Analysis

  • max time kernel
    33s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2024, 19:21

General

  • Target

    a169003918d23a41e228f8030b458f9e.exe

  • Size

    314KB

  • MD5

    a169003918d23a41e228f8030b458f9e

  • SHA1

    cdea2fbc475659219ca14fc9d26f2a361c5c2162

  • SHA256

    cfe2b6781d8cbc4cd1bc34c2a5ee42c966ce0ba9d84c6ef69942d5a050111860

  • SHA512

    6095e63a6d8f0ba4a1b924213db29cd283800f08f32b6a948376b3a875573a0a75ac260ccbad397f12be20313d4f855c4b668d7db2c7e1ce075f349a88b85c5a

  • SSDEEP

    6144:CpJXjd9rDT+YyQBmBf4DYSfok1AAUaIxQOwUFk:STd9DDyQBmvIpCAdI5u

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 7 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 25 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe
    "C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s etlrlws.dll
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:4984
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /s C:\Windows\drnpfdxqvm.dll
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:3104
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
        eotk.exe resot
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4396
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe
        fmsxwqs.exe reg
        3⤵
        • Executes dropped EXE
        PID:3392
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
        eotk.exe C:\Windows\altvxvm.dll altvxvm
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Modifies registry class
        PID:3472
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
        eotk.exe C:\Windows\bokpkov.dll bokpkov
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Modifies registry class
        PID:4800
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsj5130.tmp.bat "C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"
      2⤵
        PID:4712
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:948
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:2796
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1252
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3832
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2040
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1688
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4400
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:2204
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:1432
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:3252
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:712
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3916
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4972
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4104
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
          PID:2112
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Modifies registry class
          PID:1164
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:4712
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:4956
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:2268
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:1648
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:4648
                  • C:\Windows\explorer.exe
                    explorer.exe
                    1⤵
                      PID:2696
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:64
                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                        1⤵
                          PID:3272
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:2384
                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                            1⤵
                              PID:1352
                            • C:\Windows\explorer.exe
                              explorer.exe
                              1⤵
                                PID:4512
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                  PID:1480
                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  1⤵
                                    PID:3068
                                  • C:\Windows\explorer.exe
                                    explorer.exe
                                    1⤵
                                      PID:1968
                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                      1⤵
                                        PID:4228
                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                        1⤵
                                          PID:2000
                                        • C:\Windows\explorer.exe
                                          explorer.exe
                                          1⤵
                                            PID:3768
                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                            1⤵
                                              PID:2728
                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                              1⤵
                                                PID:4136
                                              • C:\Windows\explorer.exe
                                                explorer.exe
                                                1⤵
                                                  PID:4368
                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                  1⤵
                                                    PID:912
                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                    1⤵
                                                      PID:1980
                                                    • C:\Windows\explorer.exe
                                                      explorer.exe
                                                      1⤵
                                                        PID:1484
                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                        1⤵
                                                          PID:2000
                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                          1⤵
                                                            PID:4592
                                                          • C:\Windows\explorer.exe
                                                            explorer.exe
                                                            1⤵
                                                              PID:4224
                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                              1⤵
                                                                PID:684
                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                1⤵
                                                                  PID:744
                                                                • C:\Windows\explorer.exe
                                                                  explorer.exe
                                                                  1⤵
                                                                    PID:3928
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                    1⤵
                                                                      PID:856
                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                      1⤵
                                                                        PID:2008
                                                                      • C:\Windows\explorer.exe
                                                                        explorer.exe
                                                                        1⤵
                                                                          PID:2576
                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                          1⤵
                                                                            PID:1752
                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                            1⤵
                                                                              PID:4240
                                                                            • C:\Windows\explorer.exe
                                                                              explorer.exe
                                                                              1⤵
                                                                                PID:1392
                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                1⤵
                                                                                  PID:2348
                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                  1⤵
                                                                                    PID:3176
                                                                                  • C:\Windows\explorer.exe
                                                                                    explorer.exe
                                                                                    1⤵
                                                                                      PID:964
                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                      1⤵
                                                                                        PID:2000
                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                        1⤵
                                                                                          PID:4924
                                                                                        • C:\Windows\explorer.exe
                                                                                          explorer.exe
                                                                                          1⤵
                                                                                            PID:4336
                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                            1⤵
                                                                                              PID:2060
                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                              1⤵
                                                                                                PID:4104
                                                                                              • C:\Windows\explorer.exe
                                                                                                explorer.exe
                                                                                                1⤵
                                                                                                  PID:3240
                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                  1⤵
                                                                                                    PID:3000
                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                    1⤵
                                                                                                      PID:1476
                                                                                                    • C:\Windows\explorer.exe
                                                                                                      explorer.exe
                                                                                                      1⤵
                                                                                                        PID:4512
                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                        1⤵
                                                                                                          PID:4920
                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                          1⤵
                                                                                                            PID:2948
                                                                                                          • C:\Windows\explorer.exe
                                                                                                            explorer.exe
                                                                                                            1⤵
                                                                                                              PID:8
                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                              1⤵
                                                                                                                PID:3308
                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                1⤵
                                                                                                                  PID:684
                                                                                                                • C:\Windows\explorer.exe
                                                                                                                  explorer.exe
                                                                                                                  1⤵
                                                                                                                    PID:4980
                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                    1⤵
                                                                                                                      PID:4164
                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                      1⤵
                                                                                                                        PID:3856
                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                        explorer.exe
                                                                                                                        1⤵
                                                                                                                          PID:3748
                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                          1⤵
                                                                                                                            PID:3620
                                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                            1⤵
                                                                                                                              PID:4224
                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                              explorer.exe
                                                                                                                              1⤵
                                                                                                                                PID:1460
                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                1⤵
                                                                                                                                  PID:1988
                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                  1⤵
                                                                                                                                    PID:1172
                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                    explorer.exe
                                                                                                                                    1⤵
                                                                                                                                      PID:2376
                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                      1⤵
                                                                                                                                        PID:3748
                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                        1⤵
                                                                                                                                          PID:2572
                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                          1⤵
                                                                                                                                            PID:4708
                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                            explorer.exe
                                                                                                                                            1⤵
                                                                                                                                              PID:452
                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                              1⤵
                                                                                                                                                PID:3924
                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                explorer.exe
                                                                                                                                                1⤵
                                                                                                                                                  PID:4104
                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                  1⤵
                                                                                                                                                    PID:1588
                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4388
                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                      explorer.exe
                                                                                                                                                      1⤵
                                                                                                                                                        PID:1992
                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                        1⤵
                                                                                                                                                          PID:1884
                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                          1⤵
                                                                                                                                                            PID:3732
                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                            explorer.exe
                                                                                                                                                            1⤵
                                                                                                                                                              PID:4592
                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                              1⤵
                                                                                                                                                                PID:4308
                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                explorer.exe
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:1012
                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:4412

