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\ConvertSearch.raw.WNCRYT => C:\Users\Admin\Pictures\ConvertSearch.raw.WNCRY | .exe
  File renamed | C:\Users\Admin\Pictures\DebugFormat.tif.WNCRYT => C:\Users\Admin\Pictures\DebugFormat.tif.WNCRY | .exe
  File renamed | C:\Users\Admin\Pictures\MoveStep.tif.WNCRYT => C:\Users\Admin\Pictures\MoveStep.tif.WNCRY | .exe
  File renamed | C:\Users\Admin\Pictures\SetComplete.tif.WNCRYT => C:\Users\Admin\Pictures\SetComplete.tif.WNCRY | .exe
  File created | C:\Users\Admin\Pictures\ConvertSearch.raw.WNCRYT | .exe
  File opened for modification | C:\Users\Admin\Pictures\ConvertSearch.raw.WNCRY | .exe
  File created | C:\Users\Admin\Pictures\DebugFormat.tif.WNCRYT | .exe
  File opened for modification | C:\Users\Admin\Pictures\DebugFormat.tif.WNCRY | .exe
  File created | C:\Users\Admin\Pictures\MoveStep.tif.WNCRYT | .exe
  File opened for modification | C:\Users\Admin\Pictures\MoveStep.tif.WNCRY | .exe
  File created | C:\Users\Admin\Pictures\SetComplete.tif.WNCRYT | .exe
  File opened for modification | C:\Users\Admin\Pictures\SetComplete.tif.WNCRY | .exe
Drops startup file (3 IoCs)
Processes: Dllhost.exe, .exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Dllhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Dllhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB9F2.tmp | .exe
Loads dropped DLL (64 IoCs)
Modifies file permissions (1 TTP, 1 IoC)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: Dllhost.exe, reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | Dllhost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | Dllhost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\imwdfmkdy117 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\tasksche.exe\"" | reg.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: WScript.exe
  description | ioc | process
  File opened (read-only) | \??\H: | WScript.exe
  File opened (read-only) | \??\I: | WScript.exe
  File opened (read-only) | \??\L: | WScript.exe
  File opened (read-only) | \??\U: | WScript.exe
  File opened (read-only) | \??\X: | WScript.exe
  File opened (read-only) | \??\E: | WScript.exe
  File opened (read-only) | \??\N: | WScript.exe
  File opened (read-only) | \??\Q: | WScript.exe
  File opened (read-only) | \??\R: | WScript.exe
  File opened (read-only) | \??\Y: | WScript.exe
  File opened (read-only) | \??\Z: | WScript.exe
  File opened (read-only) | \??\A: | WScript.exe
  File opened (read-only) | \??\G: | WScript.exe
  File opened (read-only) | \??\J: | WScript.exe
  File opened (read-only) | \??\K: | WScript.exe
  File opened (read-only) | \??\S: | WScript.exe
  File opened (read-only) | \??\F: | WScript.exe
  File opened (read-only) | \??\M: | WScript.exe
  File opened (read-only) | \??\O: | WScript.exe
  File opened (read-only) | \??\P: | WScript.exe
  File opened (read-only) | \??\T: | WScript.exe
  File opened (read-only) | \??\V: | WScript.exe
  File opened (read-only) | \??\W: | WScript.exe
  File opened (read-only) | \??\B: | WScript.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: .exe, @WANAD~1.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | @WANAD~1.EXE
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (15 IoCs)
Processes: svchost.com, EXE~1, иуеr.exe, Dllhost.exe, .exe
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | EXE~1
  File created | C:\Windows\Dllhost.exe | иуеr.exe
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | EXE~1
  File opened for modification | C:\Windows\Dllhost.exe | Dllhost.exe
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | .exe
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid | process
  384 | vssadmin.exe
Modifies Internet Explorer settings
Processes: mshta.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Modifies registry class (2 IoCs)
Processes: .exe, EXE~1
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | .exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | EXE~1

Modifies registry key (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
Processes: Dllhost.exe, taskmgr.exe
  pid | process
  1876 | Dllhost.exe
  1960 | taskmgr.exe
  1088 | taskmgr.exe
  2004 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: BonziBuddy_original.exe, @WanaDecryptor@.exe, taskse.exe, @WANAD~1.EXE
  pid | process
  1808 | BonziBuddy_original.exe
  1756 | @WanaDecryptor@.exe
  1756 | @WanaDecryptor@.exe
  1196 | taskse.exe
  1196 | taskse.exe
  960 | @WANAD~1.EXE
  960 | @WANAD~1.EXE
  1076 | @WanaDecryptor@.exe
  1076 | @WanaDecryptor@.exe
  1096 | @WanaDecryptor@.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Views/modifies file attributes (1 TTP, 1 IoC)

Processes
[1] C:\Users\Admin\AppData\Local\Temp\иуеr.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\иуеr.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Dllhost.exe
      cmd: "C:\Windows\Dllhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe
        cmd: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Local\Temp\.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\scream\sound.vbs"
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\mshta.exe
            cmd: "C:\Windows\SysWOW64\mshta.exe" "C:\scream\gif.hta"
            - Modifies Internet Explorer settings
    [3] C:\Users\Admin\AppData\Local\Temp\.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\.exe"
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\.exe"
        - Executes dropped EXE
        - Loads dropped DLL
      [4] C:\bonzi\BonziBuddy_original.exe
          cmd: "C:\bonzi\BonziBuddy_original.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\.exe"
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
      [4] C:\Users\Admin\AppData\Local\Temp\3582-490\.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\3582-490\.exe"
          - Executes dropped EXE
          - Modifies extensions of user files
          - Drops startup file
          - Loads dropped DLL
          - Sets desktop wallpaper using registry
        [5] C:\Windows\SysWOW64\icacls.exe
            cmd: icacls . /grant Everyone:F /T /C /Q
            - Modifies file permissions
        [5] C:\Windows\SysWOW64\attrib.exe
            cmd: attrib +h .
            - Views/modifies file attributes
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\taskdl.exe
            cmd: taskdl.exe
            - Executes dropped EXE
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: cmd /c 138691653251802.bat
          [6] C:\Windows\SysWOW64\cscript.exe
              cmd: cscript.exe //nologo m.vbs
              - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
            cmd: @WanaDecryptor@.exe co
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\AppData\Local\Temp\3582-490\TaskData\Tor\taskhsvc.exe
              cmd: TaskData\Tor\taskhsvc.exe
              - Executes dropped EXE
              - Loads dropped DLL
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: cmd.exe /c start /b @WanaDecryptor@.exe vs
            - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
              cmd: @WanaDecryptor@.exe vs
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
              [8] C:\Windows\SysWOW64\vssadmin.exe
                  cmd: vssadmin delete shadows /all /quiet
                  - Interacts with shadow copies
              [8] C:\Windows\SysWOW64\Wbem\WMIC.exe
                  cmd: wmic shadowcopy delete
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\taskse.exe
            cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
            cmd: @WanaDecryptor@.exe
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "imwdfmkdy117" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\3582-490\tasksche.exe\"" /f
          [6] C:\Windows\SysWOW64\reg.exe
              cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "imwdfmkdy117" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\3582-490\tasksche.exe\"" /f
              - Executes dropped EXE
              - Adds Run key to start application
              - Modifies registry key
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\taskdl.exe
            cmd: taskdl.exe
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\taskse.exe
            cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
            cmd: @WanaDecryptor@.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\taskdl.exe
            cmd: taskdl.exe
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\taskse.exe
            cmd: taskse.exe C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\3582-490\@WanaDecryptor@.exe
            cmd: @WanaDecryptor@.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\EXE~1"
        - Executes dropped EXE
        - Drops file in Windows directory
      [4] C:\Users\Admin\AppData\Local\Temp\EXE~1
          cmd: C:\Users\Admin\AppData\Local\Temp\EXE~1
          - Executes dropped EXE
    [3] C:\Windows\svchost.com
        cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\EXE~1"
        - Executes dropped EXE
        - Drops file in Windows directory
      [4] C:\Users\Admin\AppData\Local\Temp\EXE~1
          cmd: C:\Users\Admin\AppData\Local\Temp\EXE~1
          - Modifies system executable filetype association
          - Executes dropped EXE
          - Drops file in Windows directory
          - Modifies registry class
[1] C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {DD319580-5E04-4A7F-ACFD-0EA5AEB4A4AF} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
      cmd: C:\Users\Admin\AppData\Local\Temp/Server.exe
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp/Server.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5641⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Public\Desktop\@WANAD~1.EXE"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Public\Desktop\@WANAD~1.EXEC:\Users\Public\Desktop\@WANAD~1.EXE2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /41⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\taskmgr.exeC:\Windows\system32\taskmgr.exe /42⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /41⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\taskmgr.exeC:\Windows\system32\taskmgr.exe /42⤵
- Suspicious behavior: GetForegroundWindowSpam
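Two registry changes in the tree above are worth turning into a host check: the Run value imwdfmkdy117 that points WannaCry's tasksche.exe at a drop directory under %TEMP%, and the "Modifies system executable filetype association" tag on EXE~1, which is Neshta rewriting HKLM\SOFTWARE\Classes\exefile\shell\open\command so that every .exe launch is routed through C:\Windows\svchost.com. That rewrite is why the later taskmgr.exe and @WANAD~1.EXE launches sit under svchost.com, and why taskmgr.exe then shows up from SysWOW64: the 32-bit svchost.com starts it under WoW64 file-system redirection. The script below is an added example, not part of the sandbox report or of any tool it names. It audits `reg query` text so it can run offline against output captured from a host or a forensic image; the embedded sample is constructed (the hijacked handler and the imwdfmkdy117 row mirror this report, the Sidebar and "Example Tray" rows are benign filler), and the stock handler value `"%1" %*` is the Windows default.

```python
"""Audit `reg query` output for the two persistence changes recorded in the
process tree: an exefile handler that no longer reads '"%1" %*' (Neshta's
svchost.com hijack) and Run-key entries whose target sits in a temp or public
directory (WannaCry's tasksche.exe under the 3582-490 directory in %TEMP%).
Pure text processing, so it runs offline against captured output."""
import re

STOCK_EXEFILE_COMMAND = '"%1" %*'

# Directories an autorun entry should never point into; matched case-insensitively
# against the resolved executable path.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "%temp%\\",
    "%tmp%\\",
)

# Constructed sample in the layout `reg query <key>` prints: an unindented key
# header followed by 4-space-indented "name    type    data" rows. The hijacked
# handler and the imwdfmkdy117 value mirror this report; the other rows are
# benign filler invented for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    (Default)    REG_SZ    C:\Windows\svchost.com "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sidebar    REG_EXPAND_SZ    %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
    Example Tray    REG_SZ    "C:\Program Files\Example\tray.exe" /background
    imwdfmkdy117    REG_SZ    "C:\Users\Admin\AppData\Local\Temp\3582-490\tasksche.exe"
"""


def parse_reg_query(text):
    """Map each key header to its [(value_name, value_type, data), ...] rows."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # key headers are flush left
            current = raw.strip()
            keys[current] = []
            continue
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if current is not None and len(parts) == 3:
            keys[current].append(tuple(parts))
    return keys


def exefile_handler_is_hijacked(command):
    """True unless the handler is exactly the stock value. Anything prepended to
    "%1" runs on every .exe launch, which is how svchost.com becomes the parent
    of taskmgr.exe in the tree above."""
    return command.strip() != STOCK_EXEFILE_COMMAND


def executable_of(data):
    """Extract the program path from a Run value (quoted or bare, with or without arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def run_value_is_suspicious(data):
    """Autorun targets under temp or public directories are dropper territory."""
    exe = executable_of(data).lower()
    return any(marker in exe for marker in SUSPICIOUS_DIRS)


def audit(reg_text):
    """Return [(key, value_name, data, reason), ...] for every row that fails a check."""
    findings = []
    for key, rows in parse_reg_query(reg_text).items():
        k = key.lower()
        for name, _vtype, data in rows:
            if k.endswith("\\classes\\exefile\\shell\\open\\command") and name == "(Default)":
                if exefile_handler_is_hijacked(data):
                    findings.append((key, name, data, "exefile handler rewritten; every .exe launch passes through it"))
            elif "\\currentversion\\run" in k and run_value_is_suspicious(data):
                findings.append((key, name, data, "autorun target lives in a temp/public directory"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE_REG_QUERY):
        print(f"[!] {key}\n    {name} = {data}\n    {reason}")
```

On a live host, feed it the output of `reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command"` and `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` (add the HKCU and RunOnce keys for completeness); the audit flags on path location only, so a Run entry that points at a signed binary in a temp directory is still reported, which is the conservative choice for a triage pass.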
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
  - Change Default File Association (1)
  - Registry Run Keys / Startup Folder (1)
  - Scheduled Task (1)
  - Hidden Files and Directories (1)
Defense Evasion
  - Modify Registry (5)
  - File Deletion (2)
  - File Permissions Modification (1)
  - Hidden Files and Directories (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\.exe
  Filesize: 54.9MB
  MD5: b1940cff31a3a1f51d6eb4492657be9b
  SHA1: 2562282b0538fb8647621b29435d19c757d7b309
  SHA256: 556444ff1fee8aa32d1418c409535909c3c0cb0adaa87488ca0c03ee3b5e8006
  SHA512: 81b6d263dfe65ccc702bcb85feee6c1f1c78c4a2cb62c3a52c6dd520511297d773fa4dca471132df1f1e3fd1a6fb00851ec4670c48df44572990553f54f4c77c

C:\Users\Admin\AppData\Local\Temp\.exe
  Filesize: 77.8MB
  MD5: 97893da3ea0e186290435246020bf018
  SHA1: 9a898f7e782cde4d1c98793a70faf363627a1596
  SHA256: 27dcecbb8e47c6f20f54466d4f14afade78c9518f614c6555fe64b9f37efb6fd
  SHA512: ea54c3b9011e7ea3e024b88da20de7d282393455b504937e4a48e4a7f963d48391f9bd46cf31fb4ae3e63464f8d9467a48581217cf587fcee1d137e5edf6e9c8

C:\Users\Admin\AppData\Local\Temp\.exe
  Filesize: 3.4MB
  MD5: 80d2cfccef17caa46226147c1b0648e6
  SHA1: 4540c60c99594ebd49e0ede7d2070b00f5fb021b
  SHA256: 91afb972e14584bc1e23802e2b26813f57b802689fe61a540fdaf162cecd7493
  SHA512: d0c245182b1f984f244a49267ead57296002f31d4ce36102508b604f85aa32a879a80f628312e1332f04104af35da0947b3c0e0eec35385bbac7540345f8a99b

C:\Users\Admin\AppData\Local\Temp\.exe
  Filesize: 14.7MB
  MD5: 5719586f93a577d0116043fc1f5eec32
  SHA1: 239c82f2c4c7fe86ca82b0fcb0f23e3a8cfed338
  SHA256: f0b481c95d762e5dd7575a22b520f32af3a1ed83f917abf2872c5ae3825dafb7
  SHA512: 3d6c24c305cda9aeac879a165d917d2579735b2bf1948b7ec72ca22e4a2ce18ee6e7de9c55072f483711c74636400321ac4191c8b08b92188757ac463fc59695

C:\Users\Admin\AppData\Local\Temp\3582-490\.exe
  Filesize: 3.4MB
  MD5: 84c82835a5d21bbcf75a61706d8ab549
  SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
C:\Users\Admin\AppData\Local\Temp\3582-490\b.wnry
  Filesize: 1.4MB
  MD5: c17170262312f3be7027bc2ca825bf0c
  SHA1: f19eceda82973239a1fdc5826bce7691e5dcb4fb
  SHA256: d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
  SHA512: c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

C:\Users\Admin\AppData\Local\Temp\3582-490\c.wnry
  Filesize: 780B
  MD5: 8124a611153cd3aceb85a7ac58eaa25d
  SHA1: c1d5cd8774261d810dca9b6a8e478d01cd4995d6
  SHA256: 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
  SHA512: b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

C:\Users\Admin\AppData\Local\Temp\3582-490\msg\m_bulgarian.wnry
  Filesize: 46KB
  MD5: 95673b0f968c0f55b32204361940d184
  SHA1: 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
  SHA256: 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
  SHA512: 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

C:\Users\Admin\AppData\Local\Temp\3582-490\msg\m_chinese (simplified).wnry
  Filesize: 53KB
  MD5: 0252d45ca21c8e43c9742285c48e91ad
  SHA1: 5c14551d2736eef3a1c1970cc492206e531703c1
  SHA256: 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
  SHA512: 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

C:\Users\Admin\AppData\Local\Temp\3582-490\msg\m_chinese (traditional).wnry
  Filesize: 77KB
  MD5: 2efc3690d67cd073a9406a25005f7cea
  SHA1: 52c07f98870eabace6ec370b7eb562751e8067e9
  SHA256: 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
  SHA512: 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

C:\Users\Admin\AppData\Local\Temp\3582-490\msg\m_croatian.wnry
  Filesize: 38KB
  MD5: 17194003fa70ce477326ce2f6deeb270
  SHA1: e325988f68d327743926ea317abb9882f347fa73
  SHA256: 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
  SHA512: dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

C:\Users\Admin\AppData\Local\Temp\3582-490\msg\m_czech.wnry
  Filesize: 39KB
  MD5: 537efeecdfa94cc421e58fd82a58ba9e
  SHA1: 3609456e16bc16ba447979f3aa69221290ec17d0
  SHA256: 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
  SHA512: e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

C:\Users\Admin\AppData\Local\Temp\3582-490\msg\m_danish.wnry
  Filesize: 36KB
  MD5: 2c5a3b81d5c4715b7bea01033367fcb5
  SHA1: b548b45da8463e17199daafd34c23591f94e82cd
  SHA256: a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
  SHA512: 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 25KB
  MD5: ae72c198c0825712f203e258571c0e87
  SHA1: 066ef64d5f5bb96e1714247c97aaf291907a7b3f
  SHA256: 7237dd5e4e0c1f2bb79a3ede0919cddf1cac7f1095deb1070275ac4669691c65
  SHA512: a48c90badd2346df3e8f1cb1807b9f22177835aba52f2718ed8bc0c00fd4f5020958fe6e8b02c23c1c7380b68c96b1ad17dee51a536a0a26e4f98598354604a1

C:\Windows\Dllhost.exe
  Filesize: 25KB
  MD5: ae72c198c0825712f203e258571c0e87
  SHA1: 066ef64d5f5bb96e1714247c97aaf291907a7b3f
  SHA256: 7237dd5e4e0c1f2bb79a3ede0919cddf1cac7f1095deb1070275ac4669691c65
  SHA512: a48c90badd2346df3e8f1cb1807b9f22177835aba52f2718ed8bc0c00fd4f5020958fe6e8b02c23c1c7380b68c96b1ad17dee51a536a0a26e4f98598354604a1
C:\bonzi\BonziBuddy_original.exe
  Filesize: 126KB
  MD5: ff8e3bef2b1c444e59d21d5291c81d96
  SHA1: a838dc974a49dc0fad824cedcf794c8c9651d410
  SHA256: 50a65ffcb48cb6ba99ccf79d855696cfdfb28ff21d0f71666c8fae9dfedf878e
  SHA512: b872737dd5f1f114785bf948fa8018aed228be99dafd07bf850bab1a4772564f59ed2cc60faedbf3eaf84f12908e1ed2bf07a526484edc6ded0692ce575e4927

C:\bonzi\blue.exe
  Filesize: 120KB
  MD5: c3c1f4ff433df26b896deddacb5817f0
  SHA1: 45152ae046f3e2d5e274feb6a04fa6af59a68740
  SHA256: bc8f7334495c673dd646d092afdabbfb84edb5282a25d9d8b1d3ceadc019478b
  SHA512: faecab59d8ab00cead2037ee30435fffb25494b5889ac5dd003fec5f3a0244a2e450425838456ff5ef11b8c674eb85b21ca68c636cdec593bbef5ecf2aba0561

C:\bonzi\clippy.exe
  Filesize: 228KB
  MD5: 038bf1f54a35164fedb79e2319e1bc49
  SHA1: e92cdbb5bab92ea3f2d6b0f8f40a5b5df199c6a9
  SHA256: 655a8c2bed8e2d85b24525aa426e5d647f15ddfa156967d64f144c497e8c9665
  SHA512: 5928082b8fef2a491eb84ed4ba01c8428cd96425c8c2d433dc6ef80d9c0d4866bb9c20871c6d1268824e435f42526e4e1eb468fe451f0ef02710edb35c08f1c6

C:\bonzi\netscape\NAVIGA~1.EXE
  Filesize: 7.9MB
  MD5: ac9cdd36906387f84557acddb219f405
  SHA1: 2539465a3c843d70615810afc7bccb7a5929e096
  SHA256: b529c4308f6c2ffefa022bb8b4c1456778f3a15bc0634cb109436a72fa5b3aff
  SHA512: 0204726358b6a319c1c3cae7f6c67e415139fe2c99169de6bcec6029bae3299601b8d01fe804410448863361680fc74e0939bc2d91ab14adb889623c592e4250

C:\bonzi\netscape\XPICLE~1.EXE
  Filesize: 76KB
  MD5: b643add42d6f45f601eaeea2fa93f3a5
  SHA1: 502ebcbf5f228a8819c12416e1468985871966ec
  SHA256: 3f9c5a116ecea24e2e8f83132edc74d44ce3746facb854fee6f2a81011f828c8
  SHA512: ddbfb4f1057a21fea4805615ea65ad12681fb59879401a462493eea3e76dafd07c927d0d6820d72fba629693e60fe3f804e1998c9bd63704da0e3c33426a7ab6

C:\bonzi\netscape\updater.exe
  Filesize: 132KB
  MD5: b3f10bc05c5dd33be9ebe2c9b097b809
  SHA1: d4ff4292903610271830709db9605d8a6ecf2c90
  SHA256: 153b85c26c8a6158d669184629357e69418e3774115490166b18c5ecbaeca3e2
  SHA512: 11840ac48d8453fdaaa4b9114e65e076ee2222b9ace9c0a8fe896613b44f3775ab0a71776339efa116d590dabb648b51c1f7d2d370b7ea37431631872a8bc2e9

C:\bonzi\optimize.exe
  Filesize: 618KB
  MD5: 5ffeadad118403d9496653dce94300cc
  SHA1: c96574ebffd8fc82bc6b4bf40bf306b5602b38e7
  SHA256: 9bee3eb4c6544d6e69543440bec4f1f246fad1e17067bb6e8bfd6daac7ce475f
  SHA512: 76726b8a982c53cac62068a9b9531918b0230537e526f517634d14cf9459fde69303c83067cbee50b4005b9fe55108ace1a2eda980922c46925cfc8aabe59e3c

C:\scream\gif.hta
  Filesize: 1KB
  MD5: 74e44289c376074367616125c02c3dde
  SHA1: 2564f2335abd6e8beff609734f222e8d1071524f
  SHA256: 306e5356eddaf0f9c3a81435bb3649adfad37f0dc78bc6d7d495c19977ee874f
  SHA512: ff1aa8c4c7b8f3aff603bfbe99382bf7f8b1e2536fa47b480ca1bb4a68752d319d6fac4b8d70e75e61fbb13aa2340b1ba90f1dbe38e6895278bf8c0fcea64598

C:\scream\sound.mp3
  Filesize: 371KB
  MD5: d2f68278782d53444009c6b840c3fab2
  SHA1: df5772a086c57c644708fb09daa5ed0b49d8b277
  SHA256: 77fbbaa29ef9163a352a57a48d2cbbb35f499a51545e257846d809639262d09c
  SHA512: aab55a72136bfb37d8174b499dc76e2c7321c67bc5187c117def1b50caab72bf969e7d117887569bb8a5ec9ac8dc3cb50a4bbac10fc223645cc3677d1c70f568

C:\scream\sound.vbs
  Filesize: 310B
  MD5: f96daee32c46bdc2cf56072569fd556b
  SHA1: 9d45104e279c7866b65d6cb1775f6612d23c0863
  SHA256: 6cbf377b3b2369be137810746491e2f1044f7a53d6a3090646592b6cb77eacca
  SHA512: 4aae0071250ec569ba1274fd012c407707d39b4b8e3fd0a23406eccdb0a866aa833634f7529101f81b250a0961142b54733e0b8370f5741fe48068f384f79dae

C:\scream\tenor.gif
  Filesize: 14.1MB
  MD5: f6d57210f7d5c4c0bf5d857c375e618b
  SHA1: 404e56949c04eb815d8c1403ab5ba166e2b2f095
  SHA256: f9663446ed05d86f44344f48e228e0623baaa223097b23ff064ee0287fdea92f
  SHA512: 672bea0743d91027b2a5a3238ea5fe4f76746681b422de14c02fbca6778534a7cb0ab244c4cd3043de895442f072d043021797c43c5d8413032494bafc94bfd9
\Users\Admin\AppData\Local\Temp\3582-490\.exe
  Filesize: 3.4MB
  MD5: 84c82835a5d21bbcf75a61706d8ab549
  SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

\bonzi\BonziBuddy_original.exe
  Filesize: 126KB
  MD5: ff8e3bef2b1c444e59d21d5291c81d96
  SHA1: a838dc974a49dc0fad824cedcf794c8c9651d410
  SHA256: 50a65ffcb48cb6ba99ccf79d855696cfdfb28ff21d0f71666c8fae9dfedf878e
  SHA512: b872737dd5f1f114785bf948fa8018aed228be99dafd07bf850bab1a4772564f59ed2cc60faedbf3eaf84f12908e1ed2bf07a526484edc6ded0692ce575e4927

\bonzi\blue.exe
  Filesize: 120KB
  MD5: c3c1f4ff433df26b896deddacb5817f0
  SHA1: 45152ae046f3e2d5e274feb6a04fa6af59a68740
  SHA256: bc8f7334495c673dd646d092afdabbfb84edb5282a25d9d8b1d3ceadc019478b
  SHA512: faecab59d8ab00cead2037ee30435fffb25494b5889ac5dd003fec5f3a0244a2e450425838456ff5ef11b8c674eb85b21ca68c636cdec593bbef5ecf2aba0561

\bonzi\clippy.exe
  Filesize: 228KB
  MD5: 038bf1f54a35164fedb79e2319e1bc49
  SHA1: e92cdbb5bab92ea3f2d6b0f8f40a5b5df199c6a9
  SHA256: 655a8c2bed8e2d85b24525aa426e5d647f15ddfa156967d64f144c497e8c9665
  SHA512: 5928082b8fef2a491eb84ed4ba01c8428cd96425c8c2d433dc6ef80d9c0d4866bb9c20871c6d1268824e435f42526e4e1eb468fe451f0ef02710edb35c08f1c6

\bonzi\netscape\NAVIGA~1.EXE
  Filesize: 7.9MB
  MD5: ac9cdd36906387f84557acddb219f405
  SHA1: 2539465a3c843d70615810afc7bccb7a5929e096
  SHA256: b529c4308f6c2ffefa022bb8b4c1456778f3a15bc0634cb109436a72fa5b3aff
  SHA512: 0204726358b6a319c1c3cae7f6c67e415139fe2c99169de6bcec6029bae3299601b8d01fe804410448863361680fc74e0939bc2d91ab14adb889623c592e4250

\bonzi\netscape\XPICLE~1.EXE
  Filesize: 76KB
  MD5: b643add42d6f45f601eaeea2fa93f3a5
  SHA1: 502ebcbf5f228a8819c12416e1468985871966ec
  SHA256: 3f9c5a116ecea24e2e8f83132edc74d44ce3746facb854fee6f2a81011f828c8
  SHA512: ddbfb4f1057a21fea4805615ea65ad12681fb59879401a462493eea3e76dafd07c927d0d6820d72fba629693e60fe3f804e1998c9bd63704da0e3c33426a7ab6

\bonzi\netscape\updater.exe
  Filesize: 132KB
  MD5: b3f10bc05c5dd33be9ebe2c9b097b809
  SHA1: d4ff4292903610271830709db9605d8a6ecf2c90
  SHA256: 153b85c26c8a6158d669184629357e69418e3774115490166b18c5ecbaeca3e2
  SHA512: 11840ac48d8453fdaaa4b9114e65e076ee2222b9ace9c0a8fe896613b44f3775ab0a71776339efa116d590dabb648b51c1f7d2d370b7ea37431631872a8bc2e9

\bonzi\optimize.exe
  Filesize: 618KB
  MD5: 5ffeadad118403d9496653dce94300cc
  SHA1: c96574ebffd8fc82bc6b4bf40bf306b5602b38e7
  SHA256: 9bee3eb4c6544d6e69543440bec4f1f246fad1e17067bb6e8bfd6daac7ce475f
  SHA512: 76726b8a982c53cac62068a9b9531918b0230537e526f517634d14cf9459fde69303c83067cbee50b4005b9fe55108ace1a2eda980922c46925cfc8aabe59e3c
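The listing above is keyed by drop path, so one set of bytes recurs under several names (Server.exe and C:\Windows\Dllhost.exe share one set of hashes; the 3582-490\.exe payload carries the widely published WannaCry SHA-256). As an added example, not part of the report or of any tool it names, the following Python builds an IOC set keyed by SHA-256 so that each distinct file becomes a single indicator that remembers every path it was written to, then matches files, raw bytes, or any of the four digest types against it. The embedded excerpt is constructed from four entries copied from the listing; the parser accepts both the "Label: value" layout used here and the raw sandbox export's fused "MD5<hex>" layout, and it needs only the standard library.

```python
"""Turn a dropped-file listing into a deduplicated IOC set keyed by SHA-256 and
match files or digests against it: one indicator per distinct file content,
remembering every path the sandbox saw those bytes written to."""
import hashlib
import re
import sys
from dataclasses import dataclass, field

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# "MD5: <hex>" as laid out in the listing, or "MD5<hex>" as the raw export fuses it.
LABELLED = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512):?\s*(\S.*)$")
BARE_SIZE = re.compile(r"^\d+(?:\.\d+)?\s*[KMG]?B$")

# Constructed excerpt: four entries copied from the listing above; the first
# two describe the same bytes at different paths.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 25KB
  MD5: ae72c198c0825712f203e258571c0e87
  SHA1: 066ef64d5f5bb96e1714247c97aaf291907a7b3f
  SHA256: 7237dd5e4e0c1f2bb79a3ede0919cddf1cac7f1095deb1070275ac4669691c65
  SHA512: a48c90badd2346df3e8f1cb1807b9f22177835aba52f2718ed8bc0c00fd4f5020958fe6e8b02c23c1c7380b68c96b1ad17dee51a536a0a26e4f98598354604a1

C:\Windows\Dllhost.exe
  Filesize: 25KB
  MD5: ae72c198c0825712f203e258571c0e87
  SHA1: 066ef64d5f5bb96e1714247c97aaf291907a7b3f
  SHA256: 7237dd5e4e0c1f2bb79a3ede0919cddf1cac7f1095deb1070275ac4669691c65
  SHA512: a48c90badd2346df3e8f1cb1807b9f22177835aba52f2718ed8bc0c00fd4f5020958fe6e8b02c23c1c7380b68c96b1ad17dee51a536a0a26e4f98598354604a1

C:\Users\Admin\AppData\Local\Temp\3582-490\.exe
  Filesize: 3.4MB
  MD5: 84c82835a5d21bbcf75a61706d8ab549
  SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

C:\Users\Admin\AppData\Local\Temp\3582-490\b.wnry
  Filesize: 1.4MB
  MD5: c17170262312f3be7027bc2ca825bf0c
  SHA1: f19eceda82973239a1fdc5826bce7691e5dcb4fb
  SHA256: d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
  SHA512: c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
"""


@dataclass
class Ioc:
    sha256: str
    md5: str
    sha1: str
    sha512: str
    size: str
    paths: set = field(default_factory=set)


def _blocks(text):
    """Yield the non-empty lines of each entry; entries end at a blank line or a lone '-'."""
    block = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):
            if block:
                yield block
            block = []
        else:
            block.append(line)
    if block:
        yield block


def parse_listing(text):
    """Return {sha256: Ioc}. Entries without digests (memory-dump names, say) are
    skipped; a digest of the wrong length raises, because that means the export
    was mangled rather than merely reformatted."""
    iocs = {}
    for lines in _blocks(text):
        path, size, digests = lines[0], None, {}
        if path.endswith("Filesize"):            # raw export fuses the label onto the path
            path = path[: -len("Filesize")]
        for line in lines[1:]:
            m = LABELLED.match(line)
            if m and m.group(1) == "Filesize":
                size = m.group(2)
            elif m:
                digests[m.group(1)] = m.group(2).lower()
            elif BARE_SIZE.match(line):          # raw export: size on its own line
                size = line
        if not digests:
            continue
        missing = set(DIGEST_LEN) - set(digests)
        if missing:
            raise ValueError(f"{path}: missing {sorted(missing)}")
        for label, hexval in digests.items():
            if len(hexval) != DIGEST_LEN[label] or not re.fullmatch(r"[0-9a-f]+", hexval):
                raise ValueError(f"{path}: {label} is not {DIGEST_LEN[label]} hex digits")
        ioc = iocs.setdefault(
            digests["SHA256"],
            Ioc(digests["SHA256"], digests["MD5"], digests["SHA1"], digests["SHA512"], size),
        )
        ioc.paths.add(path)
    return iocs


def match_digest(iocs, hexdigest):
    """Look up a digest of any of the four kinds; returns the Ioc or None."""
    h = hexdigest.strip().lower()
    for ioc in iocs.values():
        if h in (ioc.md5, ioc.sha1, ioc.sha256, ioc.sha512):
            return ioc
    return None


def match_bytes(iocs, data):
    return iocs.get(hashlib.sha256(data).hexdigest())


def match_file(iocs, path, chunk=1 << 20):
    """Stream the file so large candidates need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return iocs.get(h.hexdigest())


if __name__ == "__main__":
    iocs = parse_listing(REPORT_EXCERPT)
    for ioc in iocs.values():
        print(f"{ioc.sha256}  {ioc.size:>6}  {sorted(ioc.paths)}")
    for candidate in sys.argv[1:]:          # any files given on the command line
        hit = match_file(iocs, candidate)
        print(f"{candidate}: {'MATCH, reported as ' + sorted(hit.paths)[0] if hit else 'no match'}")
```

Keying on SHA-256 rather than on path is what makes the Server.exe copies and C:\Windows\Dllhost.exe collapse into one indicator; the MD5 and SHA-1 values are kept only so that digests published elsewhere in those forms can still be looked up, not as a basis for identity.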
memory/324-62-0x0000000000000000-mapping.dmp
memory/324-65-0x0000000000EF0000-0x0000000000EF8000-memory.dmp (32KB)
memory/324-66-0x00000000003D0000-0x00000000003E2000-memory.dmp (72KB)
memory/384-202-0x0000000000000000-mapping.dmp
memory/556-130-0x0000000000000000-mapping.dmp
memory/572-209-0x0000000071F80000-0x000000007219C000-memory.dmp (2.1MB)
memory/572-208-0x0000000072240000-0x00000000722C2000-memory.dmp (520KB)
memory/572-197-0x0000000071F80000-0x000000007219C000-memory.dmp (2.1MB)
memory/572-194-0x0000000000000000-mapping.dmp
memory/572-199-0x0000000071EC0000-0x0000000071EE2000-memory.dmp (136KB)
memory/572-198-0x0000000071EF0000-0x0000000071F72000-memory.dmp (520KB)
memory/572-200-0x0000000000150000-0x000000000044E000-memory.dmp (3.0MB)
memory/572-196-0x0000000072240000-0x00000000722C2000-memory.dmp (520KB)
memory/572-212-0x0000000000150000-0x000000000044E000-memory.dmp (3.0MB)
memory/572-211-0x0000000071EC0000-0x0000000071EE2000-memory.dmp (136KB)
memory/572-210-0x0000000071EF0000-0x0000000071F72000-memory.dmp (520KB)
memory/604-70-0x0000000000000000-mapping.dmp
memory/668-87-0x0000000000000000-mapping.dmp
memory/684-121-0x0000000000940000-0x0000000000948000-memory.dmp (32KB)
memory/684-187-0x0000000000000000-mapping.dmp
memory/684-119-0x0000000000000000-mapping.dmp
memory/956-108-0x0000000000000000-mapping.dmp
memory/960-206-0x0000000000000000-mapping.dmp
memory/1036-242-0x0000000000000000-mapping.dmp
memory/1052-54-0x0000000000360000-0x0000000000368000-memory.dmp (32KB)
memory/1052-56-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp (8KB)
memory/1052-55-0x0000000000480000-0x0000000000492000-memory.dmp (72KB)
memory/1060-185-0x0000000000000000-mapping.dmp
memory/1076-220-0x0000000000000000-mapping.dmp
memory/1076-214-0x0000000000000000-mapping.dmp
memory/1080-237-0x0000000000000000-mapping.dmp
memory/1080-238-0x00000000013C0000-0x00000000013C8000-memory.dmp (32KB)
memory/1088-226-0x0000000000000000-mapping.dmp
memory/1096-190-0x0000000000000000-mapping.dmp
memory/1096-229-0x0000000000000000-mapping.dmp
memory/1108-85-0x0000000000000000-mapping.dmp
memory/1124-204-0x0000000000000000-mapping.dmp
memory/1124-217-0x0000000000000000-mapping.dmp
memory/1196-213-0x0000000000000000-mapping.dmp
memory/1196-192-0x0000000000000000-mapping.dmp
memory/1252-232-0x0000000000000000-mapping.dmp
memory/1252-233-0x0000000001190000-0x0000000001198000-memory.dmp (32KB)
memory/1280-154-0x0000000000000000-mapping.dmp
memory/1280-172-0x0000000010000000-0x0000000010010000-memory.dmp (64KB)
memory/1328-68-0x0000000000000000-mapping.dmp
memory/1340-98-0x0000000000000000-mapping.dmp
memory/1448-169-0x0000000000000000-mapping.dmp
memory/1464-218-0x0000000000000000-mapping.dmp
memory/1492-118-0x0000000000030000-0x0000000000038000-memory.dmp (32KB)
memory/1492-116-0x0000000000000000-mapping.dmp
memory/1496-234-0x0000000000000000-mapping.dmp
memory/1564-82-0x00000000749A0000-0x0000000074CB2000-memory.dmp (3.1MB)
memory/1564-76-0x0000000000000000-mapping.dmp
memory/1568-201-0x0000000000000000-mapping.dmp
memory/1608-228-0x0000000000000000-mapping.dmp
memory/1632-122-0x0000000000000000-mapping.dmp
memory/1640-74-0x00000000763E1000-0x00000000763E3000-memory.dmp (8KB)
memory/1640-72-0x0000000000000000-mapping.dmp
memory/1644-222-0x0000000000000000-mapping.dmp
memory/1660-240-0x0000000000000000-mapping.dmp
memory/1660-224-0x0000000000250000-0x0000000000262000-memory.dmp (72KB)
memory/1660-102-0x0000000000000000-mapping.dmp
memory/1660-223-0x0000000000000000-mapping.dmp
memory/1660-104-0x0000000000C20000-0x0000000000C28000-memory.dmp (32KB)
memory/1684-186-0x0000000000000000-mapping.dmp
memory/1704-81-0x0000000000000000-mapping.dmp
memory/1732-111-0x0000000000000000-mapping.dmp
memory/1740-203-0x0000000000000000-mapping.dmp
memory/1756-189-0x0000000000000000-mapping.dmp
memory/1784-239-0x0000000000000000-mapping.dmp
memory/1808-146-0x0000000000400000-0x000000000046F000-memory.dmp (444KB)
memory/1808-139-0x0000000000000000-mapping.dmp
memory/1808-142-0x0000000000400000-0x000000000046F000-memory.dmp (444KB)
memory/1812-127-0x0000000000000000-mapping.dmp
memory/1812-129-0x0000000000CF0000-0x0000000000CF8000-memory.dmp (32KB)
memory/1816-147-0x0000000000000000-mapping.dmp
memory/1864-170-0x0000000000000000-mapping.dmp
memory/1872-219-0x0000000000000000-mapping.dmp
memory/1876-60-0x0000000001110000-0x0000000001118000-memory.dmp (32KB)
memory/1876-67-0x000000001AB80000-0x000000001AB8A000-memory.dmp (40KB)
memory/1876-101-0x0000000000C50000-0x0000000000C5E000-memory.dmp (56KB)
memory/1876-57-0x0000000000000000-mapping.dmp
memory/1904-96-0x00000000001A0000-0x00000000001A8000-memory.dmp (32KB)
memory/1904-94-0x0000000000000000-mapping.dmp
memory/1904-97-0x0000000000250000-0x0000000000262000-memory.dmp (72KB)
memory/1912-115-0x0000000000240000-0x0000000000252000-memory.dmp (72KB)
memory/1912-113-0x0000000000000000-mapping.dmp
memory/1960-215-0x0000000000000000-mapping.dmp
memory/1960-90-0x0000000000480000-0x0000000000490000-memory.dmp (64KB)
memory/2004-107-0x00000000012A0000-0x00000000012A8000-memory.dmp (32KB)
memory/2004-105-0x0000000000000000-mapping.dmp
memory/2004-236-0x0000000000000000-mapping.dmp
memory/2004-245-0x0000000000000000-mapping.dmp
memory/2016-231-0x0000000000000000-mapping.dmp
memory/2020-93-0x00000000000C0000-0x00000000000C8000-memory.dmp (32KB)
memory/2020-91-0x0000000000000000-mapping.dmp
memory/2024-149-0x0000000000000000-mapping.dmp
memory/2032-124-0x0000000000000000-mapping.dmp
memory/2032-126-0x0000000000340000-0x0000000000348000-memory.dmp (32KB)
memory/2040-61-0x0000000000000000-mapping.dmp