Resubmissions
27-01-2023 19:10
230127-xvglescg25 1027-01-2023 17:57
230127-wjv41adg9z 1027-01-2023 17:47
230127-wcvjwsdg7x 10Analysis
-
max time kernel
600s -
max time network
602s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
27-01-2023 19:10
General
-
Target
Doge-Miner203.exe
-
Size
6.1MB
-
MD5
d7e6fd264bc937e3646de58e551a29db
-
SHA1
1db4664777b17e004f71cee4002f9ccc430413e4
-
SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
-
SHA512
cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
-
SSDEEP
98304:tGFp32YKbG4vUdQUbSZ/I2jeYXyxd4494Wc9f:tEMbqQ5Z/pjVifXuT
Malware Config
Extracted
darkcomet
1++Dec_Code111
dgorijan20785.hopto.org:35799
DC_MUTEX-LBKFSQL
-
gencode
5RZrbWYF4XYM
-
install
false
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
false
Extracted
darkcomet
New-July-July4-02
dgorijan20785.hopto.org:35800
DC_MUTEX-JFYU2BC
-
gencode
UkVkDi2EZxxn
-
install
false
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
false
Extracted
warzonerat
dgorijan20785.hopto.org:5199
45.74.4.244:5199
dgorijan20785.hopto.org:5200
Extracted
darkcomet
New-July-July4-0
45.74.4.244:35800
DC_MUTEX-RT27KF0
-
gencode
cKUHbX2GsGhs
-
install
false
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
false
Extracted
asyncrat
0.5.6A
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808
servtle284
-
delay
5
-
install
true
-
install_file
wintskl.exe
-
install_folder
%AppData%
Extracted
darkcomet
1++Dec_Pure_1
dgorijan20785.hopto.org:35799
DC_MUTEX-JP69GTU
-
gencode
ZrXR6g2JfYyE
-
install
false
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
false
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 54 IoCs
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload 1 IoCs
-
Warzone RAT payload 26 IoCs
-
Drops file in Drivers directory 8 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 29 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Suspicious use of SetThreadContext 36 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
NTFS ADS 1 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 383⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"3⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 403⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 403⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 387⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"7⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 377⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 377⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\calc.exe"C:\Users\Admin\AppData\Local\Temp\calc.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\calc.exe"C:\Users\Admin\AppData\Local\Temp\calc.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 359⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 379⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 359⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 359⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 359⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEC:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEC:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEC:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE8⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEC:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEC:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 367⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"7⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 377⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 377⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\calc.exe"C:\Users\Admin\AppData\Local\Temp\calc.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\calc.exe"C:\Users\Admin\AppData\Local\Temp\calc.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 359⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 359⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 379⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 379⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 379⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 379⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 379⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 359⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 389⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 369⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"9⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 379⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wincalc.exe.exe,"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 399⤵