                                                                                                                                                                  Network

                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                        Replay Monitor

                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                        Downloads

                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

                                                                                                                                                                          Filesize

                                                                                                                                                                          471B

                                                                                                                                                                          MD5

                                                                                                                                                                          18f610e65c179e9fdfc685edbdf34f95

                                                                                                                                                                          SHA1

                                                                                                                                                                          ec89ec05c5fb9ab51d48d15cec871323d6821aff

                                                                                                                                                                          SHA256

                                                                                                                                                                          6eab4d9a5e5697d8e2eb72b03524632ed17def1a6283853499288d0a1e6b3d1c

                                                                                                                                                                          SHA512

                                                                                                                                                                          12a0bac528cbca464644e5b6126b3729132d158bfad3645b989a3a234e3ccf31bc0a4fb8f495e5d7aa7e8d084bf1cc16a0c725a296f02b8857f4ab2ebf547021

                                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

                                                                                                                                                                          Filesize

                                                                                                                                                                          412B

                                                                                                                                                                          MD5

                                                                                                                                                                          7f3b3a14cfaf12d9141e17827dacb2e6

                                                                                                                                                                          SHA1

                                                                                                                                                                          23b3146e75a2b5902b59039cf2694638d63c5577

                                                                                                                                                                          SHA256

                                                                                                                                                                          55f64cc8ce3e8a58e2253ce253ff18615ff22cd11e64fd32bb268a0ed829d0ce

                                                                                                                                                                          SHA512

                                                                                                                                                                          89977bb96a97157da211ff169535de43196a3d65e0bf50e791df52b6325cff15b67f51b2b1aa783a793965bedb8aedb2f52a6e24aab3baf278d1224f80fc4ac7

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          e64affa349fb7e8c8d0c8a1965c039ff

                                                                                                                                                                          SHA1

                                                                                                                                                                          36c40b40cdf02fbd4b6b00322197da70852d43ab

                                                                                                                                                                          SHA256

                                                                                                                                                                          9f620ecbb15c02dc7022ad90734766c8d87c38367fcf1ce596bf5f198cce05a1

                                                                                                                                                                          SHA512

                                                                                                                                                                          7e729cba695a400019fc13fabaa7826e8b692a7ae9b97e74b6f79903b423167399a531f3d1b0385ef4c1ff10f3fa0b7c2fc4237bfeff16ff4d9b7a8281543bb0

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\V50TXLKS\microsoft.windows[1].xml

                                                                                                                                                                          Filesize

                                                                                                                                                                          97B

                                                                                                                                                                          MD5

                                                                                                                                                                          0dd9849d7dcb276fe7952fbef01f27d2

                                                                                                                                                                          SHA1

                                                                                                                                                                          696b4212cc8a84291f88203695dbfe81567db0b9

                                                                                                                                                                          SHA256

                                                                                                                                                                          ab905cb2e3d901f2d2e2abbe041717c3c220c2fbf8f5a6b84554246918e1ccd0

                                                                                                                                                                          SHA512

                                                                                                                                                                          7c9ee87c2c2a4bb137141e1fdf4d5f64e3873c734dc3848bc98d9f4c5511c11124a700ce84c927ad8d76f6afbd3f8fa653a70f744927517249fda132767ca715

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ac8zt2\altvxvm.dll

                                                                                                                                                                          Filesize

                                                                                                                                                                          224KB

                                                                                                                                                                          MD5

                                                                                                                                                                          5adbeca70b6fd47a7a7d226b6c07db35

                                                                                                                                                                          SHA1

                                                                                                                                                                          adf21cc56d6a2875f0f3163e019663a69a62883e

                                                                                                                                                                          SHA256

                                                                                                                                                                          fabab4b8a1627aa01f94997b5243322b9bb527d05890474bf638f16debc2478b

                                                                                                                                                                          SHA512

                                                                                                                                                                          326301d81ada859305dde00c78e08c487432f06d1029ef2a78422e331c1526806df2f6f163b864df323ca7ebe3079bf9a90c94e86bda196ab8c7d4bb6f3c51c9

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ac8zt2\bokpkov.dll

                                                                                                                                                                          Filesize

                                                                                                                                                                          212KB

                                                                                                                                                                          MD5

                                                                                                                                                                          0f2a9b99c1ee35460fa8342abeb811cf

                                                                                                                                                                          SHA1

                                                                                                                                                                          aed04b62c5f190b42e3e097a4b4f0e4050b1d379

                                                                                                                                                                          SHA256

                                                                                                                                                                          dc72b09de1605b453f29c2be22698d609ec250664b13f7efba67d5f7583a60cc

                                                                                                                                                                          SHA512

                                                                                                                                                                          70c69cbcd8bcb35e5e1854c18f0a3dfa205a7e84bfdeb766935b86636741392d4093df9bedbc3b02aaf94989e0eae79539f66954911b8919b2dc26a9c44ada7a

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ac8zt2\drnpfdxqvm.dll

                                                                                                                                                                          Filesize

                                                                                                                                                                          240KB

                                                                                                                                                                          MD5

                                                                                                                                                                          a191063294b95df9c5f1734243a3abcb

                                                                                                                                                                          SHA1

                                                                                                                                                                          d6539737335d698259cf132509178fae42bcf930

                                                                                                                                                                          SHA256

                                                                                                                                                                          79c3827b60856aed73ce04a3c7fd3474a1a0f4f8caf90b2f9ce03b1e9de78026

                                                                                                                                                                          SHA512

                                                                                                                                                                          6d6b27d305d15b77a6f19f7f527cdadeb61ee33c33d6c2231d5c7a65f82d267d812717589841252aacf31968ff63b922aa14c337cfe4481307262d75750ebc37

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe

                                                                                                                                                                          Filesize

                                                                                                                                                                          88KB

                                                                                                                                                                          MD5

                                                                                                                                                                          b4603bf962319153e1b7e78c88d9c8ce

                                                                                                                                                                          SHA1

                                                                                                                                                                          20af0d302057e0ff5eb1fa2eb80078e1941f99de

                                                                                                                                                                          SHA256

                                                                                                                                                                          ce8050818ad6f1a97326642679076c73a66d82ce288ce51ae4fae54bce786ef2

                                                                                                                                                                          SHA512

                                                                                                                                                                          49ff00a7187413d3b4e3c2b57e858a0dcf374987971e8ca7c3c9dc4dfe658a6a0bb3e1e9e56c6b291c1cd1c23ee03409412d6c4291e9b32cb6582e34351a6a40

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ac8zt2\etlrlws.dll

                                                                                                                                                                          Filesize

                                                                                                                                                                          172KB

                                                                                                                                                                          MD5

                                                                                                                                                                          c93de9f81b4bcad2a3b662b816ea515b

                                                                                                                                                                          SHA1

                                                                                                                                                                          e5c560fa6fdfb544318a6fcd478ee071fa0bdb9f

                                                                                                                                                                          SHA256

                                                                                                                                                                          3993623c186dc28c79dff4a3837f889352481e8e0bbc25878498bd3738f51b34

                                                                                                                                                                          SHA512

                                                                                                                                                                          c3a676c4ecf135d36b5b42d7ee871ad5e45426a763aa190c86e4d1aa88e8ef62facd76ff3487eca97ca01e6c329826e8c03f42dddd9837833b194b79fab1bed7

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe

                                                                                                                                                                          Filesize

                                                                                                                                                                          96KB

                                                                                                                                                                          MD5

                                                                                                                                                                          49f1cf8df1a47e9991d3ad3eeff7180f

                                                                                                                                                                          SHA1

                                                                                                                                                                          b23470a749df6d2a33ad97116510bcce2df44a4a

                                                                                                                                                                          SHA256

                                                                                                                                                                          d38afd2ce3a785e5e580cef69db96365ac83b17591c249252c7c0e9c5103fc24

                                                                                                                                                                          SHA512

                                                                                                                                                                          d4380995748abfdc7b12f48a9f2321cefb2079834218195f6a307432c2775de5e481b1c6f94390c71b207467da032afae40ada2c85ce31b6da4ca6b25f8a7e48

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat

                                                                                                                                                                          Filesize

                                                                                                                                                                          1014B

                                                                                                                                                                          MD5

                                                                                                                                                                          b39297d67ace2dfcbe18f05a9305fcdd

                                                                                                                                                                          SHA1

                                                                                                                                                                          15ea67c95d502cc21370145d610f313928da8e40

                                                                                                                                                                          SHA256

                                                                                                                                                                          fa36cc0c0abeb34917492e91c4761f5728b09202cc22e0ce693b380a97d4a2ca

                                                                                                                                                                          SHA512

                                                                                                                                                                          7a5ea05c4b65cf9366ee71118b4ab1c12d57c678bb7903ce48a21f8e44796e94abc2e9759a4f828a8c61085388259055cc20952a1eea176b72f8834d29464cee

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\nsd4EED.tmp\System.dll

                                                                                                                                                                          Filesize

                                                                                                                                                                          10KB

                                                                                                                                                                          MD5

                                                                                                                                                                          7d85b1f619a3023cc693a88f040826d2

                                                                                                                                                                          SHA1

                                                                                                                                                                          09f5d32f8143e7e0d9270430708db1b9fc8871a8

                                                                                                                                                                          SHA256

                                                                                                                                                                          dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

                                                                                                                                                                          SHA512

                                                                                                                                                                          5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\nsd4EED.tmp\blowfish.dll

                                                                                                                                                                          Filesize

                                                                                                                                                                          22KB

                                                                                                                                                                          MD5

                                                                                                                                                                          5afd4a9b7e69e7c6e312b2ce4040394a

                                                                                                                                                                          SHA1

                                                                                                                                                                          fbd07adb3f02f866dc3a327a86b0f319d4a94502

                                                                                                                                                                          SHA256

                                                                                                                                                                          053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

                                                                                                                                                                          SHA512

                                                                                                                                                                          f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\nsj5130.tmp.bat

                                                                                                                                                                          Filesize

                                                                                                                                                                          113B

                                                                                                                                                                          MD5

                                                                                                                                                                          987bfd6d413a0f3fa5afa959c06c11ea

                                                                                                                                                                          SHA1

                                                                                                                                                                          df106fd4dff4cf812c9147a6f31a91462fa81f8e

                                                                                                                                                                          SHA256

                                                                                                                                                                          f4b94b6baeade7dc368b54bdbd36549080c13db406695051ee7f1bc3937fe97a

                                                                                                                                                                          SHA512

                                                                                                                                                                          4f76a78c2ff9e91e343b274ef2b5f7f433db8e62a0306ec1a0d16026545fb9115cfb1293151cfbe5217f9a9a0f6db43a3bf3cf16586b3eccccadb80da97806ff

                                                                                                                                                                        • memory/744-381-0x000001FF453F0000-0x000001FF45410000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/744-376-0x000001FF45020000-0x000001FF45040000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/744-378-0x000001FF44DE0000-0x000001FF44E00000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/964-457-0x0000000003F90000-0x0000000003F91000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/1164-191-0x0000000004490000-0x0000000004491000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/1392-435-0x0000000004380000-0x0000000004381000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/1484-347-0x00000000042A0000-0x00000000042A1000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/1968-285-0x0000000004560000-0x0000000004561000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/1980-332-0x000001DEAC5C0000-0x000001DEAC5E0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/1980-336-0x000001DEAC990000-0x000001DEAC9B0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/1980-334-0x000001DEAC580000-0x000001DEAC5A0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2000-291-0x0000020E7CB30000-0x0000020E7CB50000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2000-293-0x0000020E7CAF0000-0x0000020E7CB10000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2000-297-0x0000020E7D100000-0x0000020E7D120000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2008-402-0x000001C9E7640000-0x000001C9E7660000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2008-400-0x000001C9E7230000-0x000001C9E7250000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2008-398-0x000001C9E7270000-0x000001C9E7290000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2040-121-0x00000000043D0000-0x00000000043D1000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/2112-178-0x00000228C3E70000-0x00000228C3E90000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2112-181-0x00000228C4280000-0x00000228C42A0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2112-176-0x00000228C3EB0000-0x00000228C3ED0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/2268-215-0x0000000004A70000-0x0000000004A71000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/2576-413-0x0000000003470000-0x0000000003471000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/2696-237-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/3068-269-0x0000017CA48A0000-0x0000017CA48C0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3068-271-0x0000017CA4860000-0x0000017CA4880000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3068-274-0x0000017CA4E80000-0x0000017CA4EA0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3176-442-0x00000257BB240000-0x00000257BB260000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3176-446-0x00000257BB610000-0x00000257BB630000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3176-444-0x00000257BB200000-0x00000257BB220000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3252-145-0x0000000004120000-0x0000000004121000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/3272-250-0x000001F6B6050000-0x000001F6B6070000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3272-247-0x000001F6B5C40000-0x000001F6B5C60000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3272-245-0x000001F6B5C80000-0x000001F6B5CA0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3768-306-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/3916-155-0x0000017071FD0000-0x0000017071FF0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3916-156-0x00000170725E0000-0x0000017072600000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3916-153-0x0000017072220000-0x0000017072240000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/3928-391-0x00000000031A0000-0x00000000031A1000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/4136-317-0x000001E811B60000-0x000001E811B80000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4136-315-0x000001E811550000-0x000001E811570000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4136-313-0x000001E811590000-0x000001E8115B0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4224-369-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/4240-424-0x000001F0942A0000-0x000001F0942C0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4240-420-0x000001F093CC0000-0x000001F093CE0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4240-422-0x000001F093C80000-0x000001F093CA0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4368-325-0x0000000002890000-0x0000000002891000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/4400-129-0x0000020165C60000-0x0000020165C80000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4400-131-0x0000020166280000-0x00000201662A0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4400-127-0x0000020165CA0000-0x0000020165CC0000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4512-261-0x0000000002790000-0x0000000002791000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                        • memory/4592-361-0x000001F3CD610000-0x000001F3CD630000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4592-356-0x000001F3CD200000-0x000001F3CD220000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4592-354-0x000001F3CD240000-0x000001F3CD260000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4648-222-0x0000025979A60000-0x0000025979A80000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4648-225-0x0000025979A20000-0x0000025979A40000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4648-228-0x0000025979E30000-0x0000025979E50000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4924-464-0x000002A859F60000-0x000002A859F80000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4924-468-0x000002A85A330000-0x000002A85A350000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4924-466-0x000002A859F20000-0x000002A859F40000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4956-199-0x00000231C9460000-0x00000231C9480000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4956-201-0x00000231C9420000-0x00000231C9440000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4956-205-0x00000231C9820000-0x00000231C9840000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          128KB

                                                                                                                                                                        • memory/4972-169-0x0000000004940000-0x0000000004941000-memory.dmp

                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB