Analysis
max time kernel: 257s
max time network: 301s
platform: windows10-1703_x64
resource: win10-20231220-en
resource tags: arch:x64, arch:x86, image:win10-20231220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 29-01-2024 12:18
Static task: static1
Behavioral task: behavioral1
  Sample: 4363463463464363463463463.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4363463463464363463463463.exe
  Resource: win10-20231220-en
Behavioral task: behavioral3
  Sample: 4363463463464363463463463.exe
  Resource: win10v2004-20231222-en
Behavioral task: behavioral4
  Sample: 4363463463464363463463463.exe
  Resource: win11-20231215-en
General
Target: 4363463463464363463463463.exe
Size: 10KB
MD5: 2a94f3960c58c6e70826495f76d00b85
SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted: redline
  @RLREBORN Cloud (TG: @FATHEROFCARDERS)
  141.95.211.148:46011
Extracted: redline
  Exodus
  93.123.39.68:1334
Extracted: asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.2
  Default
  93.123.39.68:4449
  kszghixltbdczq
  delay: 1
  install: true
  install_file: chromeupdate.exe
  install_folder: %AppData%
Extracted: djvu
  http://habrafa.com/test1/get.php
  extension: .cdcc
  offline_id: LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
  payload_url:
    http://brusuax.com/dl/build2.exe
    http://habrafa.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0846ASdw
Extracted: xworm
  91.92.249.37:9049
  aMtkXNimPlkESDx9
Extracted: vidar
  7.6
  1b9d7ec5a25ab9d78c31777a0016a097
  https://t.me/tvrugrats
  https://steamcommunity.com/profiles/76561199627279110
  profile_id_v2: 1b9d7ec5a25ab9d78c31777a0016a097
Extracted: amadey
  3.85
  http://45.9.74.141
  http://45.9.74.166
  install_dir: c2868ed41c
  install_file: bstyoops.exe
  strings_key: 8709db734eb892ca90360229fc73d3ae
  url_paths: /b7djSDcPcZ/index.php
Extracted: lumma
  https://gearboomchocolateowfs.site/api
Signatures
Detect Vidar Stealer 3 IoCs
Processes (resource | yara_rule):
  behavioral2/memory/2328-1045-0x0000000000400000-0x0000000000643000-memory.dmp | family_vidar_v7
  behavioral2/memory/2328-1050-0x0000000000400000-0x0000000000643000-memory.dmp | family_vidar_v7
  behavioral2/memory/2328-1077-0x0000000000400000-0x0000000000643000-memory.dmp | family_vidar_v7
Detect Xworm Payload 2 IoCs
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\Files\first.exe | family_xworm
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe | family_xworm
Detected Djvu ransomware 13 IoCs
Processes (resource | yara_rule):
  behavioral2/memory/5656-843-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/5656-845-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/5656-846-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/5656-897-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-906-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-905-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-913-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-914-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-1012-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-1016-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-1017-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-1053-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3760-1073-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | Otte-Locker.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
Processes (resource | yara_rule):
  behavioral2/memory/1788-19-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
  C:\Users\Admin\AppData\Local\Temp\Files\build.exe | family_redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
SectopRAT payload 1 IoCs
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\Files\build.exe | family_sectoprat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes (description | pid | process | target process):
  PID 5556 created 2504 | 5556 | ghjkl.exe | sihost.exe
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | miner.exe
Async RAT payload 1 IoCs
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\adasda.exe | asyncrat
Disables Task Manager via registry modification
Downloads MZ/PE file
.NET Reactor protector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes (resource | yara_rule):
  behavioral2/memory/2436-9-0x00000000024F0000-0x0000000002552000-memory.dmp | net_reactor
  behavioral2/memory/2436-15-0x00000000049B0000-0x0000000004A10000-memory.dmp | net_reactor
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Control Panel\International\Geo\Nation | btcgood.exe
Drops startup file 3 IoCs
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe | first.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe | first.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk | KarLocker_exe.exe
Executes dropped EXE 62 IoCs
Processes (pid | process):
  2436 | rdxx1.exe
  2412 | up.exe
  4792 | KarLocker_exe.exe
  5564 | build.exe
  3108 | adasda.exe
  988 | VLTKTanthuTN.exe
  5532 | chromeupdate.exe
  64 | buildz.exe
  5656 | buildz.exe
  5832 | aoiido.exe
  5984 | first.exe
  2000 | buildz.exe
  3760 | buildz.exe
  4676 | build2.exe
  2328 | build2.exe
  5288 | build3.exe
  5840 | build3.exe
  4824 | rty45.exe
  1048 | a3e34cb.exe
  4084 | bstyoops.exe
  2460 | bstyoops.exe
  3248 | mstsca.exe
  3544 | mstsca.exe
  5608 | rty37.exe
  5516 | InstallSetup2.exe
  1208 | BroomSetup.exe
  5716 | nsx64D.tmp
  6032 | 382498393934ena-rr.exe
  5020 | ghjkl.exe
  5728 | BLduscfibj.exe
  1796 | ghjkl.exe
  5752 | ghjkl.exe
  5556 | ghjkl.exe
  528 | BLduscfibj.exe
  5808 | bstyoops.exe
  428 | mstsca.exe
  5764 | crypted.exe
  6008 | miner.exe
  5860 | soft.exe
  532 | svchost.exe
  424 | soft.exe
  5580 | mstsca.exe
  5376 | StringIds.exe
  1068 | StringIds.exe
  4588 | btcgood.exe
  4784 | tpeinf.exe
  5296 | 4cb9bd85-d4ed-437e-8b95-23c9ba13cc80.exe
  3260 | univ.exe
  5016 | WatchDog.exe
  4192 | build3.exe
  5996 | kb^fr_ouverture.exe
  6136 | dsdasda.exe
  2556 | fortnite2.exe
  2760 | peinf.exe
  3032 | cp.exe
  4976 | Otte-Locker.exe
  700 | networa.exe
  928 | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  4428 | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  1120 | mstsca.exe
  5380 | bstyoops.exe
  5112 | TrumTrum.exe
Loads dropped DLL 2 IoCs
Processes (pid | process):
  5516 | InstallSetup2.exe
  5516 | InstallSetup2.exe
Modifies file permissions 1 TTPs 1 IoCs
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe | vmprotect
  C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe | vmprotect
  behavioral2/memory/1048-1132-0x0000000000280000-0x0000000000F16000-memory.dmp | vmprotect
  behavioral2/memory/1048-1137-0x0000000000280000-0x0000000000F16000-memory.dmp | vmprotect
  C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe | vmprotect
  C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe | vmprotect
  C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe | vmprotect
  behavioral2/memory/4084-1146-0x0000000000A60000-0x00000000016F6000-memory.dmp | vmprotect
  C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe | vmprotect
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | btcgood.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | btcgood.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | btcgood.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | btcgood.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | btcgood.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\first = "C:\\Users\\Admin\\AppData\\Roaming\\first.exe" | first.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\55758f16-6f62-4763-b1c4-03b84cdabc6d\\buildz.exe\" --AutoStart" | buildz.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | miner.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | miner.exe
Drops desktop.ini file(s) 1 IoCs
Processes (description | ioc | process):
  File created | C:\Users\Admin\Downloads\desktop.ini | Otte-Locker.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
  File opened (read-only) | \??\r: | KarLocker_exe.exe
  File opened (read-only) | \??\w: | KarLocker_exe.exe
  File opened (read-only) | \??\e: | KarLocker_exe.exe
  File opened (read-only) | \??\i: | KarLocker_exe.exe
  File opened (read-only) | \??\k: | KarLocker_exe.exe
  File opened (read-only) | \??\q: | KarLocker_exe.exe
  File opened (read-only) | \??\y: | KarLocker_exe.exe
  File opened (read-only) | \??\z: | KarLocker_exe.exe
  File opened (read-only) | \??\b: | KarLocker_exe.exe
  File opened (read-only) | \??\g: | KarLocker_exe.exe
  File opened (read-only) | \??\m: | KarLocker_exe.exe
  File opened (read-only) | \??\o: | KarLocker_exe.exe
  File opened (read-only) | \??\x: | KarLocker_exe.exe
  File opened (read-only) | \??\h: | KarLocker_exe.exe
  File opened (read-only) | \??\l: | KarLocker_exe.exe
  File opened (read-only) | \??\s: | KarLocker_exe.exe
  File opened (read-only) | \??\u: | KarLocker_exe.exe
  File opened (read-only) | \??\t: | KarLocker_exe.exe
  File opened (read-only) | \??\v: | KarLocker_exe.exe
  File opened (read-only) | \??\a: | KarLocker_exe.exe
  File opened (read-only) | \??\j: | KarLocker_exe.exe
  File opened (read-only) | \??\n: | KarLocker_exe.exe
  File opened (read-only) | \??\p: | KarLocker_exe.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  71 | ip-api.com
  287 | api.ipify.org
  288 | api.ipify.org
  53 | api.2ip.ua
  68 | api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
  File opened for modification | \??\PhysicalDrive0 | VLTKTanthuTN.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\x.exe | autoit_exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" | KarLocker_exe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Control Panel\Desktop\Wallpaper | Otte-Locker.exe
Suspicious use of SetThreadContext 15 IoCs
Processes (description | pid | process | target process):
  PID 2436 set thread context of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 64 set thread context of 5656 | 64 | buildz.exe | buildz.exe
  PID 5832 set thread context of 4648 | 5832 | aoiido.exe | RegAsm.exe
  PID 2000 set thread context of 3760 | 2000 | buildz.exe | buildz.exe
  PID 4676 set thread context of 2328 | 4676 | build2.exe | build2.exe
  PID 5288 set thread context of 5840 | 5288 | build3.exe | build3.exe
  PID 3248 set thread context of 3544 | 3248 | mstsca.exe | mstsca.exe
  PID 5020 set thread context of 5556 | 5020 | ghjkl.exe | ghjkl.exe
  PID 5728 set thread context of 528 | 5728 | BLduscfibj.exe | BLduscfibj.exe
  PID 5764 set thread context of 5632 | 5764 | crypted.exe | RegAsm.exe
  PID 5860 set thread context of 424 | 5860 | soft.exe | soft.exe
  PID 428 set thread context of 5580 | 428 | mstsca.exe | mstsca.exe
  PID 5376 set thread context of 1068 | 5376 | StringIds.exe | StringIds.exe
  PID 6136 set thread context of 4548 | 6136 | dsdasda.exe | RegAsm.exe
  PID 928 set thread context of 4428 | 928 | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
Drops file in Windows directory 4 IoCs
Processes (description | ioc | process):
  File created | C:\Windows\System\svchost.exe | 382498393934ena-rr.exe
  File opened for modification | C:\Windows\System\svchost.exe | 382498393934ena-rr.exe
  File created | C:\Windows\System\xxx1.bak | svchost.exe
  File created | C:\Windows\System\xxx1.bak | 382498393934ena-rr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 8 IoCs
Processes (pid | pid_target | process | target process):
  4256 | 4648 | WerFault.exe | RegAsm.exe
  5420 | 2328 | WerFault.exe | build2.exe
  64 | 5556 | WerFault.exe | ghjkl.exe
  6012 | 5556 | WerFault.exe | ghjkl.exe
  3076 | 5996 | WerFault.exe | kb^fr_ouverture.exe
  2788 | 4428 | WerFault.exe | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  5416 | 5016 | WerFault.exe | WatchDog.exe
  3764 | 3032 | WerFault.exe | cp.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | up.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | up.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | up.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsx64D.tmp
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsx64D.tmp
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
  5396 | schtasks.exe
  5948 | schtasks.exe
  4588 | schtasks.exe
  5244 | schtasks.exe
  6008 | schtasks.exe
  5852 | schtasks.exe
Delays execution with timeout.exe 2 IoCs
Processes (pid | process):
  5412 | timeout.exe
  4592 | timeout.exe
Modifies Control Panel 1 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Control Panel\Desktop | KarLocker_exe.exe
Modifies Internet Explorer settings
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | up.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | up.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid | process):
  5984 | first.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
  988 | VLTKTanthuTN.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid | process):
  4428 | f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 32 | 4363463463464363463463463.exe
  Token: SeShutdownPrivilege | 2412 | up.exe
  Token: SeDebugPrivilege | 2412 | up.exe
  Token: SeDebugPrivilege | 5564 | build.exe
  Token: SeDebugPrivilege | 1788 | RegAsm.exe
  Token: SeDebugPrivilege | 3108 | adasda.exe
  Token: SeDebugPrivilege | 988 | VLTKTanthuTN.exe
  Token: SeDebugPrivilege | 5532 | chromeupdate.exe
  Token: SeDebugPrivilege | 5984 | first.exe
  Token: SeDebugPrivilege | 5812 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 5812 | powershell.exe
  Token: SeSecurityPrivilege | 5812 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 5812 | powershell.exe
  Token: SeLoadDriverPrivilege | 5812 | powershell.exe
  Token: SeSystemProfilePrivilege | 5812 | powershell.exe
  Token: SeSystemtimePrivilege | 5812 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 5812 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 5812 | powershell.exe
  Token: SeCreatePagefilePrivilege | 5812 | powershell.exe
  Token: SeBackupPrivilege | 5812 | powershell.exe
  Token: SeRestorePrivilege | 5812 | powershell.exe
  Token: SeShutdownPrivilege | 5812 | powershell.exe
  Token: SeDebugPrivilege | 5812 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 5812 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 5812 | powershell.exe
  Token: SeUndockPrivilege | 5812 | powershell.exe
  Token: SeManageVolumePrivilege | 5812 | powershell.exe
  Token: 33 | 5812 | powershell.exe
  Token: 34 | 5812 | powershell.exe
  Token: 35 | 5812 | powershell.exe
  Token: 36 | 5812 | powershell.exe
  Token: SeDebugPrivilege | 8 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 8 | powershell.exe
  Token: SeSecurityPrivilege | 8 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 8 | powershell.exe
  Token: SeLoadDriverPrivilege | 8 | powershell.exe
  Token: SeSystemProfilePrivilege | 8 | powershell.exe
  Token: SeSystemtimePrivilege | 8 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 8 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 8 | powershell.exe
  Token: SeCreatePagefilePrivilege | 8 | powershell.exe
  Token: SeBackupPrivilege | 8 | powershell.exe
  Token: SeRestorePrivilege | 8 | powershell.exe
  Token: SeShutdownPrivilege | 8 | powershell.exe
  Token: SeDebugPrivilege | 8 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 8 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 8 | powershell.exe
  Token: SeUndockPrivilege | 8 | powershell.exe
  Token: SeManageVolumePrivilege | 8 | powershell.exe
  Token: 33 | 8 | powershell.exe
  Token: 34 | 8 | powershell.exe
  Token: 35 | 8 | powershell.exe
  Token: 36 | 8 | powershell.exe
  Token: SeDebugPrivilege | 5984 | first.exe
  Token: SeDebugPrivilege | 5020 | ghjkl.exe
  Token: SeDebugPrivilege | 5728 | BLduscfibj.exe
  Token: SeDebugPrivilege | 528 | BLduscfibj.exe
  Token: SeDebugPrivilege | 3120 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3120 | powershell.exe
  Token: SeSecurityPrivilege | 3120 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3120 | powershell.exe
  Token: SeLoadDriverPrivilege | 3120 | powershell.exe
  Token: SeSystemProfilePrivilege | 3120 | powershell.exe
  Token: SeSystemtimePrivilege | 3120 | powershell.exe
Suspicious use of FindShellTrayWindow 42 IoCs
Suspicious use of SendNotifyMessage 42 IoCs
Suspicious use of SetWindowsHookEx 10 IoCs
Processes (pid | process):
  2412 | up.exe
  2412 | up.exe
  2412 | up.exe
  2412 | up.exe
  988 | VLTKTanthuTN.exe
  5532 | chromeupdate.exe
  988 | VLTKTanthuTN.exe
  988 | VLTKTanthuTN.exe
  1208 | BroomSetup.exe
  988 | VLTKTanthuTN.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process):
  PID 32 wrote to memory of 2436 | 32 | 4363463463464363463463463.exe | rdxx1.exe
  PID 32 wrote to memory of 2436 | 32 | 4363463463464363463463463.exe | rdxx1.exe
  PID 32 wrote to memory of 2436 | 32 | 4363463463464363463463463.exe | rdxx1.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 2436 wrote to memory of 1788 | 2436 | rdxx1.exe | RegAsm.exe
  PID 32 wrote to memory of 2412 | 32 | 4363463463464363463463463.exe | up.exe
  PID 32 wrote to memory of 2412 | 32 | 4363463463464363463463463.exe | up.exe
  PID 32 wrote to memory of 2412 | 32 | 4363463463464363463463463.exe | up.exe
  PID 32 wrote to memory of 4792 | 32 | 4363463463464363463463463.exe | KarLocker_exe.exe
  PID 32 wrote to memory of 4792 | 32 | 4363463463464363463463463.exe | KarLocker_exe.exe
  PID 32 wrote to memory of 4792 | 32 | 4363463463464363463463463.exe | KarLocker_exe.exe
  PID 32 wrote to memory of 5564 | 32 | 4363463463464363463463463.exe | build.exe
  PID 32 wrote to memory of 5564 | 32 | 4363463463464363463463463.exe | build.exe
  PID 32 wrote to memory of 5564 | 32 | 4363463463464363463463463.exe | build.exe
  PID 5564 wrote to memory of 3108 | 5564 | build.exe | adasda.exe
  PID 5564 wrote to memory of 3108 | 5564 | build.exe | adasda.exe
  PID 32 wrote to memory of 988 | 32 | 4363463463464363463463463.exe | VLTKTanthuTN.exe
  PID 32 wrote to memory of 988 | 32 | 4363463463464363463463463.exe | VLTKTanthuTN.exe
  PID 32 wrote to memory of 988 | 32 | 4363463463464363463463463.exe | VLTKTanthuTN.exe
  PID 3108 wrote to memory of 5280 | 3108 | adasda.exe | cmd.exe
  PID 3108 wrote to memory of 5280 | 3108 | adasda.exe | cmd.exe
  PID 3108 wrote to memory of 5308 | 3108 | adasda.exe | cmd.exe
  PID 3108 wrote to memory of 5308 | 3108 | adasda.exe | cmd.exe
  PID 5280 wrote to memory of 5396 | 5280 | cmd.exe | schtasks.exe
  PID 5280 wrote to memory of 5396 | 5280 | cmd.exe | schtasks.exe
  PID 5308 wrote to memory of 5412 | 5308 | cmd.exe | timeout.exe
  PID 5308 wrote to memory of 5412 | 5308 | cmd.exe | timeout.exe
  PID 5308 wrote to memory of 5532 | 5308 | cmd.exe | chromeupdate.exe
  PID 5308 wrote to memory of 5532 | 5308 | cmd.exe | chromeupdate.exe
  PID 32 wrote to memory of 64 | 32 | 4363463463464363463463463.exe | buildz.exe
  PID 32 wrote to memory of 64 | 32 | 4363463463464363463463463.exe | buildz.exe
  PID 32 wrote to memory of 64 | 32 | 4363463463464363463463463.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 64 wrote to memory of 5656 | 64 | buildz.exe | buildz.exe
  PID 32 wrote to memory of 5832 | 32 | 4363463463464363463463463.exe | aoiido.exe
  PID 32 wrote to memory of 5832 | 32 | 4363463463464363463463463.exe | aoiido.exe
  PID 32 wrote to memory of 5832 | 32 | 4363463463464363463463463.exe | aoiido.exe
  PID 5832 wrote to memory of 5968 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 5968 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 5968 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 4648 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 4648 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 4648 | 5832 | aoiido.exe | RegAsm.exe
  PID 5656 wrote to memory of 5996 | 5656 | buildz.exe | icacls.exe
  PID 5656 wrote to memory of 5996 | 5656 | buildz.exe | icacls.exe
  PID 5656 wrote to memory of 5996 | 5656 | buildz.exe | icacls.exe
  PID 5832 wrote to memory of 4648 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 4648 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 4648 | 5832 | aoiido.exe | RegAsm.exe
  PID 5832 wrote to memory of 4648 | 5832 | aoiido.exe | RegAsm.exe
System policy modification 1 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | miner.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | btcgood.exe
outlook_win_path 1 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | btcgood.exe
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
-
[1] C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Files\rdxx1.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\rdxx1.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\Files\up.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\up.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