- Runs ping.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"C:\Users\Admin\AppData\Local\Temp\USBDRV.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"C:\Users\Admin\AppData\Local\Temp\WINRARL.EXE"5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe6⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe8⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEC:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEC:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEC:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE8⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEC:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEC:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'wintskl"' /tr "'C:\Users\Admin\AppData\Roaming\wintskl.exe"'9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp831C.tmp.bat""9⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 310⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\wintskl.exe"C:\Users\Admin\AppData\Roaming\wintskl.exe"10⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==11⤵
-
C:\Users\Admin\AppData\Roaming\wintskl.exeC:\Users\Admin\AppData\Roaming\wintskl.exe11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE8⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
-
C:\Users\Admin\Documents\wintsklt.exe"C:\Users\Admin\Documents\wintsklt.exe"9⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==10⤵
-
C:\Users\Admin\Documents\wintsklt.exeC:\Users\Admin\Documents\wintsklt.exe10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEC:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXE8⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEC:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEC:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEC:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEC:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEC:\Users\Admin\AppData\Local\Temp\WINPLAY.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEC:\Users\Admin\AppData\Local\Temp\WINCPUL.EXE8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\winnote.exe"C:\Users\Admin\AppData\Local\Temp\winnote.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\winnote.exe"C:\Users\Admin\AppData\Local\Temp\winnote.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 375⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 395⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 355⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 375⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 385⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 385⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 365⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 385⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 395⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 355⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 385⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 355⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"5⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 355⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 385⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 395⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSCALC.EXE.logFilesize
1KB
MD59a2d0ce437d2445330f2646472703087
SHA133c83e484a15f35c2caa3af62d5da6b7713a20ae
SHA25630ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c
SHA512a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WINRARL.EXE.logFilesize
1KB
MD5df27a876383bd81dfbcb457a9fa9f09d
SHA11bbc4ab95c89d02ec1d217f0255205787999164e
SHA2568940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc
SHA512fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exeFilesize
6.1MB
MD5d7e6fd264bc937e3646de58e551a29db
SHA11db4664777b17e004f71cee4002f9ccc430413e4
SHA256463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
SHA512cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exeFilesize
6.1MB
MD5d7e6fd264bc937e3646de58e551a29db
SHA11db4664777b17e004f71cee4002f9ccc430413e4
SHA256463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
SHA512cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD54ccf9b36a34ec10d277a8f80f7018af9
SHA14e72e6371f9da5d7e50134705a0f5493d06f2959
SHA256b4ae420de95cb94fe1321ab400be534dd836766f7e215a812c38ce1e0fc5c8b8
SHA5127d46f59a96eb39e493b50a9189d3e1250f10743b4bab707c4c61851c05d5ad4661a51db0f08b1becef3c22810e73b16a80d30f0e5a131a11b30fc971b28a3cfa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD514b0de220a43e4594934462465dba7d3
SHA1f906e8d7fe5ce8fecd3c91af4547a22b5263c8d7
SHA2564bf190eb5672e3d7fb2b0d0cb1da48e200de307d94b4c65429a29def9081e98f
SHA51220f211d801c529a90db241c24cfba88184ea20ef5793f0fef5f1390343a51096bfe916df9c6241a38ad0215e3838a29c996a84fe31e99323c24ac34a506e1795
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD57140c03056ce91125d50e60a7fc68ff6
SHA1c7a0197691fc849068a9c182545fc60469ee8364
SHA25694bb3ca0074058655835e550ace7e54e4e9a219a1e36c99baa22f3a84d1c9a74
SHA51243024cf683d9281483117d5282969499a9e87bc56e7e55bca4fbf7a618f9dce84b9762fbc7316c016fd20ec852477e3041c4463ce88552fb011e377c8739f779
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD581f6ff47ad63e370c1277a959c190ae5
SHA154e3ee4edebde1ff54daab840b9925e49df8dd62
SHA256c6055e6f18b1c76e8d4462dd407efc5611b8ad3043ddedba55a5c5d2519f4fb1
SHA51220489c98a7e07cebb41c45648014a897a4a2352cf911ea2baf1af37ce4bb46a9168b3d6ae9b1c452ba3a2b54c8397992677777e99953ed4d7350819fa33e174f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
528B
MD5c2be0f60f301d135da1f58043b3100f4
SHA124944ac5f62fbb4446ce31795a17d6d3897d76e6
SHA25698f4ebd2dcc793cefcb7129ba9bab7746be854d91e9ebc5453762addf6e45391
SHA5128cc4a26dc0998a282667da8e7f3a8e65c6875ce0136b2841a4a69cd07a436bc022836b54acf9338b2323690ce24b7433ce9ea86114425a27d5584cfe266d820b
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXEFilesize
971KB
MD5b9627469e7f554de40844bb210bafc1b
SHA1a9e0647c640bb4e7a5a432e984e294842d03455d
SHA2565074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6
SHA51286db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXEFilesize
971KB
MD5b9627469e7f554de40844bb210bafc1b
SHA1a9e0647c640bb4e7a5a432e984e294842d03455d
SHA2565074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6
SHA51286db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXEFilesize
971KB
MD5b9627469e7f554de40844bb210bafc1b
SHA1a9e0647c640bb4e7a5a432e984e294842d03455d
SHA2565074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6
SHA51286db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b
-
C:\Users\Admin\AppData\Local\Temp\ADOBESERV.EXEFilesize
971KB
MD5b9627469e7f554de40844bb210bafc1b
SHA1a9e0647c640bb4e7a5a432e984e294842d03455d
SHA2565074bd7fda57cb8d31c248aedbaf2a3f922a11140c7cf14e63cfba3f99b8dac6
SHA51286db7b6c6c77f5c828483a2d50029734d0dc36e7c0b50358958d6374257a5b3b6adde148372fa6a2a666e22b03b2bc29e61821d69baaca872c5594f7f0666f7b
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEFilesize
706KB
MD5ec686b4055ed2cb7c2cad70b4d16d129
SHA107fa122ac1ab4451cf9fa239652faa867a29540e
SHA25659baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a
SHA51286e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEFilesize
706KB
MD5ec686b4055ed2cb7c2cad70b4d16d129
SHA107fa122ac1ab4451cf9fa239652faa867a29540e
SHA25659baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a
SHA51286e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEFilesize
706KB
MD5ec686b4055ed2cb7c2cad70b4d16d129
SHA107fa122ac1ab4451cf9fa239652faa867a29540e
SHA25659baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a
SHA51286e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEFilesize
706KB
MD5ec686b4055ed2cb7c2cad70b4d16d129
SHA107fa122ac1ab4451cf9fa239652faa867a29540e
SHA25659baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a
SHA51286e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21
-
C:\Users\Admin\AppData\Local\Temp\AUDIOPT.EXEFilesize
706KB
MD5ec686b4055ed2cb7c2cad70b4d16d129
SHA107fa122ac1ab4451cf9fa239652faa867a29540e
