Analysis
-
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 10:31
Behavioral task: behavioral1
Sample: f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
Resource: win7-20220812-en
(The behavioral1 entry is the companion Windows 7 task for the same sample. The results on this page come from the windows10-2004_x64 run; the memory-dump paths in the Signatures section are prefixed behavioral2.)
General
-
Target: f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
Size: 2.0MB
MD5: 27c16af0dc1ca5114f02274e888859d3
SHA1: 4dd821ebcb09acbfd94178e36f120b761362b4a3
SHA256: f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975
SHA512: cea40e3fcf7cad69a9cb0aff50b3b6df65a499ce12ba883558a00aebb4e46a7ebc768dc44cb42315e9fe27755865ee313edc81b2157012c174de9076c46b54ab
SSDEEP: 24576:CzGZ0XTB9109be930wzdHkh6wFXRDZEZnTuZOklkQQfn+3CvzuvUBMclcLSwU:CaSB910Q3LzdHEPqZ+OzsSSvUmMcWwU
Malware Config
Extracted
Family: pony
C2: http://coc.zz.vc/gate.php
Extracted
Family: cybergate
Version: 2.6
Botnet: VLC
C2: ligtv.mooo.com:83
Mutex: ***MUTEX***
Attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: java
install_file: update.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem (Portuguese: "message text")
message_box_title: título da mensagem (Portuguese: "message title")
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
The CyberGate settings line up with the artefacts recorded further down: install_dir and install_file give the dropped C:\Program Files (x86)\java\update.exe, regkey_hklm and regkey_hkcu are the literal names of the Run values written by SystemFiles4.exe, and injected_process matches the repeated WriteProcessMemory calls from SystemFiles4.exe into Explorer.EXE.
Signatures
-
UAC bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SystemFiles2.exe
-
Windows security bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | SystemFiles2.exe
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe | WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe | WebBrowserPassView
-
Nirsoft 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe | Nirsoft
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | SystemFiles4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\java\\update.exe" | SystemFiles4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | SystemFiles4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\java\\update.exe" | SystemFiles4.exe
-
Executes dropped EXE 8 IoCs
Processes:
pid | process
2144 | SystemFiles1.exe
4388 | SystemFiles2.exe
756 | SystemFiles3.exe
4876 | SystemFiles4.exe
4796 | SystemFiles5.exe
3924 | NFWCHK.exe
3460 | SystemFiles4.exe
616 | update.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG} | SystemFiles4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG}\StubPath = "C:\\Program Files (x86)\\java\\update.exe Restart" | SystemFiles4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG}\StubPath = "C:\\Program Files (x86)\\java\\update.exe" | explorer.exe
-
UPX packed file (yara rule: upx) 9 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4876-160-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/4876-165-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4224-168-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4224-172-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4876-174-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
behavioral2/memory/4876-180-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3460-183-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3460-186-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/3460-188-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | SystemFiles2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | SystemFiles4.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
3152 | regsvr32.exe
4388 | SystemFiles2.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | SystemFiles2.exe
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | SystemFiles3.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | SystemFiles3.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\msdcsc.exe\"" | SystemFiles2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | SystemFiles2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\msdcsc.exe\"" | SystemFiles2.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | SystemFiles4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\java\\update.exe" | SystemFiles4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | SystemFiles4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\java\\update.exe" | SystemFiles4.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SystemFiles2.exe
Two separate autostarts are set up here: SystemFiles2.exe registers a "Google Update" value pointing at msdcsc.exe in the user's Roaming profile, and SystemFiles4.exe registers values literally named HKLM and HKCU (the regkey_hklm/regkey_hkcu strings from the CyberGate config) pointing at the update.exe copy in Program Files (x86)\java.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SystemFiles2.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | bot.whatismyipaddress.com
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\MSWINSCK.OCX | SystemFiles2.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\java\update.exe | SystemFiles4.exe
File opened for modification | C:\Program Files (x86)\java\update.exe | SystemFiles4.exe
File opened for modification | C:\Program Files (x86)\java\update.exe | SystemFiles4.exe
File opened for modification | C:\Program Files (x86)\java\ | SystemFiles4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that reading, and for a sample carrying Pony and CyberGate configs drive enumeration is more consistent with the credential and file harvesting recorded in the other signatures.
-
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1424 | 616 | WerFault.exe | update.exe
-
Modifies registry class 64 IoCs
Processes:
All 64 entries are regsvr32.exe registering the Microsoft Winsock Control 6.0 (MSWINSCK.OCX, CLSID {248DD896-BB45-11CF-9ABC-0080C7E7B78D}) that SystemFiles2.exe dropped into SysWOW64.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1 | regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
4876 | SystemFiles4.exe
4876 | SystemFiles4.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3460 | SystemFiles4.exe
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
description | pid | process
Token: SeImpersonatePrivilege | 756 | SystemFiles3.exe
Token: SeTcbPrivilege | 756 | SystemFiles3.exe
Token: SeChangeNotifyPrivilege | 756 | SystemFiles3.exe
Token: SeCreateTokenPrivilege | 756 | SystemFiles3.exe
Token: SeBackupPrivilege | 756 | SystemFiles3.exe
Token: SeRestorePrivilege | 756 | SystemFiles3.exe
Token: SeIncreaseQuotaPrivilege | 756 | SystemFiles3.exe
Token: SeAssignPrimaryTokenPrivilege | 756 | SystemFiles3.exe
(the eight entries above for PID 756 recur as a group throughout the list; the remaining distinct entries are:)
Token: SeBackupPrivilege | 4388 | SystemFiles2.exe
Token: SeDebugPrivilege | 2144 | SystemFiles1.exe
Token: SeDebugPrivilege | 3460 | SystemFiles4.exe
Token: SeDebugPrivilege | 3460 | SystemFiles4.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4876 | SystemFiles4.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
2592 | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
4388 | SystemFiles2.exe
4388 | SystemFiles2.exe
4796 | SystemFiles5.exe
4388 | SystemFiles2.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2592 wrote to memory of 2144 (3 entries) | 2592 | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe | SystemFiles1.exe
PID 2592 wrote to memory of 4388 (3 entries) | 2592 | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe | SystemFiles2.exe
PID 2592 wrote to memory of 756 (3 entries) | 2592 | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe | SystemFiles3.exe
PID 2592 wrote to memory of 4876 (3 entries) | 2592 | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe | SystemFiles4.exe
PID 2592 wrote to memory of 4796 (3 entries) | 2592 | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe | SystemFiles5.exe
PID 4388 wrote to memory of 3152 (3 entries) | 4388 | SystemFiles2.exe | regsvr32.exe
PID 4796 wrote to memory of 3924 (2 entries) | 4796 | SystemFiles5.exe | NFWCHK.exe
PID 4876 wrote to memory of 2152 (all remaining entries) | 4876 | SystemFiles4.exe | Explorer.EXE
The long run of writes from SystemFiles4.exe into Explorer.EXE is the injection configured by the CyberGate injected_process setting. The two or three writes into each process the sample launches itself are what process creation produces (the parent writes the new child's startup parameters into it) and are not on their own evidence of injection.
-
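The WriteProcessMemory table mixes ordinary process start-up with the one relationship that matters here (SystemFiles4.exe into Explorer.EXE), and the injected_process value in the Malware Config section gives an independent expectation to check it against. The following Python is an added example, not code from the sandbox or from the sample: it parses records in the report's own "PID A wrote to memory of B A name target" layout, collapses them into caller-to-target edges with counts, separates writes into a freshly spawned child from writes into an unrelated process, and compares the injection targets with the config. The records embedded below are a subset copied from the table above (not all 64); the parent map is read off the process tree; the child-start baseline of at most three writes is this example's own heuristic.

```python
"""Collapse the report's WriteProcessMemory records into a caller -> target edge table.

Added example; not code from the sandbox or the sample. The records below are a subset copied
from the table above (not all 64), the parent map is read off the process tree, and the
child-start baseline is this example's own heuristic.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

WPM_RE = re.compile(
    r"PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) (?P=src_pid) (?P<src>\S+) (?P<dst>\S+)"
)

# Parent PID of each child the sample launches, read from the process tree and the PIDs in the
# WriteProcessMemory records. The desktop Explorer.EXE (2152) is the root of the tree, not a child.
PARENT: Dict[str, str] = {
    "2144": "2592", "4388": "2592", "756": "2592", "4876": "2592", "4796": "2592",
    "3152": "4388", "3924": "4796",
}

# injected_process value from the CyberGate config in the Malware Config section.
CONFIG_INJECTED_PROCESS = "explorer.exe"

Edge = Tuple[str, str, str, str]   # (src_pid, src_name, dst_pid, dst_name)


def parse_records(text: str) -> List[Edge]:
    """One tuple per record; the backreference enforces the repeated caller PID in each record."""
    return [(m["src_pid"], m["src"], m["dst_pid"], m["dst"]) for m in WPM_RE.finditer(text)]


def classify(edge: Edge, count: int) -> str:
    src_pid, _, dst_pid, _ = edge
    # CreateProcess writes the new child's startup parameters into it, so a small fixed number of
    # writes from a parent into a child it just spawned is not injection. Assumed baseline: at
    # most three, which is what every launched child shows in this report.
    if PARENT.get(dst_pid) == src_pid and count <= 3:
        return "child-start"
    return "injection"


def summarise(text: str) -> List[Tuple[str, str, int, str]]:
    """(caller, target, write count, classification), busiest edge first; ties keep first-seen order."""
    counts = Counter(parse_records(text))
    rows = [(e[1], e[3], n, classify(e, n)) for e, n in counts.items()]
    return sorted(rows, key=lambda r: -r[2])


def injection_targets(text: str) -> List[str]:
    return sorted({dst.lower() for _, dst, _, kind in summarise(text) if kind == "injection"})


def matches_config(text: str) -> bool:
    """True when the observed injection target is exactly the process the config names."""
    return injection_targets(text) == [CONFIG_INJECTED_PROCESS]


# Subset of records copied from this report's WriteProcessMemory table, joined as the sandbox renders them.
SAMPLE_RECORDS = (
    "PID 2592 wrote to memory of 2144 2592 f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe SystemFiles1.exe "
    "PID 2592 wrote to memory of 2144 2592 f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe SystemFiles1.exe "
    "PID 2592 wrote to memory of 2144 2592 f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe SystemFiles1.exe "
    "PID 4388 wrote to memory of 3152 4388 SystemFiles2.exe regsvr32.exe "
    "PID 4388 wrote to memory of 3152 4388 SystemFiles2.exe regsvr32.exe "
    "PID 4388 wrote to memory of 3152 4388 SystemFiles2.exe regsvr32.exe "
    "PID 4796 wrote to memory of 3924 4796 SystemFiles5.exe NFWCHK.exe "
    "PID 4796 wrote to memory of 3924 4796 SystemFiles5.exe NFWCHK.exe "
    "PID 4876 wrote to memory of 2152 4876 SystemFiles4.exe Explorer.EXE "
    "PID 4876 wrote to memory of 2152 4876 SystemFiles4.exe Explorer.EXE "
    "PID 4876 wrote to memory of 2152 4876 SystemFiles4.exe Explorer.EXE "
    "PID 4876 wrote to memory of 2152 4876 SystemFiles4.exe Explorer.EXE "
    "PID 4876 wrote to memory of 2152 4876 SystemFiles4.exe Explorer.EXE "
)

if __name__ == "__main__":
    for caller, target, n, kind in summarise(SAMPLE_RECORDS):
        print(f"{caller[:24]:24} -> {target:18} {n:3} {kind}")
    print("injection targets match config:", matches_config(SAMPLE_RECORDS))
```

With the full 64-entry table pasted in, only the Explorer.EXE edge crosses the child-start baseline; a second target that is not in the config (or a config that names a process never written to) is the discrepancy worth chasing, since it means either a second payload or a config extractor that mis-parsed the sample.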
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SystemFiles2.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | SystemFiles3.exe
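The registry writes in the signatures above (EnableLUA and UACDisableNotify set to 0, the Policies\Explorer\Run value, the Active Setup StubPath, and the Run values) are the artefacts an analyst would hunt for on other hosts, and they appear under three spellings of the same hive (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, with and without WOW6432Node). The following Python is an added example, not code from the Triage report or from the sample: it parses IoC lines in the report's own "description ioc" layout, folds the hive spellings into one canonical form, flags the value writes that match a small rule set, pulls out the executable each autostart launches and where it lives, and checks that the Installed Components identifier is a real hexadecimal GUID (the one in this report is not). The parser, rule names, location classes and the two benign control events marked as constructed are this example's own assumptions; the other events are copied from the tables above.

```python
"""Registry-IoC matcher for the persistence and UAC-tampering writes in this report.

Added example; not code from the sandbox or the sample. The IoC line format mirrors the
"description ioc" columns above; rule names, location classes and the constructed benign
control events are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IOC_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key (?:created|deleted|opened|value queried))'
    r'\s+(?P<path>.+?)(?:\s+=\s+"(?P<data>.*)")?$'
)
EXE_QUOTED_RE = re.compile(r'^"([^"]+)"')
EXE_BARE_RE = re.compile(r'^(.+?\.exe)(?:\s|$)', re.I)
HEX_GUID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


@dataclass(frozen=True)
class Rule:
    name: str
    path_re: re.Pattern
    data: Optional[str] = None  # required value data, or None to accept any data


RULES = [
    Rule("UAC disabled (EnableLUA=0)",
         re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I), "0"),
    Rule("Security Center UAC notifications disabled",
         re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\UACDisableNotify$", re.I), "0"),
    Rule("Policies\\Explorer\\Run autostart",
         re.compile(r"^HK(?:LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\.+", re.I)),
    Rule("Active Setup StubPath",
         re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\\{[^}]+\}\\StubPath$", re.I)),
    Rule("Run key autostart",
         re.compile(r"^HK(?:LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.+", re.I)),
]


def normalise(path: str) -> str:
    """Fold the REGISTRY\\MACHINE, REGISTRY\\USER\\<SID>, HKEY_* and WOW6432Node spellings into one form."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", r"HKCU\\", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)


def unescape(data: str) -> str:
    """Undo the report's display escaping of quotes and backslashes."""
    return re.sub(r'\\(["\\])', r'\1', data)


def target_exe(data: str) -> str:
    """Executable launched by an autostart value: quoted path, or a bare path with arguments dropped."""
    m = EXE_QUOTED_RE.match(data) or EXE_BARE_RE.match(data)
    return m.group(1) if m else data


def location_class(exe: str) -> str:
    low = exe.lower()
    if low.startswith("c:\\users\\"):
        return "user-profile"    # writable without elevation
    if low.startswith("c:\\program files"):
        return "program-files"   # an unprivileged user cannot normally write here
    if low.startswith("c:\\windows\\"):
        return "system"
    return "other"


def match_event(process: str, ioc: str) -> Optional[dict]:
    m = IOC_RE.match(ioc)
    if not m or not m.group("action").startswith("Set value"):
        return None              # only value writes can set an autostart or flip a policy
    path = normalise(m.group("path"))
    data = unescape(m.group("data") or "")
    for rule in RULES:
        if rule.path_re.match(path) and (rule.data is None or data == rule.data):
            hit = {"process": process, "rule": rule.name, "path": path, "target": None, "note": None}
            if rule.data is None:    # autostart rule: record what is launched and where it lives
                exe = target_exe(data)
                hit["target"], hit["note"] = exe, location_class(exe)
            if rule.name == "Active Setup StubPath":
                component = path.split("\\")[-2]
                if not HEX_GUID_RE.fullmatch(component):   # genuine entries use CLSID-style hex GUIDs
                    hit["note"] = (hit["note"] or "") + "; non-hex component GUID"
            return hit
    return None


def scan(events: List[Tuple[str, str]]) -> List[dict]:
    return [h for h in (match_event(p, i) for p, i in events) if h]


# Events in the report's "process | ioc" layout: the first seven are copied from the tables above,
# the last two are constructed benign controls.
SAMPLE_EVENTS = [
    ("SystemFiles2.exe", r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'),
    ("SystemFiles2.exe", r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"'),
    ("SystemFiles4.exe", r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\java\\update.exe"'),
    ("SystemFiles4.exe", r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I60D8Q76-RX4N-L6KL-143G-OH436R54QBJG}\StubPath = "C:\\Program Files (x86)\\java\\update.exe Restart"'),
    ("SystemFiles2.exe", r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\msdcsc.exe\""'),
    ("SystemFiles4.exe", r'Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run'),
    ("SystemFiles4.exe", r'Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation'),
    ("setup.exe", r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"'),  # constructed
    ("svchost.exe", r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"'),  # constructed
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["process"]:18} {hit["rule"]:45} {hit["target"] or ""} {hit["note"] or ""}')
```

Run directly it prints the five hits for the embedded events; the same scan() will take registry value-set events from an endpoint telemetry source once they are rendered into the same "Set value ... = "data"" shape (an assumption about that source, not something the report shows). Key creations and queries are deliberately ignored: they carry no data and the Geo\Nation lookup is benign on its own.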
Processes
-
[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe"
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Checks computer location settings
        - Loads dropped DLL
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [4] C:\Windows\SysWOW64\regsvr32.exe
          cmd: "C:\Windows\SysWOW64\regsvr32.exe" /s MSWINSCK.OCX
          - Loads dropped DLL
          - Modifies registry class
    [3] C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_win_path
    [3] C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe"
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\explorer.exe
          cmd: explorer.exe
          - Modifies Installed Components in the registry
      [4] C:\Program Files\Internet Explorer\iexplore.exe
          cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Drops file in Program Files directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Program Files (x86)\java\update.exe
            cmd: "C:\Program Files (x86)\java\update.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 564
              - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Public\Documents\Wondershare\NFWCHK.exe
          cmd: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
          - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 616 -ip 616
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\java\update.exeFilesize
290KB
MD5f14836901e0c55968202cb3d80ed660a
SHA119201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2
SHA2567b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff
SHA512f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce
-
C:\Program Files (x86)\java\update.exeFilesize
290KB
MD5f14836901e0c55968202cb3d80ed660a
SHA119201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2
SHA2567b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff
SHA512f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce
-
C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exeFilesize
219KB
MD50b60800a42e138e4b1d93889e09ea983
SHA1c70abecd66083521d754d400a3960f2f41071769
SHA25633eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3
SHA5126a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b
-
C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
Filesize: 644KB
MD5: 59404595db8d9749dfc0af4361cb0f64
SHA1: 76b7c2ee39563c9d736abc48e3208d96ae30a547
SHA256: be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c
SHA512: 2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9
-
C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
Filesize: 81KB
MD5: 1d8194a7572393ec1c123abdaa603b08
SHA1: 6d57906c1e986dc3614b2e863320c66d28f27836
SHA256: 51bb673b478be9281b4ea14b67f97045fcce59446c8787160d3947431002fd12
SHA512: c2400f1930c4731a86e3b45d577cb23a10bda802a94f0fd7e50c059221c2ec75a49d15c7cbfdfb8eeee7c77ec76e88ae60e35a108156b328df03672e1d8daeae
-
C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
Filesize: 290KB
MD5: f14836901e0c55968202cb3d80ed660a
SHA1: 19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2
SHA256: 7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff
SHA512: f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce
-
C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
Filesize: 757KB
MD5: 7edfb48f6a937f5f3a28c822d2439ef1
SHA1: fc738054aa28a406e3cb7676594aec37cd0a96b2
SHA256: ef42c03aa7d498c830de6a434f8ffb5eed00179283a8434dc355890ccf30c048
SHA512: 41e4e01b0787c0d2e807ac84c8b0001428592b3d811f6308fa7d24194ece4d1bd5f2978c43f65c5a62f29da9ec2fe697a6bddbb181fd932a2fcf02169df34daa
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize: 229KB
MD5: 810f6f6ae01221ad752cc4f8208b6975
SHA1: 8ea3d1c787344a92cdde0b124ffbf3458f4aa9f9
SHA256: 101bdc977e963978d57df8c4a84c5444bdb3674be77503d925793afa139d9155
SHA512: fff9785096e9ca5632ea043932aaadee3b8390ff09a8c02587bbfb1b94b382449ea04434a27fc76f895ca1003aa893008b5c4bb4d4400fac89641cb840cab464
-
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
Filesize: 6KB
MD5: b0ef777a6bd0ff0fcf941e530a565572
SHA1: faae7333444748167976448512179ab57d9ae560
SHA256: bdaae5a7c2a20a34f9c975508ffe79f94e2ce7db415b32f04dd876a07620d7b3
SHA512: 04c958417f76eb74725c0c559ae00aa96fb2919ae7ee5840ba31b14537d7d17955095672b4e29353f78a37261c529510e132dc5c082281c65d021b9a3ffc8daf
-
C:\Windows\SysWOW64\MSWINSCK.OCX
Filesize: 105KB
MD5: 9484c04258830aa3c2f2a70eb041414c
SHA1: b242a4fb0e9dcf14cb51dc36027baff9a79cb823
SHA256: bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
SHA512: 9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0
-
memory/616-184-0x0000000000000000-mapping.dmp
-
memory/756-141-0x0000000000000000-mapping.dmp
-
memory/2144-187-0x0000000073C70000-0x0000000074221000-memory.dmp
Filesize: 5.7MB
-
memory/2144-158-0x0000000073C70000-0x0000000074221000-memory.dmp
Filesize: 5.7MB
-
memory/2144-189-0x0000000073C70000-0x0000000074221000-memory.dmp
Filesize: 5.7MB
-
memory/2144-134-0x0000000000000000-mapping.dmp
-
memory/3152-151-0x0000000000000000-mapping.dmp
-
memory/3460-188-0x0000000024160000-0x00000000241C2000-memory.dmp
Filesize: 392KB
-
memory/3460-178-0x0000000000000000-mapping.dmp
-
memory/3460-186-0x0000000024160000-0x00000000241C2000-memory.dmp
Filesize: 392KB
-
memory/3460-183-0x0000000024160000-0x00000000241C2000-memory.dmp
Filesize: 392KB
-
memory/3924-152-0x0000000000000000-mapping.dmp
-
memory/3924-171-0x00007FFF3B3A0000-0x00007FFF3BDD6000-memory.dmp
Filesize: 10.2MB
-
memory/4224-172-0x0000000024080000-0x00000000240E2000-memory.dmp
Filesize: 392KB
-
memory/4224-168-0x0000000024080000-0x00000000240E2000-memory.dmp
Filesize: 392KB
-
memory/4224-164-0x0000000000000000-mapping.dmp
-
memory/4388-137-0x0000000000000000-mapping.dmp
-
memory/4796-148-0x0000000000000000-mapping.dmp
-
memory/4876-174-0x00000000240F0000-0x0000000024152000-memory.dmp
Filesize: 392KB
-
memory/4876-180-0x0000000024160000-0x00000000241C2000-memory.dmp
Filesize: 392KB
-
memory/4876-145-0x0000000000000000-mapping.dmp
-
memory/4876-165-0x0000000024080000-0x00000000240E2000-memory.dmp
Filesize: 392KB
-
memory/4876-160-0x0000000024010000-0x0000000024072000-memory.dmp
Filesize: 392KB