  [2] C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exe"
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Users\Admin\AppData\Local\Temp\Files\build.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\adasda.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\adasda.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB41.tmp.bat""
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\timeout.exe
            command line: timeout 3
            - Delays execution with timeout.exe

        [5] C:\Users\Admin\AppData\Roaming\chromeupdate.exe
            command line: "C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
            - Creates scheduled task(s)

  [2] C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

  [2] C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\icacls.exe
          command line: icacls "C:\Users\Admin\AppData\Local\55758f16-6f62-4763-b1c4-03b84cdabc6d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          - Modifies file permissions

      [4] C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          - Suspicious use of SetThreadContext

  [2] C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1148
          - Program crash

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\Files\first.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe"
      - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "..\c2868ed41c" /P "Admin:R" /E

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "..\c2868ed41c" /P "Admin:N"

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "bstyoops.exe" /P "Admin:R" /E

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "bstyoops.exe" /P "Admin:N"

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
          - Creates scheduled task(s)

  [2] C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe"
      - Executes dropped EXE
      - Loads dropped DLL

    [3] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

        [5] C:\Windows\SysWOW64\chcp.com
            command line: chcp 1251

        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
            - Creates scheduled task(s)

    [3] C:\Users\Admin\AppData\Local\Temp\nsx64D.tmp
        command line: C:\Users\Admin\AppData\Local\Temp\nsx64D.tmp
        - Executes dropped EXE
        - Checks processor information in registry

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsx64D.tmp" & del "C:\ProgramData\*.dll"" & exit

        [5] C:\Windows\SysWOW64\timeout.exe
            command line: timeout /t 5
            - Delays execution with timeout.exe

  [2] C:\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe"
      - Executes dropped EXE
      - Drops file in Windows directory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

    [3] C:\Windows\SYSTEM32\schtasks.exe
        command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        - Creates scheduled task(s)

    [3] C:\Windows\System\svchost.exe
        command line: "C:\Windows\System\svchost.exe" formal
        - Executes dropped EXE
        - Drops file in Windows directory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

  [2] C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
          command line: C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
        command line: C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
        command line: C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
        command line: C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 516
          - Program crash

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 536
          - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - System policy modification

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"

    [3] C:\Users\Admin\AppData\Local\Temp\4cb9bd85-d4ed-437e-8b95-23c9ba13cc80.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\4cb9bd85-d4ed-437e-8b95-23c9ba13cc80.exe"
        - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
        - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\btcgood.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\btcgood.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path

    [3] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\btcgood.exe"

      [4] C:\Windows\system32\PING.EXE
          command line: ping 1.1.1.1 -n 1 -w 3000
          - Runs ping.exe

  [2] C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
      - Executes dropped EXE

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1400
        - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\Files\build3.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\build3.exe"
      - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\Files\build3.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Files\build3.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe"
      - Executes dropped EXE

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 724
        - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
      - Executes dropped EXE

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1136
        - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\Files\Otte-Locker.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\Otte-Locker.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry

  [2] C:\Users\Admin\AppData\Local\Temp\Files\networa.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\networa.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [2] C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 496
          - Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe"
      - Executes dropped EXE

    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe

      [4] C:\Windows\system32\choice.exe
          command line: choice /C Y /N /D Y /T 0

[1] C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe" --Admin IsNotAutoStart IsNotTask
    - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build2.exe
      command line: "C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build2.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build2.exe
        command line: "C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build2.exe"
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 2064
          - Program crash

  [2] C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build3.exe
      command line: "C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build3.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build3.exe
        command line: "C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build3.exe"
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
          - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
    command line: C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE

    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
    command line: C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
    (the -enc argument is base64-encoded UTF-16LE and decodes to: Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess StringIds.exe; )
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Detail\gkxvbr\StringIds.exe
    command line: C:\Users\Admin\AppData\Local\Detail\gkxvbr\StringIds.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

  [2] C:\Users\Admin\AppData\Local\Detail\gkxvbr\StringIds.exe
      command line: C:\Users\Admin\AppData\Local\Detail\gkxvbr\StringIds.exe
      - Executes dropped EXE

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

[1] C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x3f8

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
    command line: C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
    - Executes dropped EXE

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
    (same encoded command as above: Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess StringIds.exe; )
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (6)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- File and Directory Permissions Modification (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD560fe01df86be2e5331b0cdbe86165686
SHA12a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD59b9526db66a852552eeb3c7da35ed1a5
SHA1a1f455926a46057db6c4b671a3039d8f69846acc
SHA256cad2972ff89f0c5f4191632bb97e5d8e8adf02db81e7b30288bbf1a51aae8961
SHA51241c5019c58cc95821bb80e00c398f04771cc6dbaae9564d9c934a9dba60031c110e4a8832b61cbe33b0cb54b33daa184f5748adc9de8fd0156f51f48166588aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E40F4660010397EE9DB08855BE67C64Filesize
503B
MD5e33a1090cec368d3f93d35f420169b4c
SHA1f7714b986a7d90b00f7a8b18a017e2df3f141e42
SHA256e167df1a2db12f5d2b0e6ebad2c2d484822a8dee426e2a0239ce83442f1b5d67
SHA51275481a472eea5ae103ff926c4bfc36dff3c6e700c27fbf003b25c2375601248b131c6341558b70fc3df925f26d790782e11d0d582f3508edc85bbf3e99e8bb00
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD530be1841fd0b10ad63da9c97e79c20f4
SHA10e0070ec2a1eef886107b33680c0b853af1e85a9
SHA25695a9bbfb3b74c1b694b4b491ad592763b9c0d5ef161f096c762089f2322257b0
SHA5125c0394b6d76226b427ba1930ffade7fc5d1315deff2ca5044ae6ac9d8ac112a42a76b7b40075c37817ae954379340da9bad98b10cdfc3d696c3e6920adcdd33d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD57207391ab4736350a3b855c7b719dec5
SHA1be9bdf06707cb857164d5cfae2c4c73ba7a76509
SHA2562d4900b63a33acebe87e3c40f04d3602f417a4432f898f11d81d65dd0c3bbe3d
SHA512b065c1226cac9d6ca459c6543e5aeefa5bd4c441abf9080b64c3a3630ff77770a103b43f3259cc8eae92f3e88129e5a9aef0398b5368c5a9cc40514c59295503
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E40F4660010397EE9DB08855BE67C64Filesize
548B
MD5f2454a57f4ab90f051397ebcd9bc8c55
SHA1e166ef26ae0ccfb103a349589978ed4e27976a22
SHA256ef024601cc59b4fec757e6c626b79bc3f7017b42fc605ac936a641cc08ffef56
SHA51232a96e8f5bf501bd5e9a1e871b320063350298f5c0a9b261c6423d3bbd47ca68512bad2776e16d125c342ca26ed285bf48b82a4c1d76b386f8f48c33e0efd9d9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD5bc8fd7189bd3a814d71a942273dc6899
SHA1b69a7b604bd572c405d2a7692d196efdcdb90027
SHA256ab9ab2084c7e14927e90d2abe8ccaff88c77d005082a7f0c245018874cb051d3
SHA512c4f0f3be5220beed85bca41788013bf753ea20365768cab86f0fd1bef92ccd12a9bd7c1cb36a4a4df04214210cee8da6a7dbd42d7a1581e3da8ad728de1fd573
-
C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build2.exeFilesize
250KB
MD54e7ff9884eb2d48c0f3214d118b0dc7e
SHA1eca847a42c66bada026cf22bc42ee8d170d4c144
SHA256ae3a2042d10308347970f9c7d9da075d964cbee2df5a52321adcc8013c6e196e
SHA512e1fb1d00501c9d926e337d3e5c30df9a222f30cfdd83d3d2c22b24ae123025f834990a23ed76a60bf6fe03bb4d76bda33d0015352f28324ba794928a6ad25ea3
-
C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build2.exeFilesize
71KB
MD5d8a949420fd5e7cbf06325bce3f87edc
SHA1563e84ec08ed3426dff78d23fdd0e071434d61ce
SHA256e2b8f39c6cf9236266f2fc9d713068b1c254b1a885c1a092da3ad7de3a3f91d7
SHA512f16360a42ad11b092965b4c68b43d8f808d49f8f8492d0e0ff987242a84fef706f5fcf378b28d727446408ac409d48cba7236d322c657690d33f134ae0492abd
-
C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build2.exeFilesize
212KB
MD5f1d2ad861b8d3aa947d8687b97d39a19
SHA1b443413e6ddd63af9295bc932eb6cb35e2322a1c
SHA256f784193b3854267d4f9166341fff05214f7392779116f39344b0aa451a6fad26
SHA512ac9eb5031bae85c19e8f6f513a154c69c54b11c29e954f88c10d2ffe3ded35c99552d2a1bdf5a3f68376a67291efa76695ca292001249ce561c7a167accaa63b
-
C:\Users\Admin\AppData\Local\552bd6dd-d75d-4424-bf43-99655cc4dd15\build3.exeFilesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
C:\Users\Admin\AppData\Local\55758f16-6f62-4763-b1c4-03b84cdabc6d\buildz.exeFilesize
269KB
MD50ddc8db410aa80d61975e66e016bffbe
SHA1bde025807ca510fc056391e2652c873972036e37
SHA256d85da0cbd23bb99269f79584b000cb011660b810bb5ce2c1f83c9cc2a9e38b9a
SHA5121893b361ce60ffaede7edef24a80fb31e19dc93676a890c80d11f9a3f709a96e95a147fe8b644f5d03b07331e0c902f2de8209ffe66fe1aef83f7361caaceaec
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.logFilesize
1KB
MD51d1ad81054ca4f7e1705e47dbbd38096
SHA1f43f4579bd5c6d61d2e3559801e4b92d2b0274ec
SHA25685774d8a9602cdd6dd90cf987551e9cc49a4d46610f071b8386706155dcaf079
SHA512a37abc8304bb8ab453f465cd635ba04d0381d1a3471806af337a4cc7d85dd0a3deaebea3875fdaf7b6d2032c03f9d7a8777145d1b5b09caf80858cf9a0407e65
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD542e4d73a54e4cccecd0e1d4b90671a88
SHA14ad1063beabb1d9fe56772677958adf5644c1ce6
SHA256a773a65f2ba94b723ce63e7c042b8a6afa6f7ac50de716550d61239e9284da7e
SHA51274590d579982f4b957dabea0cc81699a7a1dae3269b17ee34ca21c8be229ddcdb185e783b50468a8b6066109214c97dff39527e81e1809a215c277d65ba70ff0
-
C:\Users\Admin\AppData\Local\Temp\136442398.exeFilesize
564B
MD55da4c1420f84ec727d1b6bdd0d46e62e
SHA1280d08d142f7386283f420444ec48e1cdbfd61bb
SHA2563c8cc37a98346bd0123b35e5ccd87bd07d69914dae04f8b49f61c150d96e9d1f
SHA5127c51a628831d0236e8d314c71732b8a62e06334431d10f7c293c49b23665b2a6a1ddbc4772009010955b5228ea4a5cd97fb93581ce391ee1792e8a198b76111a
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exeFilesize
2.0MB
MD56319510f0bc82261b3b88b7f8921184d
SHA1651b742121c9e5fe984a29580324306b0d14cb76
SHA256fd3e41d4a4df236d5e99426b5ce4ecefd8b0a3ec43a33d5720daa3f74683fc4b
SHA512ab837f6a748320460dade66df9f1ddc229002f0e626445a0e62a4207daac83fe0a43c479a705c1a7e5dbb678611b01eac32fae9d49d91d4b51f4e18614a3443f
-
C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exeFilesize
26KB
MD544936fc511ff011ddc908bb0ebba90d7
SHA139123dbb10898db32c01e119389411f9e74b2670
SHA2566cb44095426be64819014dd2ecf4527908244573d959081ded911cf5004a30b0
SHA512c9f1f1d4bee518cba8e8d470d2e43eaddd84a45914c67f18fc4c7e18157d46d2e34d3ea330015b5284dd9ce4521889dd0c930025e28a238c372bd7a442db9418
-
C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exeFilesize
35KB
MD55ddea15d80d52e340a1bb455e18fcc04
SHA148dcede754a4cd4e027b1cfdceba154e7307aeab
SHA256e2f96d35a5052abef9991c59d38ddff4b75339266521d5ac7d561ea013eeef3c
SHA512489f327349d29f3b47787980ad584847b1ead975265a6bc87e608ae758b9ae24d38cf719119d00e7a4058e41448d57a2e49be97898d6299d23561a8ef27d0794
-
C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exeFilesize
378KB
MD5da6a11dd0df069625c0d1d1e0547df8f
SHA129f6004a38fba620ab21ae80bda4c14c5c37cdc4
SHA256bb46c0d742ca3951bfc055ea56e1c59fb83406cfbb65754e2608712df72d482c
SHA51238b2381a0405ecd9cd5a13694c3322087d814dca4fafe2a83fefbafaf2cf17865a06b8098f0c415ba9c524dc334afd05f2ab021bc2b7830b5dbc76a8e5818095
-
C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exeFilesize
331KB
MD53334560095bb7e9648f6d9cc7d8ea64e
SHA1e9070e26e9c08fbbc7acdf014b31194181ab0b9c
SHA2566002b48385fd6907c04bc206850ce0f23c782c87a14bbd14873a3233ab2694fc
SHA512d48a93a1a2908e2345154e077721410d17f3cd311ea9abe508d376fdea0af9826d37e8aac5411ca6b20ffbf5edbbe132e4128d673fd0ca3af540fe880b8c4d6f
-
C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exeFilesize
466KB
MD5b502c88cba1fcab4c0abcf1fc6a42507
SHA101c2dc13b5369eb1bf2ea6b6b577c0b9a8c144f8
SHA256858e1293c2d3f2276a229ba0350d0c7dbc9eb0d818e39196bafd60ac5a532a0b
SHA512773989abb24b3129543c722edbb948df8b6208140d0c5f24b19b36479deb6a4a5982e9307cfa0f093d692aecf8a27e9d8716056b2a9a091145bc81ea5f761298
-
C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exeFilesize
606KB
MD587b2ec6d927dd11c771490639bcd3c4c
SHA1e4f88295c3c3d461ff8d91dd973c82ad9d597a15
SHA25649dbeefda9954d0584c02dc837a2c5d2433a64d5dd8a8be8019209da01cd43e1
SHA512d5218146fd50ed187bba5f056a6a705ce8731583764ad1fbb2079bdd8290f23befcab43625bff3a21c121ef466e76a1564fee158e6f38ab83b726387f3235b2e
-
C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exeFilesize
102KB
MD5a6568ca8e73549cf3a36cdf77b204467
SHA1ab4c6ed908eff9db3bc89bbe9fd99365bff114ff
SHA256d1905585a37030decac5405b60e674510a9b993ef9796cd38e807c012bd380d5
SHA512e71ca88e9e9decbf9155f3bff695c78e8f3c02aa4d225c38e81626aff24237199559d3cf99eca87cd6bd082ccfa4441c91bf567cb67b0ec25a98513f8fa12662
-
C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exeFilesize
142KB
MD5cf1b4abab13a6eef91da5e4aaa8d17f9
SHA1a0756c25b07ffada98b94fb0d70e36a837017752
SHA2569679ad06592ac96b1581919636c4ad37738069a710479cccf03b1e3aab3dba4c
SHA51235e705b8c22336263fd245155a43d66b1be53c09d9a941c16b3cd3dc15f40942e2c5fc95f76def828d14f9fcbb7e12d18495227bff4cb0f63d9ebdb2f3ab1d46
-
C:\Users\Admin\AppData\Local\Temp\Files\build.exeFilesize
95KB
MD557935225dcb95b6ed9894d5d5e8b46a8
SHA11daf36a8db0b79be94a41d27183e4904a1340990
SHA25679d7b0f170471f44ed6c07ddb4c4c9bb20c97235aef23ac052e692cb558a156d
SHA5121b6362bdb7f6b177773357f5fe8e7d7ee44716fd8e63e663e446f4e204af581491d05345c12cd9cca91fd249383817da21ef2241011cdc251b7e299560ea48c0
-
C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
Filesize
231KB
-
C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
Filesize
310KB
-
C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
Filesize
442KB
-
C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
Filesize
243KB
-
C:\Users\Admin\AppData\Local\Temp\Files\buildz.exe
Filesize
402KB
-
C:\Users\Admin\AppData\Local\Temp\Files\first.exe
Filesize
66KB
-
C:\Users\Admin\AppData\Local\Temp\Files\rdxx1.exe
Filesize
471KB
-
C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe
Filesize
320KB
-
C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe
Filesize
189KB
-
C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe
Filesize
715KB
-
C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
Filesize
715KB
-
C:\Users\Admin\AppData\Local\Temp\Files\up.exe
Filesize
227KB
-
C:\Users\Admin\AppData\Local\Temp\Files\up.exe
Filesize
287KB
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qo4wnlgj.x2h.ps1
Filesize
1B
-
C:\Users\Admin\AppData\Local\Temp\adasda.exe
Filesize
73KB
-
C:\Users\Admin\AppData\Local\Temp\aut9337.tmp
Filesize
9KB
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
174KB
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
225KB
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
249KB
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
296KB
-
C:\Users\Admin\AppData\Local\Temp\ketix.ini
Filesize
6KB
-
C:\Users\Admin\AppData\Local\Temp\nsg37D.tmp\INetC.dll
Filesize
25KB
-
C:\Users\Admin\AppData\Local\Temp\tmpA672.tmp
Filesize
46KB
-
C:\Users\Admin\AppData\Local\Temp\tmpA688.tmp
Filesize
92KB
-
C:\Users\Admin\AppData\Local\Temp\tmpA6B3.tmp
Filesize
96KB
-
C:\Users\Admin\AppData\Local\Temp\tmpBB41.tmp.bat
Filesize
156B
-
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
207KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
245KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
268KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
12KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe
Filesize
43KB
-
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B
-
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Filesize
2.4MB
-
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
1.8MB
-
C:\Users\Admin\AppData\Roaming\ubcwceu
Filesize
187KB
-
C:\Users\Admin\Desktop\Lock.ClearCheckpoint.doc
Filesize
333KB
-
C:\Users\Admin\Desktop\Lock.ConvertOut.docm
Filesize
533KB
-
C:\Users\Admin\Desktop\Lock.SearchConvertTo.docx
Filesize
399KB
-
C:\Users\Admin\Documents\Lock.Are.docx
Filesize
11KB
-
C:\Users\Admin\Documents\Lock.Files.docx
Filesize
11KB
-
C:\Users\Admin\Documents\Lock.Opened.docx
Filesize
11KB
-
C:\Users\Admin\Documents\Lock.Recently.docx
Filesize
11KB
-
C:\Users\Admin\Documents\Lock.These.docx
Filesize
11KB
-
C:\Windows\System\svchost.exe
Filesize
5.3MB
-