SHA25659baafdc73a69084baa1dd9ee4eaf50c85e2c6dadb7d1ed874db261c63a6416a
SHA51286e9c5fe00bb550603c988f91d5c44b6692c77eeeaabb7771f23d82cd73d9189abdf35520d5694237b06bc08da8cdccbe274fc3f64862e5f99d417c338d41c21
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXEFilesize
1.5MB
MD576ffa2a4e9e69492a0f938dfd5c1e35f
SHA1d84990e27fae5197ea02216d83c983c93eb93ad5
SHA256b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476
SHA51266ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXEFilesize
1.5MB
MD576ffa2a4e9e69492a0f938dfd5c1e35f
SHA1d84990e27fae5197ea02216d83c983c93eb93ad5
SHA256b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476
SHA51266ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXEFilesize
1.5MB
MD576ffa2a4e9e69492a0f938dfd5c1e35f
SHA1d84990e27fae5197ea02216d83c983c93eb93ad5
SHA256b82c3ac7e92231430d02ff164bbc72a4f1c0bee1ec1c635404d031840a864476
SHA51266ab40590d0bdc6d6bddd10d7ba83ccc8749d7c3ee2723c9c5f71d291757afd3334553ba7f8e033bd079928d40999facbfeb450aebbd1295651517cd2c80a410
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEFilesize
514KB
MD508e6dc43a44c34efb81e328b03652f3d
SHA1e1359be06649ec0ff40d7b0ba39148afc5ff7855
SHA256da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd
SHA512e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEFilesize
514KB
MD508e6dc43a44c34efb81e328b03652f3d
SHA1e1359be06649ec0ff40d7b0ba39148afc5ff7855
SHA256da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd
SHA512e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEFilesize
514KB
MD508e6dc43a44c34efb81e328b03652f3d
SHA1e1359be06649ec0ff40d7b0ba39148afc5ff7855
SHA256da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd
SHA512e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEFilesize
514KB
MD508e6dc43a44c34efb81e328b03652f3d
SHA1e1359be06649ec0ff40d7b0ba39148afc5ff7855
SHA256da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd
SHA512e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEFilesize
514KB
MD508e6dc43a44c34efb81e328b03652f3d
SHA1e1359be06649ec0ff40d7b0ba39148afc5ff7855
SHA256da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd
SHA512e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c
-
C:\Users\Admin\AppData\Local\Temp\DRVVIDEO.EXEFilesize
514KB
MD508e6dc43a44c34efb81e328b03652f3d
SHA1e1359be06649ec0ff40d7b0ba39148afc5ff7855
SHA256da66e7cf52d4cddb2f366b98e2e2bac4743bfaa88527b14672431cbefd8797fd
SHA512e5a1409fc3cf73458ccee11e290b76a4434da5cc093d359ed497638f327e6fe003977594749fa18657e3612a5cbb35ed603b5a5303a1e8ec7baccea0849c511c
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXEFilesize
455KB
MD57b6c81fb81040406d3bb5eea00a1fb59
SHA14563ed422e8103e50572646bc7b87a0aee2f5832
SHA256a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef
SHA5128695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXEFilesize
455KB
MD57b6c81fb81040406d3bb5eea00a1fb59
SHA14563ed422e8103e50572646bc7b87a0aee2f5832
SHA256a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef
SHA5128695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXEFilesize
455KB
MD57b6c81fb81040406d3bb5eea00a1fb59
SHA14563ed422e8103e50572646bc7b87a0aee2f5832
SHA256a8c07c82faf15edbd94798537734a186b8d18086223d71c94adc162b23d323ef
SHA5128695946c527e9999e88ffba607b42465c690c6c4a1262c3a1b4a61a4f0126282d9b26608f685beaa3ff81192248b08a65ca6702eefddba5c62e7a133f160a2c9
-
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXEFilesize
655KB
MD51bb0d863a7b205323d17dcb497a51431
SHA176b137c4b913891bdba2a764349d7ccefcef9832
SHA25613dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df
SHA512c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677
-
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXEFilesize
655KB
MD51bb0d863a7b205323d17dcb497a51431
SHA176b137c4b913891bdba2a764349d7ccefcef9832
SHA25613dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df
SHA512c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677
-
C:\Users\Admin\AppData\Local\Temp\USBDRV.EXEFilesize
655KB
MD51bb0d863a7b205323d17dcb497a51431
SHA176b137c4b913891bdba2a764349d7ccefcef9832
SHA25613dfb77a6888acc1706d9c5192b94d0ce799938053747a17272bc1a6abb3e3df
SHA512c8bcf20a5d987534f526addb3d14f4ae76b9fd5ddfbad228f34f5eb6176d76d390e2b8ec06c2ad4e9aef93e22dbe157807caa1c363ef69e029dc4aa56ccdc677
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEFilesize
519KB
MD5601292d6c082d283f03c18d7544b191b
SHA1695ad657e5bbc51c2b02bf674982a788dea95dbc
SHA2568e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13
SHA512bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEFilesize
519KB
MD5601292d6c082d283f03c18d7544b191b
SHA1695ad657e5bbc51c2b02bf674982a788dea95dbc
SHA2568e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13
SHA512bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEFilesize
519KB
MD5601292d6c082d283f03c18d7544b191b
SHA1695ad657e5bbc51c2b02bf674982a788dea95dbc
SHA2568e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13
SHA512bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEFilesize
519KB
MD5601292d6c082d283f03c18d7544b191b
SHA1695ad657e5bbc51c2b02bf674982a788dea95dbc
SHA2568e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13
SHA512bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f
-
C:\Users\Admin\AppData\Local\Temp\WINCPUL.EXEFilesize
519KB
MD5601292d6c082d283f03c18d7544b191b
SHA1695ad657e5bbc51c2b02bf674982a788dea95dbc
SHA2568e8475a545e6850a43356f98c1f0699a80f36fe39fd929fbb38b69f6b9702d13
SHA512bd0cf0580c1f2d167a49acc1f30ea456dff93503eb646e53eca5ff105c8d3e0981ee5a2b4411f7bbdac2d884f021bf564fa6e24e2af5a4aed2c55afdb4784d8f
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEFilesize
512KB
MD52f679de5443dac203b91769a4c1c909d
SHA10c6abb07446d0bc0656b7304411de78f65d2e809
SHA256cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e
SHA51203b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEFilesize
512KB
MD52f679de5443dac203b91769a4c1c909d
SHA10c6abb07446d0bc0656b7304411de78f65d2e809
SHA256cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e
SHA51203b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEFilesize
512KB
MD52f679de5443dac203b91769a4c1c909d
SHA10c6abb07446d0bc0656b7304411de78f65d2e809
SHA256cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e
SHA51203b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONL.EXEFilesize
512KB
MD52f679de5443dac203b91769a4c1c909d
SHA10c6abb07446d0bc0656b7304411de78f65d2e809
SHA256cd73963224e868c6240b66d110da419dfff6af9c411c6df4dbcb8d14b330719e
SHA51203b8360952f710c378ab2a13587a04ef3520f9fe7ed23be0ec744a039ee1ee36db4e2e8f47336faa0fdd8e064aa4b9b34d410765f19d8f525fc19596804402e0
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXEFilesize
566KB
MD58e8ef744cf8dd267c3059f748f2ae16a
SHA17e1268dfbd26c536b262bb88d5f803261cc016f5
SHA256f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9
SHA512c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXEFilesize
566KB
MD58e8ef744cf8dd267c3059f748f2ae16a
SHA17e1268dfbd26c536b262bb88d5f803261cc016f5
SHA256f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9
SHA512c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXEFilesize
566KB
MD58e8ef744cf8dd267c3059f748f2ae16a
SHA17e1268dfbd26c536b262bb88d5f803261cc016f5
SHA256f2d089492e0e7c3d0118611d7ae5557f4757f417764e451bc87897c3fd9d4ed9
SHA512c1a2296faa617acd61b85082c0259d99f46dd782607f3f1276ee155718dbc7e5d6d41b2869f8cc19c7e0f4bbf0e8ec770677e2811b5f67bec2d18ee88c24ad5c
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEFilesize
471KB
MD5caa8b858c6b22d263c3b3029461191fc
SHA189922c2d98a35d3eb00acea5e7563a63e237265f
SHA256d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1
SHA5129f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEFilesize
471KB
MD5caa8b858c6b22d263c3b3029461191fc
SHA189922c2d98a35d3eb00acea5e7563a63e237265f
SHA256d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1
SHA5129f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEFilesize
471KB
MD5caa8b858c6b22d263c3b3029461191fc
SHA189922c2d98a35d3eb00acea5e7563a63e237265f
SHA256d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1
SHA5129f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc
-
C:\Users\Admin\AppData\Local\Temp\WINPLAY.EXEFilesize
471KB
MD5caa8b858c6b22d263c3b3029461191fc
SHA189922c2d98a35d3eb00acea5e7563a63e237265f
SHA256d6517902ff7db5bf743cdadc20ca9d7f0dde0ed473400671a7245aac7156cee1
SHA5129f39093c954bf2d4a92f4c73d67b45863eeee4bbfcb657510aeda96337a0627259fb4b40b5779521f454e03710df558843385d8899c1ee5c965f46fa57f998fc
-
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXEFilesize
2.1MB
MD5d047d98c07f60feceabedb071932b56a
SHA1ceb1a880d36ad0c79d75081c6004c4820d18c16d
SHA25616991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355
SHA5126438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563
-
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXEFilesize
2.1MB
MD5d047d98c07f60feceabedb071932b56a
SHA1ceb1a880d36ad0c79d75081c6004c4820d18c16d
SHA25616991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355
SHA5126438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563
-
C:\Users\Admin\AppData\Local\Temp\WINRARL.EXEFilesize
2.1MB
MD5d047d98c07f60feceabedb071932b56a
SHA1ceb1a880d36ad0c79d75081c6004c4820d18c16d
SHA25616991ad50cc5cb86f67315832419b655c0d91a973ba31cbcf4b5af04f301e355
SHA5126438bc492f34e3ce0f1e3f578e28ba02eb648f86f00133ba46f0773cd79da3d5d9b1127aaf21cc5a87b9557671f6acbc244c3fc923aaa08524f353677afec563
-
C:\Users\Admin\AppData\Local\Temp\winnote.exeFilesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\winnote.exeFilesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\winnote.exeFilesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\winnote.txtFilesize
84B
MD5c8cabb6b54616a0662e0ef1c5ccef1eb
SHA1cf2d9cf73c3697b2f328c48bd623a57299b643f0
SHA256c3081001c15152e7a052c4b6af5a60c152796fb462fcd567aba081b1f3e3ad14
SHA51294befd3b09854c5ae84f4c55b0541c1d10fba496364bbdacc6668a4e5b15a337c0bd9788befc1967aaf9b4954d1235c082111b8e463e909849f361106d63dbcc
-
C:\Users\Admin\AppData\Local\Temp\winnote.txtFilesize
84B
MD5c8cabb6b54616a0662e0ef1c5ccef1eb
SHA1cf2d9cf73c3697b2f328c48bd623a57299b643f0
SHA256c3081001c15152e7a052c4b6af5a60c152796fb462fcd567aba081b1f3e3ad14
SHA51294befd3b09854c5ae84f4c55b0541c1d10fba496364bbdacc6668a4e5b15a337c0bd9788befc1967aaf9b4954d1235c082111b8e463e909849f361106d63dbcc
-
C:\Users\Admin\AppData\Local\Temp\winnote.txtFilesize
84B
MD51a3bcea083720d0c48b4cfdab9e4b0f0
SHA19277f357f6cac57c3b104a0bbc798442c814aa3d
SHA256040efd1eb920457963410e90a20f074f542cf3edf23ec9e8f006fd372f3f3972
SHA512be83082194cc43232a9e470228a106991d42e3c081092f222415f91a6c3997534f3cc18c3dacf9edb3967dbf506a95f5fb41216b8f4767295bff7b22ca8692f1
-
C:\Windows\system32\drivers\etc\hostsFilesize
21B
MD52ddca716eff6ab2f8d96dc3d39527386
SHA14c1c65fa4d6bffe17dc9e04e193adf6db9d0994f
SHA256e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a
SHA5125b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3
-
C:\Windows\system32\drivers\etc\hostsFilesize
21B
MD52ddca716eff6ab2f8d96dc3d39527386
SHA14c1c65fa4d6bffe17dc9e04e193adf6db9d0994f
SHA256e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a
SHA5125b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3
-
C:\Windows\system32\drivers\etc\hostsFilesize
21B
MD52ddca716eff6ab2f8d96dc3d39527386
SHA14c1c65fa4d6bffe17dc9e04e193adf6db9d0994f
SHA256e0802313e50e2b94580ac045356ea9cbd88106bede5525634964412a7811f52a
SHA5125b2a2f43e431d9637a87726b387819f00c9b3fa4ea7371e844dcdaeb424c32d5ab0106663d0d3f0e17a06d5890303cced8a625d06d04cbf657b6e3de207eb8e3
-
memory/216-401-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/216-137-0x0000000000000000-mapping.dmp
-
memory/340-259-0x0000000000000000-mapping.dmp
-
memory/384-400-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/384-411-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/628-239-0x0000000000C60000-0x0000000000CE6000-memory.dmpFilesize
536KB
-
memory/628-231-0x0000000000000000-mapping.dmp
-
memory/720-300-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/720-299-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/720-296-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/720-409-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/800-134-0x0000000005B60000-0x0000000005BF2000-memory.dmpFilesize
584KB
-
memory/800-136-0x000000000C6C0000-0x000000000C6CA000-memory.dmpFilesize
40KB
-
memory/800-135-0x0000000005CA0000-0x0000000005D3C000-memory.dmpFilesize
624KB
-
memory/800-132-0x0000000000B80000-0x000000000119A000-memory.dmpFilesize
6.1MB
-
memory/800-133-0x0000000006250000-0x00000000067F4000-memory.dmpFilesize
5.6MB
-
memory/912-257-0x0000000000000000-mapping.dmp
-
memory/1020-272-0x0000000000000000-mapping.dmp
-
memory/1252-186-0x0000000000000000-mapping.dmp
-
memory/1264-273-0x0000000000000000-mapping.dmp
-
memory/1264-203-0x0000000005E20000-0x0000000005E86000-memory.dmpFilesize
408KB
-
memory/1264-373-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/1264-198-0x0000000000000000-mapping.dmp
-
memory/1264-402-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/1264-206-0x0000000007A90000-0x000000000810A000-memory.dmpFilesize
6.5MB
-
memory/1264-205-0x0000000006450000-0x000000000646E000-memory.dmpFilesize
120KB
-
memory/1280-170-0x0000000000000000-mapping.dmp
-
memory/1280-174-0x0000000000FF0000-0x000000000121A000-memory.dmpFilesize
2.2MB
-
memory/1280-278-0x0000000000000000-mapping.dmp
-
memory/1288-200-0x0000000000000000-mapping.dmp
-
memory/1304-217-0x0000000000000000-mapping.dmp
-
memory/1304-235-0x0000000000400000-0x0000000000853000-memory.dmpFilesize
4.3MB
-
memory/1304-275-0x0000000000400000-0x0000000000853000-memory.dmpFilesize
4.3MB
-
memory/1480-243-0x0000000000000000-mapping.dmp
-
memory/1480-250-0x0000000000120000-0x00000000001A6000-memory.dmpFilesize
536KB
-
memory/1612-182-0x0000000000000000-mapping.dmp
-
memory/1700-179-0x0000000000000000-mapping.dmp
-
memory/1920-139-0x0000000000000000-mapping.dmp
-
memory/1936-284-0x0000000000000000-mapping.dmp
-
memory/1960-215-0x0000000000000000-mapping.dmp
-
memory/1984-283-0x0000000000000000-mapping.dmp
-
memory/2020-248-0x0000000000000000-mapping.dmp
-
memory/2020-256-0x00000000008A0000-0x000000000091C000-memory.dmpFilesize
496KB
-
memory/2164-195-0x0000000000000000-mapping.dmp
-
memory/2328-138-0x0000000000000000-mapping.dmp
-
memory/2380-148-0x0000000000000000-mapping.dmp
-
memory/2576-266-0x0000000000000000-mapping.dmp
-
memory/2640-201-0x0000000004EF0000-0x0000000004F12000-memory.dmpFilesize
136KB
-
memory/2640-193-0x0000000000000000-mapping.dmp
-
memory/2640-196-0x00000000027E0000-0x0000000002816000-memory.dmpFilesize
216KB
-
memory/2640-207-0x0000000006260000-0x000000000627A000-memory.dmpFilesize
104KB
-
memory/2640-199-0x00000000050F0000-0x0000000005718000-memory.dmpFilesize
6.2MB
-
memory/2640-202-0x0000000005720000-0x0000000005786000-memory.dmpFilesize
408KB
-
memory/2872-140-0x0000000000000000-mapping.dmp
-
memory/3252-162-0x0000000000ED0000-0x0000000000F48000-memory.dmpFilesize
480KB
-
memory/3252-158-0x0000000000000000-mapping.dmp
-
memory/3276-216-0x0000000000400000-0x0000000000853000-memory.dmpFilesize
4.3MB
-
memory/3276-293-0x0000000000400000-0x0000000000853000-memory.dmpFilesize
4.3MB
-
memory/3276-214-0x0000000000400000-0x0000000000853000-memory.dmpFilesize
4.3MB
-
memory/3276-212-0x0000000000400000-0x0000000000853000-memory.dmpFilesize
4.3MB
-
memory/3276-210-0x0000000000000000-mapping.dmp
-
memory/3276-232-0x0000000000400000-0x0000000000853000-memory.dmpFilesize
4.3MB
-
memory/3308-258-0x0000000000000000-mapping.dmp
-
memory/3412-276-0x0000000000000000-mapping.dmp
-
memory/3452-161-0x0000000000000000-mapping.dmp
-
memory/3452-169-0x0000000000FC0000-0x0000000001068000-memory.dmpFilesize
672KB
-
memory/3468-228-0x00000000000B0000-0x00000000001AA000-memory.dmpFilesize
1000KB
-
memory/3468-221-0x0000000000000000-mapping.dmp
-
memory/3508-251-0x0000000000000000-mapping.dmp
-
memory/3552-263-0x0000000000000000-mapping.dmp
-
memory/3712-184-0x0000000000000000-mapping.dmp
-
memory/3716-282-0x0000000000000000-mapping.dmp
-
memory/3740-187-0x0000000000000000-mapping.dmp
-
memory/3752-147-0x0000000000000000-mapping.dmp
-
memory/3848-141-0x0000000000000000-mapping.dmp
-
memory/3884-154-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/3884-153-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/3884-152-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/3884-150-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/3884-149-0x0000000000000000-mapping.dmp
-
memory/3884-208-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/3936-173-0x0000000000DB0000-0x0000000000E44000-memory.dmpFilesize
592KB
-
memory/3936-166-0x0000000000000000-mapping.dmp
-
memory/3960-146-0x00000000005B0000-0x0000000000BCA000-memory.dmpFilesize
