Analysis

max time kernel: 129s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2023 23:45

Static task: static1
Behavioral task: behavioral1
  Sample: 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
  Resource: win10v2004-20230703-en
General

Target: 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
Size: 374KB
MD5: aaf3d68aeea347268ede50e621ca21ce
SHA1: 0e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA256: 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA512: 61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0
SSDEEP: 6144:TGLsY7ein4IiPnD2sB8qQi69nygVfjx+ZlrLM3N2qPkaG+C+Bsq:qgkf4IiPD26dT24brLcNhPtZ5
Malware Config

Extracted: systembc
  C2: adstat477d.xyz:4044
  C2: demstat577d.xyz:4044

Extracted: smokeloader
  Version: 2022
  C2: http://serverxlogs21.xyz/statweb255/
  C2: http://servxblog79.xyz/statweb255/
  C2: http://demblog289.xyz/statweb255/
  C2: http://admlogs77x.online/statweb255/
  C2: http://blogxstat38.xyz/statweb255/
  C2: http://blogxstat25.xyz/statweb255/

Extracted: C:\info.hta
  Contact address in note: [email protected]

Extracted: C:\Users\Admin\Desktop\info.hta
Signatures

Detect rhadamanthys stealer shellcode (6 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/500-139-0x00000000024D0000-0x00000000028D0000-memory.dmp  family_rhadamanthys
  behavioral1/memory/500-140-0x00000000024D0000-0x00000000028D0000-memory.dmp  family_rhadamanthys
  behavioral1/memory/500-141-0x00000000024D0000-0x00000000028D0000-memory.dmp  family_rhadamanthys
  behavioral1/memory/500-142-0x00000000024D0000-0x00000000028D0000-memory.dmp  family_rhadamanthys
  behavioral1/memory/500-154-0x00000000024D0000-0x00000000028D0000-memory.dmp  family_rhadamanthys
  behavioral1/memory/500-157-0x00000000024D0000-0x00000000028D0000-memory.dmp  family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
  description            pid  process                                                                target process
  PID 500 created 3128   500  09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe  Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
Processes:
  pid   process
  388   bcdedit.exe
  4356  bcdedit.exe
  4316  bcdedit.exe
  412   bcdedit.exe

Renames multiple (479) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes:
  pid   process
  2672  wbadmin.exe
  5044  wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall (1 TTPs, 2 IoCs)

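The process evidence in this report (cmd.exe 1720 launching vssadmin, WMIC, bcdedit and wbadmin, and cmd.exe 824 launching netsh twice, per the WriteProcessMemory table further down) is the usual Phobos recovery-inhibition chain: ATT&CK T1490 (Inhibit System Recovery) plus T1562.004 (Disable or Modify System Firewall). The Python below is an added example, not part of the sandbox report. It runs a handful of command-line rules over constructed process-creation records, attributes every hit to the root process under the shell, and only alerts when several distinct tools appear in one process tree, so a lone administrative "bcdedit /enum" does not fire. The PIDs and parent/child links follow the report; the command lines are assumed, because the report does not show them.

```python
import re

# Constructed process-creation records: (pid, ppid, image, command line).
# PIDs and parent/child links follow the report's tables; the command lines
# are assumed (the report does not show them) and are typical of this family.
SAMPLE_EVENTS = [
    (3128, 0,    "Explorer.EXE",  r"C:\Windows\Explorer.EXE"),
    (2060, 3128, "U85-i%aI2.exe", r"C:\Users\Admin\AppData\Local\U85-i%aI2.exe"),
    (1720, 2060, "cmd.exe",       "cmd.exe /c (recovery-inhibition batch, assumed)"),
    (824,  2060, "cmd.exe",       "cmd.exe /c (firewall batch, assumed)"),
    (828,  1720, "vssadmin.exe",  "vssadmin delete shadows /all /quiet"),
    (4508, 1720, "WMIC.exe",      "wmic shadowcopy delete"),
    (388,  1720, "bcdedit.exe",   "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4356, 1720, "bcdedit.exe",   "bcdedit /set {default} recoveryenabled no"),
    (2672, 1720, "wbadmin.exe",   "wbadmin delete catalog -quiet"),
    (2144, 824,  "netsh.exe",     "netsh advfirewall set currentprofile state off"),
    (932,  824,  "netsh.exe",     "netsh firewall set opmode mode=disable"),
    (5100, 3128, "bcdedit.exe",   "bcdedit /enum"),  # benign admin use; must not fire
]

# (image name, command-line pattern, ATT&CK technique)
RULES = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "T1490"),
    ("wmic.exe",     re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I), "T1490"),
    ("bcdedit.exe",  re.compile(r"recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures", re.I), "T1490"),
    ("wbadmin.exe",  re.compile(r"\bdelete\s+catalog\b", re.I), "T1490"),
    ("netsh.exe",    re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off"
                                r"|firewall\s+set\s+opmode\s+mode=disable", re.I), "T1562.004"),
]

# The parent walk stops below these; hits are attributed to their child.
SHELL_IMAGES = {"explorer.exe", "services.exe"}


def _root(pid, parent, image):
    """Walk up the parent chain until the shell (or an unknown parent) is reached."""
    while True:
        ppid = parent.get(pid)
        if ppid not in image or image[ppid].lower() in SHELL_IMAGES:
            return pid
        pid = ppid


def detect(events):
    """Return {root pid: {"image", "techniques", "tools", "pids"}} for every
    process tree in which at least one rule matched."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    image = {pid: img for pid, _, img, _ in events}
    hits = {}
    for pid, _, img, cmdline in events:
        for tool, pattern, technique in RULES:
            if img.lower() == tool and pattern.search(cmdline):
                root = _root(pid, parent, image)
                entry = hits.setdefault(root, {"image": image[root], "techniques": set(),
                                               "tools": set(), "pids": []})
                entry["techniques"].add(technique)
                entry["tools"].add(img)
                entry["pids"].append(pid)
    return hits


def alerts(events, min_tools=2):
    """Trees using at least `min_tools` distinct tools. One 'vssadmin delete
    shadows' may be an administrator; five tools under one parent is not."""
    return {root: info for root, info in detect(events).items()
            if len(info["tools"]) >= min_tools}


if __name__ == "__main__":
    for root, info in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT root pid {root} ({info['image']}): "
              f"{sorted(info['techniques'])} via {sorted(info['tools'])}")
```

In a real deployment the records would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled; without the command line the bcdedit rule cannot separate "/set recoveryenabled no" from a harmless "/enum".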
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation  U85-i%aI2.exe

Drops startup file (3 IoCs)
Processes:
  description                   ioc                                                                                                                   process
  File created                  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\U85-i%aI2.exe                       U85-i%aI2.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini                             U85-i%aI2.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2C79BA2A-3483].[[email protected]].8base  U85-i%aI2.exe

Executes dropped EXE (7 IoCs)
Processes:
  pid   process
  1976  24CF.exe
  2060  U85-i%aI2.exe
  4172  425j0S.exe
  3172  U85-i%aI2.exe
  4592  24CF.exe
  4724  C8F8.exe
  3900  CA80.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 9 IoCs)
Processes:
  description  ioc                                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook                                                 certreq.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook                                                 certreq.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook               certreq.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                explorer.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook                                                 certreq.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                                 certreq.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                                 certreq.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                                                     process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U85-i%aI2 = "C:\\Users\\Admin\\AppData\\Local\\U85-i%aI2.exe"                                          U85-i%aI2.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U85-i%aI2 = "C:\\Users\\Admin\\AppData\\Local\\U85-i%aI2.exe"  U85-i%aI2.exe

Drops desktop.ini file(s) (64 IoCs)
Processes (every entry is "File opened for modification" by U85-i%aI2.exe):
  C:\Users\Public\Libraries\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Program Files\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\3D Objects\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                             pid   process   target process
  PID 1976 set thread context of 4592     1976  24CF.exe  24CF.exe

Drops file in Program Files directory (64 IoCs)
Processes (every entry is by U85-i%aI2.exe; "opened" = File opened for modification, "created" = File created):
  opened   C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.InteropServices.WindowsRuntime.dll
  opened   C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml
  opened   C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80.png
  opened   C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-125.png
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png
  opened   C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js
  opened   C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX
  created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\THMBNAIL.PNG.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-100.png
  opened   C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\meetings-chat-upsell.png
  opened   C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png
  opened   C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-200.png
  created  C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar
  created  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-150.png
  opened   C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png
  opened   C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-200.png
  opened   C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll
  opened   C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-125.png
  opened   C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png
  opened   C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-125.png
  opened   C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\nunit_schema_2.5.xsd
  created  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms
  opened   C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll
  opened   C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll
  opened   C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256.png
  created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview-hover.svg.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb
  opened   C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms
  opened   C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL
  opened   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dll
  opened   C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml
  opened   C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
  opened   C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SuccessControl.xaml
  created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl.id[2C79BA2A-3483].[[email protected]].8base
  created  C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\PSGet.Resource.psd1.id[2C79BA2A-3483].[[email protected]].8base
  created  C:\Program Files\Java\jre1.8.0_66\lib\ext\sunjce_provider.jar.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config
  created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\ui-strings.js.id[2C79BA2A-3483].[[email protected]].8base
  created  C:\Program Files\7-Zip\Lang\va.txt.id[2C79BA2A-3483].[[email protected]].8base
  created  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms
  opened   C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css
  opened   C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar
  created  C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.ps1
  created  C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui
  created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
  opened   C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png
  opened   C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js
  opened   C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-100.png
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js
  created  C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.id[2C79BA2A-3483].[[email protected]].8base
  opened   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png

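The "File created" rows above show the naming scheme applied to every encrypted file: the original name, then .id[<victim id>] with the 8-hex-digit/4-digit identifier 2C79BA2A-3483, then the operator's contact address in square brackets (shown as [email protected] in this extracted report), then the .8base extension. The Python below is an added example, not report content. It parses that scheme and summarizes a constructed list of paths taken from the report, so that during incident response one can confirm a single victim id and contact address across the host and see which top-level directories were hit. The contact address ransom@example.invalid is a hypothetical stand-in for the obfuscated one.

```python
import ntpath
import re
from collections import Counter

# Phobos-style encrypted file name:  <original>.id[<victim id>].[<contact>].<ext>
# The victim id 2C79BA2A-3483 and the .8base extension come from the report;
# the contact address used below is a hypothetical stand-in.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

RANSOM_NOTE_NAMES = {"info.hta"}  # note file name seen in the report

# Constructed sample: four encrypted paths from the report, the dropped note,
# and one file that was opened but not renamed.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2C79BA2A-3483].[ransom@example.invalid].8base",
    r"C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.id[2C79BA2A-3483].[ransom@example.invalid].8base",
    r"C:\Program Files\7-Zip\Lang\va.txt.id[2C79BA2A-3483].[ransom@example.invalid].8base",
    r"C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.id[2C79BA2A-3483].[ransom@example.invalid].8base",
    r"C:\Users\Admin\Desktop\info.hta",
    r"C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL",
]


def parse_encrypted_name(path):
    """Return the fields of a Phobos-style encrypted file path, or None when
    the file name does not follow the scheme."""
    match = ENCRYPTED_NAME.match(ntpath.basename(path))
    if match is None:
        return None
    fields = match.groupdict()
    fields["original_ext"] = ntpath.splitext(fields["original"])[1].lower()
    fields["directory"] = ntpath.dirname(path)
    return fields


def _top_dir(path):
    """Drive plus first folder, e.g. 'C:\\Program Files'."""
    return "\\".join(path.split("\\")[:2])


def triage(paths):
    """Count encrypted files per victim id, contact, extension and top-level
    directory, and separate ransom notes from files that were left alone."""
    summary = {
        "encrypted": 0,
        "victim_ids": Counter(),
        "contacts": set(),
        "extensions": Counter(),
        "original_exts": Counter(),
        "by_top_dir": Counter(),
        "notes": [],
        "untouched": [],
    }
    for path in paths:
        fields = parse_encrypted_name(path)
        if fields is None:
            is_note = ntpath.basename(path).lower() in RANSOM_NOTE_NAMES
            summary["notes" if is_note else "untouched"].append(path)
            continue
        summary["encrypted"] += 1
        summary["victim_ids"][fields["victim_id"]] += 1
        summary["contacts"].add(fields["contact"])
        summary["extensions"][fields["ext"]] += 1
        summary["original_exts"][fields["original_ext"]] += 1
        summary["by_top_dir"][_top_dir(path)] += 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(f"{result['encrypted']} encrypted files, victim ids {dict(result['victim_ids'])}")
    print("contacts:", sorted(result["contacts"]))
    print("by top-level directory:", dict(result["by_top_dir"]))
    print("ransom notes:", result["notes"])
```

Two victim ids or two contact addresses on one host would mean two separate infections or a second run of the binary; the original-extension tally is what tells you which data types were reached before the process was stopped.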
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
Processes:
  pid   pid_target  process       target process
  4872  500         WerFault.exe  09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe
  3240  3172        WerFault.exe  U85-i%aI2.exe
  3268  4724        WerFault.exe  C8F8.exe

Checks SCSI registry key(s) (3 TTPs, 7 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                                         process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                            24CF.exe
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                            24CF.exe
  Key enumerated     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                            24CF.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000               vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000          vds.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                          process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0             certreq.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  certreq.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  828   vssadmin.exe
  4624  vssadmin.exe

Modifies registry class (3 IoCs)
Processes:
  description  ioc                                                                                              process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\        Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings             U85-i%aI2.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated events collapsed into counts):
  pid   process                                                                events
  500   09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe  4
  2148  certreq.exe                                                            4
  4592  24CF.exe                                                               2
  2060  U85-i%aI2.exe                                                          12
  3128  Explorer.EXE                                                           42

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  3128  Explorer.EXE

Suspicious behavior: MapViewOfSection (31 IoCs)
Processes (repeated events collapsed into counts):
  pid   process       events
  4592  24CF.exe      1
  3128  Explorer.EXE  30

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (repeated tokens collapsed):
  pid   process        token(s)
  2060  U85-i%aI2.exe  SeDebugPrivilege
  1232  vssvc.exe      SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4508  WMIC.exe       the same 21 tokens, listed twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  980   wbengine.exe   SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  3128  Explorer.EXE   SeShutdownPrivilege (8 events) alternating with SeCreatePagefilePrivilege (7 events)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (repeated events collapsed into counts; each row is "PID <source> wrote to memory of <target>"):
  source pid  source process                                                         target pid  target process  events
  500         09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe  2148        certreq.exe     4
  1976        24CF.exe                                                               4592        24CF.exe        6
  2060        U85-i%aI2.exe                                                          1720        cmd.exe         2
  2060        U85-i%aI2.exe                                                          824         cmd.exe         2
  824         cmd.exe                                                                2144        netsh.exe       2
  1720        cmd.exe                                                                828         vssadmin.exe    2
  1720        cmd.exe                                                                4508        WMIC.exe        2
  824         cmd.exe                                                                932         netsh.exe       2
  1720        cmd.exe                                                                388         bcdedit.exe     2
  1720        cmd.exe                                                                4356        bcdedit.exe     2
  1720        cmd.exe                                                                2672        wbadmin.exe     2
  3128        Explorer.EXE                                                           4724        C8F8.exe        3
  3128        Explorer.EXE                                                           3900        CA80.exe        3
  3128        Explorer.EXE                                                           3448        explorer.exe    4
  3128        Explorer.EXE                                                           4168        explorer.exe    3
  3128        Explorer.EXE                                                           4684        explorer.exe    4
  3128        Explorer.EXE                                                           3800        explorer.exe    4
  3128        Explorer.EXE                                                           1572        explorer.exe    4
  3128        Explorer.EXE                                                           1956        explorer.exe    3
  3128        Explorer.EXE                                                           992         explorer.exe    4
  3128        Explorer.EXE                                                           3504        explorer.exe    3
  3128        Explorer.EXE                                                           1520        explorer.exe    1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes: explorer.exe
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: explorer.exe
-
outlook_win_path 1 IoCs
Processes: explorer.exe
description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: explorer.exe
Processes
-
Process tree (Level N is the depth in the tree; each entry is image path | command line):
-
Level 1: C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe | "C:\Users\Admin\AppData\Local\Temp\09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 792
- Program crash
-
Level 2: C:\Windows\system32\certreq.exe | "C:\Windows\system32\certreq.exe"
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
Level 2: C:\Users\Admin\AppData\Local\Temp\C8F8.exe | C:\Users\Admin\AppData\Local\Temp\C8F8.exe
- Executes dropped EXE
-
Level 3: C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 492
- Program crash
-
Level 2: C:\Users\Admin\AppData\Local\Temp\CA80.exe | C:\Users\Admin\AppData\Local\Temp\CA80.exe
- Executes dropped EXE
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
Level 2: C:\Windows\explorer.exe | C:\Windows\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\explorer.exe | C:\Windows\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\explorer.exe | C:\Windows\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\explorer.exe | C:\Windows\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 2: C:\Windows\explorer.exe | C:\Windows\explorer.exe
-
Level 2: C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
-
Level 1: C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 500 -ip 500
-
Level 1: C:\Users\Admin\AppData\Local\Microsoft\24CF.exe | "C:\Users\Admin\AppData\Local\Microsoft\24CF.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Microsoft\24CF.exe | "C:\Users\Admin\AppData\Local\Microsoft\24CF.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
Level 1: C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe | "C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe"
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe | "C:\Users\Admin\AppData\Local\Microsoft\U85-i%aI2.exe"
- Executes dropped EXE
-
Level 3: C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 468
- Program crash
-
Level 2: C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
- Modifies Windows Firewall
-
Level 3: C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=disable
- Modifies Windows Firewall
-
Level 2: C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
Level 3: C:\Windows\System32\Wbem\WMIC.exe | wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
Level 3: C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
Level 3: C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet
- Deletes backup catalog
-
Level 2: C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
Level 2: C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
Level 2: C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
Level 2: C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
Level 2: C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
-
Level 3: C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
Level 3: C:\Windows\System32\Wbem\WMIC.exe | wmic shadowcopy delete
-
Level 3: C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
Level 3: C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
Level 3: C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet
- Deletes backup catalog
-
Level 1: C:\Users\Admin\AppData\Local\Microsoft\425j0S.exe | "C:\Users\Admin\AppData\Local\Microsoft\425j0S.exe"
- Executes dropped EXE
-
Level 1: C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
Level 1: C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
-
Level 1: C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding
-
Level 1: C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
-
Level 1: C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3172 -ip 3172
-
Level 1: C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4724 -ip 4724
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads