Analysis

max time kernel: 138s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2023 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: a662ba3492a7d218908f5d851841ed96.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: a662ba3492a7d218908f5d851841ed96.exe
  Resource: win10v2004-20230703-en

General

Target: a662ba3492a7d218908f5d851841ed96.exe
Size: 374KB
MD5: a662ba3492a7d218908f5d851841ed96
SHA1: d292b20fd69fc5eb70075fb8ed3e7da940ca0b41
SHA256: c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
SHA512: 38d41c8d44ab23c5cb6ea384404592f5dde3b3707bb8d3e3bf75d6e858b0c2d18e1fe27ba963ef2cefd6dad06ed1e4fd394a5f065bd5aa03b5f91b28201f72a5
SSDEEP: 6144:eLXTm1bNgmdZQBEaR73L/RqEb+xms6DuPa25QkI/7qi2PKuDYDYm1kThqBAtmaqz:ezoOmdZy33zRqESYluPPmkIl2iwmYBh+

Malware Config

Extracted: systembc
  adstat477d.xyz:4044
  demstat577d.xyz:4044

Extracted: smokeloader
  2022
  http://serverxlogs21.xyz/statweb255/
  http://servxblog79.xyz/statweb255/
  http://demblog289.xyz/statweb255/
  http://admlogs77x.online/statweb255/
  http://blogxstat38.xyz/statweb255/
  http://blogxstat25.xyz/statweb255/

Extracted: C:\info.hta
Extracted: C:\users\public\desktop\info.hta

Signatures

Detect rhadamanthys stealer shellcode (6 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1940-139-0x0000000002570000-0x0000000002970000-memory.dmp | family_rhadamanthys
behavioral2/memory/1940-140-0x0000000002570000-0x0000000002970000-memory.dmp | family_rhadamanthys
behavioral2/memory/1940-141-0x0000000002570000-0x0000000002970000-memory.dmp | family_rhadamanthys
behavioral2/memory/1940-142-0x0000000002570000-0x0000000002970000-memory.dmp | family_rhadamanthys
behavioral2/memory/1940-154-0x0000000002570000-0x0000000002970000-memory.dmp | family_rhadamanthys
behavioral2/memory/1940-157-0x0000000002570000-0x0000000002970000-memory.dmp | family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
description | pid | process | target process
PID 1940 created 3088 | 1940 | a662ba3492a7d218908f5d851841ed96.exe | Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
Processes:
pid | process
3220 | bcdedit.exe
3408 | bcdedit.exe
2772 | bcdedit.exe
1892 | bcdedit.exe

Renames multiple (491) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes:
pid | process
3692 | wbadmin.exe
4412 | wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall (1 TTPs, 2 IoCs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation | XfLd%9.exe

Drops startup file (3 IoCs)
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\XfLd%9.exe | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | XfLd%9.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe

Executes dropped EXE (6 IoCs)
Processes:
pid | process
3392 | XfLd%9.exe
1812 | Z69s9.exe
4736 | K5UnDT.exe
3864 | K5UnDT.exe
4608 | XfLd%9.exe
2836 | 29D5.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 9 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XfLd%9 = "C:\\Users\\Admin\\AppData\\Local\\XfLd%9.exe" | XfLd%9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XfLd%9 = "C:\\Users\\Admin\\AppData\\Local\\XfLd%9.exe" | XfLd%9.exe

Drops desktop.ini file(s) (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | XfLd%9.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | XfLd%9.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1420546310-613437930-2990200354-1000\desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | XfLd%9.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1420546310-613437930-2990200354-1000\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | XfLd%9.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | XfLd%9.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | XfLd%9.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 4736 set thread context of 3864 | 4736 | K5UnDT.exe | K5UnDT.exe

Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-disabled_32.svg | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-200.png | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\ui-strings.js | XfLd%9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.Xml.dll | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui | XfLd%9.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\System\mfcm140u.dll | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-125_contrast-black.png | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Java\jre1.8.0_66\lib\psfont.properties.ja.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\PlaceholderCollectionHero.png | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated.png | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140kor.dll | XfLd%9.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\PREVIEW.GIF.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-48.png | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80_altform-unplated.png | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.Cng.dll | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-200_contrast-white.png | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rll.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40_altform-unplated.png | XfLd%9.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxk | XfLd%9.exe
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200.png | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat | XfLd%9.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll | XfLd%9.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui | XfLd%9.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEX.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg | XfLd%9.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg.id[4E633C4D-3483].[[email protected]].8base | XfLd%9.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff | XfLd%9.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (7 IoCs)
Processes:
pid | pid_target | process | target process
4424 | 1940 | WerFault.exe | a662ba3492a7d218908f5d851841ed96.exe
3052 | 4608 | WerFault.exe | XfLd%9.exe
5064 | 4608 | WerFault.exe | XfLd%9.exe
2356 | 4608 | WerFault.exe | XfLd%9.exe
5056 | 2836 | WerFault.exe | 29D5.exe
216 | 2836 | WerFault.exe | 29D5.exe
2008 | 2836 | WerFault.exe | 29D5.exe

Checks SCSI registry key(s) (3 TTPs, 7 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K5UnDT.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K5UnDT.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K5UnDT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
4040 | vssadmin.exe
184 | vssadmin.exe

Modifies registry class (3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings | XfLd%9.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (consecutive identical rows collapsed, with the repeat count in parentheses):
pid | process
1940 | a662ba3492a7d218908f5d851841ed96.exe (x4)
1332 | certreq.exe (x4)
3864 | K5UnDT.exe (x2)
3088 | Explorer.EXE (x8)
3392 | XfLd%9.exe (x2)
3088 | Explorer.EXE (x10)
3392 | XfLd%9.exe (x2)
3088 | Explorer.EXE (x12)
3392 | XfLd%9.exe (x2)
3088 | Explorer.EXE (x8)
3392 | XfLd%9.exe (x2)
3088 | Explorer.EXE (x8)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
3088 | Explorer.EXE

Suspicious behavior: MapViewOfSection (31 IoCs)
Processes (consecutive identical rows collapsed, with the repeat count in parentheses):
pid | process
3864 | K5UnDT.exe
3088 | Explorer.EXE (x30)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3392 | XfLd%9.exe
Token: SeBackupPrivilege | 2548 | vssvc.exe
Token: SeRestorePrivilege | 2548 | vssvc.exe
Token: SeAuditPrivilege | 2548 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3780 | WMIC.exe
Token: SeSecurityPrivilege | 3780 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3780 | WMIC.exe
Token: SeLoadDriverPrivilege | 3780 | WMIC.exe
Token: SeSystemProfilePrivilege | 3780 | WMIC.exe
Token: SeSystemtimePrivilege | 3780 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3780 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3780 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3780 | WMIC.exe
Token: SeBackupPrivilege | 3780 | WMIC.exe
Token: SeRestorePrivilege | 3780 | WMIC.exe
Token: SeShutdownPrivilege | 3780 | WMIC.exe
Token: SeDebugPrivilege | 3780 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3780 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3780 | WMIC.exe
Token: SeUndockPrivilege | 3780 | WMIC.exe
Token: SeManageVolumePrivilege | 3780 | WMIC.exe
Token: 33 | 3780 | WMIC.exe
Token: 34 | 3780 | WMIC.exe
Token: 35 | 3780 | WMIC.exe
Token: 36 | 3780 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3780 | WMIC.exe
Token: SeSecurityPrivilege | 3780 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3780 | WMIC.exe
Token: SeLoadDriverPrivilege | 3780 | WMIC.exe
Token: SeSystemProfilePrivilege | 3780 | WMIC.exe
Token: SeSystemtimePrivilege | 3780 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3780 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3780 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3780 | WMIC.exe
Token: SeBackupPrivilege | 3780 | WMIC.exe
Token: SeRestorePrivilege | 3780 | WMIC.exe
Token: SeShutdownPrivilege | 3780 | WMIC.exe
Token: SeDebugPrivilege | 3780 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3780 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3780 | WMIC.exe
Token: SeUndockPrivilege | 3780 | WMIC.exe
Token: SeManageVolumePrivilege | 3780 | WMIC.exe
Token: 33 | 3780 | WMIC.exe
Token: 34 | 3780 | WMIC.exe
Token: 35 | 3780 | WMIC.exe
Token: 36 | 3780 | WMIC.exe
Token: SeBackupPrivilege | 2544 | wbengine.exe
Token: SeRestorePrivilege | 2544 | wbengine.exe
Token: SeSecurityPrivilege | 2544 | wbengine.exe
Token: SeShutdownPrivilege | 3088 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3088 | Explorer.EXE
Token: SeShutdownPrivilege | 3088 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3088 | Explorer.EXE
Token: SeShutdownPrivilege | 3088 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3088 | Explorer.EXE
Token: SeShutdownPrivilege | 3088 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3088 | Explorer.EXE
Token: SeShutdownPrivilege | 3088 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3088 | Explorer.EXE
Token: SeShutdownPrivilege | 3088 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3088 | Explorer.EXE
Token: SeShutdownPrivilege | 3088 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3088 | Explorer.EXE
Token: SeShutdownPrivilege | 3088 | Explorer.EXE

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid | process
3088 | Explorer.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (consecutive identical rows collapsed, with the repeat count in parentheses):
description | pid | process | target process
PID 1940 wrote to memory of 1332 | 1940 | a662ba3492a7d218908f5d851841ed96.exe | certreq.exe (x4)
PID 4736 wrote to memory of 3864 | 4736 | K5UnDT.exe | K5UnDT.exe (x6)
PID 3392 wrote to memory of 4520 | 3392 | XfLd%9.exe | cmd.exe (x2)
PID 3392 wrote to memory of 4700 | 3392 | XfLd%9.exe | cmd.exe (x2)
PID 4700 wrote to memory of 1360 | 4700 | cmd.exe | netsh.exe (x2)
PID 4520 wrote to memory of 4040 | 4520 | cmd.exe | vssadmin.exe (x2)
PID 4520 wrote to memory of 3780 | 4520 | cmd.exe | WMIC.exe (x2)
PID 4520 wrote to memory of 3220 | 4520 | cmd.exe | bcdedit.exe (x2)
PID 4520 wrote to memory of 3408 | 4520 | cmd.exe | bcdedit.exe (x2)
PID 4520 wrote to memory of 3692 | 4520 | cmd.exe | wbadmin.exe (x2)
PID 4700 wrote to memory of 2720 | 4700 | cmd.exe | netsh.exe (x2)
PID 3088 wrote to memory of 2836 | 3088 | Explorer.EXE | 29D5.exe (x3)
PID 3088 wrote to memory of 3708 | 3088 | Explorer.EXE | explorer.exe (x4)
PID 3088 wrote to memory of 396 | 3088 | Explorer.EXE | explorer.exe (x3)
PID 3088 wrote to memory of 1132 | 3088 | Explorer.EXE | explorer.exe (x4)
PID 3088 wrote to memory of 3708 | 3088 | Explorer.EXE | explorer.exe (x4)
PID 3088 wrote to memory of 1436 | 3088 | Explorer.EXE | explorer.exe (x4)
PID 3088 wrote to memory of 1940 | 3088 | Explorer.EXE | explorer.exe (x3)
PID 3088 wrote to memory of 3856 | 3088 | Explorer.EXE | explorer.exe (x4)
PID 3088 wrote to memory of 4424 | 3088 | Explorer.EXE | explorer.exe (x3)
PID 3088 wrote to memory of 4736 | 3088 | Explorer.EXE | explorer.exe (x4)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
C:\Windows\Explorer.EXE (level 1)
command line: C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe (level 2)
command line: "C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 952
- Program crash
-
C:\Windows\system32\certreq.exe (level 2)
command line: "C:\Windows\system32\certreq.exe"
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\29D5.exe (level 2)
command line: C:\Users\Admin\AppData\Local\Temp\29D5.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 496
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 500
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 528
- Program crash
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1940 -ip 1940
-
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe"
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe (level 2)
command line: "C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 460
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 468
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 476
- Program crash
-
C:\Windows\system32\cmd.exe (level 2)
command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (level 3)
command line: netsh advfirewall set currentprofile state off
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exe (level 3)
command line: netsh firewall set opmode mode=disable
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe (level 2)
command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exe (level 3)
command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exe (level 3)
command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe (level 3)
command line: bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exe (level 3)
command line: wbadmin delete catalog -quiet
- Deletes backup catalog
-
C:\Windows\SysWOW64\mshta.exe (level 2)
command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (level 2)
command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (level 2)
command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (level 2)
command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\system32\cmd.exe (level 2)
command line: "C:\Windows\system32\cmd.exe"
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exe (level 3)
command line: wmic shadowcopy delete
-
C:\Windows\system32\bcdedit.exe (level 3)
command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe (level 3)
command line: bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exe (level 3)
command line: wbadmin delete catalog -quiet
- Deletes backup catalog
-
C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe (level 2)
command line: "C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\vssvc.exe (level 1)
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (level 1)
command line: "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exe (level 1)
command line: C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe (level 1)
command line: C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4608 -ip 4608
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4608 -ip 4608
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4608 -ip 4608
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2836 -ip 2836
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2836 -ip 2836
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2836 -ip 2836
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[4E633C4D-3483].[[email protected]].8base
Filesize: 3.2MB
MD5: 4886df6a96daab23ee35f6697d9065e8
SHA1: f8e26bdf7ccc4a7984de2f0dfb18cd4a9b4b9006
SHA256: f54bd062618e502a4cc90bd8667494be2056e3df360c801bef27e668aa9f89e7
SHA512: f4a1ba1d3a607f6d114df42967a9eec34911bba43c474ead4a39742acd1db3919eaba7b960e3eca2fcd3d5d59ea408328c57f43cd958e3ede0d222314bc8b22d
-
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
Filesize: 165KB
MD5: d8a652141be195333dd68e662b04c523
SHA1: 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256: 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512: ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea
-
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
Filesize: 165KB
MD5: d8a652141be195333dd68e662b04c523
SHA1: 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256: 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512: ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea
-
C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
Filesize: 165KB
MD5: d8a652141be195333dd68e662b04c523
SHA1: 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256: 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512: ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[4E633C4D-3483].[[email protected]].8base
Filesize: 92KB
MD5: 68d6cc7909349b771788724c64341518
SHA1: 266150f70fc9dc8b5b61b4abd28443982047ea60
SHA256: 3d345e237e08e2045f7e142ced77edbb1e8ba6b92c365527e5e1d5c98dc13c4f
SHA512: d8445a8645f7a8cf9f8c69c03f7653bde308204d3727c91ba7f79db97292ab94136fad5c920be93a5fcf57da2c9487b480d3a3a0d89b6247281f7e76d6167cab
-
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
Filesize: 165KB
MD5: a2f3d796dc2c2f474188db58d5ca7593
SHA1: dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512: 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c
-
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
Filesize: 165KB
MD5: a2f3d796dc2c2f474188db58d5ca7593
SHA1: dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512: 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c
-
C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe
Filesize: 165KB
MD5: a2f3d796dc2c2f474188db58d5ca7593
SHA1: dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512: 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c
-
C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe
Filesize: 165KB
MD5: 771e03d1211a93261e4b5686aa911243
SHA1: d0b249fe34b8bdeac98712ac9dd37f340f287b4c
SHA256: 18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342
SHA512: 8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5
-
C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe
Filesize: 165KB
MD5: 771e03d1211a93261e4b5686aa911243
SHA1: d0b249fe34b8bdeac98712ac9dd37f340f287b4c
SHA256: 18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342
SHA512: 8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5
-
C:\Users\Admin\AppData\Local\Temp\29D5.exe
Filesize: 165KB
MD5: a2f3d796dc2c2f474188db58d5ca7593
SHA1: dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512: 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c
-
C:\Users\Admin\AppData\Local\Temp\29D5.exe
Filesize: 165KB
MD5: a2f3d796dc2c2f474188db58d5ca7593
SHA1: dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512: 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c
-
C:\Users\Admin\AppData\Local\Temp\29D5.exe
Filesize: 165KB
MD5: a2f3d796dc2c2f474188db58d5ca7593
SHA1: dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512: 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize: 5.5MB
MD5: d220973f7c8ca6e1ae835eca6e547df2
SHA1: bfaba046457e3278bf7f4d45d5436df10df92681
SHA256: 632d2eae353347497600a2322db7073194c3eefa7394505d458df23071bb8b53
SHA512: 266c995f635e07f272189fa0e9e44739dee23a8a17f3e9ae4dfa09c762cb5a0fafcf094e309620c6c217495be6169bc3407fdf864dcbd139f77e606f2db2a680
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize: 18KB
MD5: cfe72ed40a076ae4f4157940ce0c5d44
SHA1: 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256: 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512: f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0
-
C:\Users\Admin\AppData\Local\Temp\5366\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 1KB
MD5: 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1: a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256: a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512: 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3
-
C:\Users\Admin\AppData\Local\Temp\5366\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize: 7KB
MD5: 108f130067a9df1719c590316a5245f7
SHA1: 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256: c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512: d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 1KB
MD5: 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1: a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256: a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512: 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize: 7KB
MD5: 108f130067a9df1719c590316a5245f7
SHA1: 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256: c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512: d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Filesize: 10KB
MD5: 1097d1e58872f3cf58f78730a697ce4b
SHA1: 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256: 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512: b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\WalletProxy.dll
Filesize: 36KB
MD5: d09724c29a8f321f2f9c552de6ef6afa
SHA1: d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256: 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512: cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Filesize: 402KB
MD5: 02557c141c9e153c2b7987b79a3a2dd7
SHA1: a054761382ee68608b6a3b62b68138dc205f576b
SHA256: 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512: a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\WalletBackgroundServiceProxy.dll
Filesize: 10KB
MD5: 1097d1e58872f3cf58f78730a697ce4b
SHA1: 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256: 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512: b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\WalletProxy.dll
Filesize: 36KB
MD5: d09724c29a8f321f2f9c552de6ef6afa
SHA1: d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256: 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512: cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed
-
C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Filesize: 402KB
MD5: 02557c141c9e153c2b7987b79a3a2dd7
SHA1: a054761382ee68608b6a3b62b68138dc205f576b
SHA256: 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512: a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[4E633C4D-3483].[[email protected]].8base
Filesize: 52KB
MD5: 26ec9f000816efe09f4f967ff56ab076
SHA1: 5ebec883b5f4d5e77432672c271c3e3714cadb0e
SHA256: 22cafb077954e220e107287359febf214c275ba24e56b5ab405cd355d37a120a
SHA512: ab98bd0145ca2365d9fd421dac444bba38b286074193eb38d8d02ed8a37c460c288795b697d038d443c808f84df0d21f8839ee6b41335eb873bcd990042d33b2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\cookies.sqlite.id[4E633C4D-3483].[[email protected]].8base
Filesize: 96KB
MD5: 6640124557dc9a6cfc91acac6c726474
SHA1: ca4f00d0cba5adbbdca6d8c571949201350e025f
SHA256: 61806e7cd53233de610add652627e221bf6532487d196581955ef05df69aaf83
SHA512: d5c0c24111faf604f4e0edcbc68a394809c9404d2942027ee29f712c1d3fdb2ebcb1f5d1e7623bca3476c22ee4a8b435120f3748f667d32dd0c1e656b30a57a9
-
C:\Users\Admin\AppData\Roaming\rcevgdd
Filesize: 165KB
MD5: d8a652141be195333dd68e662b04c523
SHA1: 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256: 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512: ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea
-
C:\Users\Admin\AppData\Roaming\wfiahug
Filesize: 438KB
MD5: 650e2e3933ba7e005d71842aaf5b9bac
SHA1: 8d31ce06a3c18a51ac135efda58dc3f6e587c215
SHA256: 5d34c5d975766f27555e683ccfabb662886fbb1b9da42ea4670f176c5f04e105
SHA512: 45e437d8040cbfc574cca4d1f752561c18735f4066e59cf2e0180588a8ab8db5400a23cbf6e067f1098c35923861bc73fa5246a70bc98bff134b01bb958d775a
-
C:\Users\Admin\Desktop\info.hta
Filesize: 5KB
MD5: af4ead8c4b4ec6ee70a6614b9d196038
SHA1: 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256: d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512: b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47
-
C:\info.hta
Filesize: 5KB
MD5: af4ead8c4b4ec6ee70a6614b9d196038
SHA1: 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256: d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512: b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47
-
C:\info.hta
Filesize: 5KB
MD5: af4ead8c4b4ec6ee70a6614b9d196038
SHA1: 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256: d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512: b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47
-
C:\users\public\desktop\info.hta
Filesize: 5KB
MD5: af4ead8c4b4ec6ee70a6614b9d196038
SHA1: 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256: d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512: b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47
-
F:\info.hta
Filesize: 5KB
MD5: af4ead8c4b4ec6ee70a6614b9d196038
SHA1: 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256: d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512: b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47
-
memory/396-4319-0x0000000000BA0000-0x0000000000BAC000-memory.dmp  Filesize: 48KB
-
memory/396-4320-0x0000000000BB0000-0x0000000000BB7000-memory.dmp  Filesize: 28KB
-
memory/396-4321-0x0000000000BA0000-0x0000000000BAC000-memory.dmp  Filesize: 48KB
-
memory/860-6386-0x0000000000DF0000-0x0000000000DFB000-memory.dmp  Filesize: 44KB
-
memory/1132-4401-0x0000000000A70000-0x0000000000A74000-memory.dmp  Filesize: 16KB
-
memory/1132-5405-0x0000000000A70000-0x0000000000A74000-memory.dmp  Filesize: 16KB
-
memory/1132-4397-0x0000000000A60000-0x0000000000A69000-memory.dmp  Filesize: 36KB
-
memory/1132-4408-0x0000000000A60000-0x0000000000A69000-memory.dmp  Filesize: 36KB
-
memory/1308-5869-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  Filesize: 36KB
-
memory/1308-5851-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  Filesize: 36KB
-
memory/1332-168-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-164-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-169-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-190-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp  Filesize: 2.0MB
-
memory/1332-188-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp  Filesize: 2.0MB
-
memory/1332-175-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-174-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-173-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-172-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-144-0x000002316DF40000-0x000002316DF43000-memory.dmp  Filesize: 12KB
-
memory/1332-171-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-158-0x000002316DF40000-0x000002316DF43000-memory.dmp  Filesize: 12KB
-
memory/1332-170-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp  Filesize: 2.0MB
-
memory/1332-159-0x000002316E300000-0x000002316E307000-memory.dmp  Filesize: 28KB
-
memory/1332-161-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-160-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-162-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-189-0x000002316E300000-0x000002316E305000-memory.dmp  Filesize: 20KB
-
memory/1332-163-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-166-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1332-167-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp  Filesize: 1.2MB
-
memory/1360-5633-0x0000000000EA0000-0x0000000000EA9000-memory.dmp  Filesize: 36KB
-
memory/1360-5667-0x0000000000EB0000-0x0000000000EB5000-memory.dmp  Filesize: 20KB
-
memory/1360-6409-0x0000000000EB0000-0x0000000000EB5000-memory.dmp  Filesize: 20KB
-
memory/1360-5668-0x0000000000EA0000-0x0000000000EA9000-memory.dmp  Filesize: 36KB
-
memory/1436-4822-0x00000000012A0000-0x00000000012A7000-memory.dmp  Filesize: 28KB
-
memory/1436-4821-0x0000000001290000-0x000000000129B000-memory.dmp  Filesize: 44KB
-
memory/1436-5642-0x00000000012A0000-0x00000000012A7000-memory.dmp  Filesize: 28KB
-
memory/1436-4823-0x0000000001290000-0x000000000129B000-memory.dmp  Filesize: 44KB
-
memory/1812-192-0x00000000005C0000-0x00000000005C5000-memory.dmp  Filesize: 20KB
-
memory/1812-193-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/1812-205-0x0000000000640000-0x0000000000740000-memory.dmp  Filesize: 1024KB
-
memory/1812-191-0x0000000000640000-0x0000000000740000-memory.dmp  Filesize: 1024KB
-
memory/1916-5972-0x0000000000B50000-0x0000000000B5B000-memory.dmp  Filesize: 44KB
-
memory/1916-5987-0x0000000000B60000-0x0000000000B66000-memory.dmp  Filesize: 24KB
-
memory/1916-6028-0x0000000000B50000-0x0000000000B5B000-memory.dmp  Filesize: 44KB
-
memory/1940-5846-0x0000000000920000-0x0000000000929000-memory.dmp  Filesize: 36KB
-
memory/1940-140-0x0000000002570000-0x0000000002970000-memory.dmp  Filesize: 4.0MB
-
memory/1940-153-0x0000000003300000-0x0000000003336000-memory.dmp  Filesize: 216KB
-
memory/1940-156-0x0000000000400000-0x00000000004CE000-memory.dmp  Filesize: 824KB
-
memory/1940-157-0x0000000002570000-0x0000000002970000-memory.dmp  Filesize: 4.0MB
-
memory/1940-152-0x0000000000400000-0x00000000004CE000-memory.dmp  Filesize: 824KB
-
memory/1940-146-0x0000000003300000-0x0000000003336000-memory.dmp  Filesize: 216KB
-
memory/1940-154-0x0000000002570000-0x0000000002970000-memory.dmp  Filesize: 4.0MB
-
memory/1940-4824-0x0000000000910000-0x000000000091F000-memory.dmp  Filesize: 60KB
-
memory/1940-4829-0x0000000000920000-0x0000000000929000-memory.dmp  Filesize: 36KB
-
memory/1940-4837-0x0000000000910000-0x000000000091F000-memory.dmp  Filesize: 60KB
-
memory/1940-145-0x0000000002210000-0x0000000002281000-memory.dmp  Filesize: 452KB
-
memory/1940-143-0x00000000004D0000-0x00000000005D0000-memory.dmp  Filesize: 1024KB
-
memory/1940-134-0x00000000004D0000-0x00000000005D0000-memory.dmp  Filesize: 1024KB
-
memory/1940-135-0x0000000002210000-0x0000000002281000-memory.dmp  Filesize: 452KB
-
memory/1940-142-0x0000000002570000-0x0000000002970000-memory.dmp  Filesize: 4.0MB
-
memory/1940-141-0x0000000002570000-0x0000000002970000-memory.dmp  Filesize: 4.0MB
-
memory/1940-136-0x0000000000400000-0x00000000004CE000-memory.dmp  Filesize: 824KB
-
memory/1940-137-0x0000000000400000-0x00000000004CE000-memory.dmp  Filesize: 824KB
-
memory/1940-138-0x00000000022B0000-0x00000000022B7000-memory.dmp  Filesize: 28KB
-
memory/1940-139-0x0000000002570000-0x0000000002970000-memory.dmp  Filesize: 4.0MB
-
memory/2104-6353-0x0000000000AE0000-0x0000000000AE7000-memory.dmp  Filesize: 28KB
-
memory/2104-6356-0x0000000000AD0000-0x0000000000ADD000-memory.dmp  Filesize: 52KB
-
memory/2104-6342-0x0000000000AD0000-0x0000000000ADD000-memory.dmp  Filesize: 52KB
-
memory/3088-208-0x0000000002F60000-0x0000000002F76000-memory.dmp  Filesize: 88KB
-
memory/3392-663-0x0000000000600000-0x000000000060F000-memory.dmp  Filesize: 60KB
-
memory/3392-1868-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/3392-4051-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/3392-8567-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/3392-200-0x0000000000670000-0x0000000000770000-memory.dmp  Filesize: 1024KB
-
memory/3392-5852-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/3392-201-0x0000000000600000-0x000000000060F000-memory.dmp  Filesize: 60KB
-
memory/3392-506-0x0000000000670000-0x0000000000770000-memory.dmp  Filesize: 1024KB
-
memory/3392-785-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/3392-202-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/3708-4044-0x0000000000AC0000-0x0000000000B2B000-memory.dmp  Filesize: 428KB
-
memory/3708-4582-0x0000000000B70000-0x0000000000B7A000-memory.dmp  Filesize: 40KB
-
memory/3708-4015-0x0000000000AC0000-0x0000000000B2B000-memory.dmp  Filesize: 428KB
-
memory/3708-4586-0x0000000000B60000-0x0000000000B6B000-memory.dmp  Filesize: 44KB
-
memory/3708-4634-0x0000000000B60000-0x0000000000B6B000-memory.dmp  Filesize: 44KB
-
memory/3708-4336-0x0000000000AC0000-0x0000000000B2B000-memory.dmp  Filesize: 428KB
-
memory/3708-4030-0x0000000000B30000-0x0000000000BA5000-memory.dmp  Filesize: 468KB
-
memory/3856-5070-0x0000000000B50000-0x0000000000B59000-memory.dmp  Filesize: 36KB
-
memory/3856-5088-0x0000000000B50000-0x0000000000B59000-memory.dmp  Filesize: 36KB
-
memory/3856-5868-0x0000000000B60000-0x0000000000B65000-memory.dmp  Filesize: 20KB
-
memory/3856-5079-0x0000000000B60000-0x0000000000B65000-memory.dmp  Filesize: 20KB
-
memory/3864-199-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
-
memory/3864-196-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
-
memory/3864-198-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
-
memory/3864-209-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
-
memory/4424-5407-0x0000000000780000-0x000000000078C000-memory.dmp  Filesize: 48KB
-
memory/4424-5406-0x0000000000790000-0x0000000000796000-memory.dmp  Filesize: 24KB
-
memory/4424-5404-0x0000000000780000-0x000000000078C000-memory.dmp  Filesize: 48KB
-
memory/4608-1980-0x00000000004F0000-0x00000000005F0000-memory.dmp  Filesize: 1024KB
-
memory/4608-2045-0x0000000000400000-0x000000000049A000-memory.dmp  Filesize: 616KB
-
memory/4736-195-0x00000000005F0000-0x00000000005F9000-memory.dmp  Filesize: 36KB
-
memory/4736-194-0x00000000007F0000-0x00000000008F0000-memory.dmp  Filesize: 1024KB
-
memory/4736-5445-0x00000000003F0000-0x00000000003F9000-memory.dmp  Filesize: 36KB
-
memory/4736-5436-0x0000000000600000-0x0000000000604000-memory.dmp  Filesize: 16KB
-
memory/4736-5433-0x00000000003F0000-0x00000000003F9000-memory.dmp  Filesize: 36KB
-
memory/4868-5847-0x00000000005A0000-0x00000000005C7000-memory.dmp  Filesize: 156KB
-
memory/4868-5848-0x00000000005D0000-0x00000000005F1000-memory.dmp  Filesize: 132KB
-
memory/4868-5845-0x00000000005A0000-0x00000000005C7000-memory.dmp  Filesize: 156KB