6.1MB
-
memory/3960-143-0x0000000000000000-mapping.dmp
-
memory/4044-234-0x0000000000680000-0x0000000000738000-memory.dmpFilesize
736KB
-
memory/4044-227-0x0000000000000000-mapping.dmp
-
memory/4048-242-0x0000000000000000-mapping.dmp
-
memory/4148-407-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/4148-375-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/4212-269-0x0000000000000000-mapping.dmp
-
memory/4260-324-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/4260-329-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/4260-326-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/4260-362-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/4272-340-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/4324-191-0x0000000000000000-mapping.dmp
-
memory/4368-261-0x0000000000000000-mapping.dmp
-
memory/4456-260-0x0000000000000000-mapping.dmp
-
memory/4488-197-0x0000000000000000-mapping.dmp
-
memory/4512-155-0x0000000000000000-mapping.dmp
-
memory/4512-163-0x0000000000F40000-0x00000000010CC000-memory.dmpFilesize
1.5MB
-
memory/4688-249-0x0000000000000000-mapping.dmp
-
memory/4776-244-0x0000000000480000-0x0000000000508000-memory.dmpFilesize
544KB
-
memory/4776-238-0x0000000000000000-mapping.dmp
-
memory/4788-211-0x0000000000000000-mapping.dmp
-
memory/4876-320-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/4876-316-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/4876-327-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/4876-312-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/4916-322-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/4916-315-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/4916-319-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/4916-318-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/4916-323-0x000000006BEA0000-0x000000006BED9000-memory.dmpFilesize
228KB
-
memory/4928-267-0x0000000000000000-mapping.dmp
-
memory/4956-277-0x0000000000000000-mapping.dmp
-
memory/4960-204-0x0000000000000000-mapping.dmp
-
memory/5032-142-0x0000000000000000-mapping.dmp
-
memory/5064-178-0x0000000000BF0000-0x0000000000C0A000-memory.dmpFilesize
104KB
-
memory/5064-175-0x0000000000000000-mapping.dmp
-
memory/5092-306-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5092-309-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5092-303-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5092-305-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5092-307-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5244-377-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/5264-352-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/5264-397-0x0000000000400000-0x0000000000559000-memory.dmpFilesize
1.3MB
-
memory/5280-285-0x0000000000000000-mapping.dmp
-
memory/5288-398-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5320-410-0x0000000000400000-0x0000000000568000-memory.dmpFilesize
1.4MB
-
memory/5320-399-0x0000000000400000-0x0000000000568000-memory.dmpFilesize
1.4MB
-
memory/5332-286-0x0000000000000000-mapping.dmp
-
memory/5348-379-0x0000000000400000-0x0000000000568000-memory.dmpFilesize
1.4MB
-
memory/5348-287-0x0000000000000000-mapping.dmp
-
memory/5348-363-0x0000000000400000-0x0000000000568000-memory.dmpFilesize
1.4MB
-
memory/5348-415-0x000000000AB80000-0x000000000AD20000-memory.dmpFilesize
1.6MB
-
memory/5392-288-0x0000000000000000-mapping.dmp
-
memory/5480-378-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/5480-364-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/5480-382-0x000000006BEA0000-0x000000006BED9000-memory.dmpFilesize
228KB
-
memory/5564-289-0x0000000000000000-mapping.dmp
-
memory/5588-290-0x0000000000000000-mapping.dmp
-
memory/5636-367-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/5884-368-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/6020-390-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/6580-408-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/6644-342-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/6720-301-0x0000000000F50000-0x0000000000F51000-memory.dmpFilesize
4KB
-
memory/6764-328-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB