Analysis
  max time kernel: 287s
  max time network: 296s
  platform: windows10-1703_x64
  resource: win10-20240221-en
  resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 26-02-2024 21:44
Static task: static1
General
  Target: 24b2f4d166acaa53e399d79b0942811e.jpg
  Size: 11KB
  MD5: 5196c2a576b01221d14d6841b085212d
  SHA1: ddcfe273c74c38c95bf24d13b6eb95808e175336
  SHA256: 1e4ff97d7c0f8c32e9b5a7b4fbb05e69f91c10c88d5ee58c8a1d2ce9805759bc
  SHA512: 08a42fc2074f137354fd00efe7c2bbc6b3b48040ee068529dccdc7f7cee890388347f06441b34a3af6f8dcb9aeceddd5b5240fbbe5ce5d7c689489e78e0bc266
  SSDEEP: 192:0f1E4Yittld8GRbkqCUqDtGy+GL3DRyXNtpaaes6jBchxJJsgG5NGOmvveca:0f64Y+ld8IbkHc0L3DRotsk6jBclJw5f
Malware Config

Extracted: vidar
  8
  ab8ba484d8a6c9be7d043c05bea0aa9f
  https://t.me/neoschats
  https://steamcommunity.com/profiles/76561199644883218
  profile_id_v2: ab8ba484d8a6c9be7d043c05bea0aa9f
  user_agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78

Extracted: gcleaner
  185.172.128.90
  5.42.64.3
  5.42.65.115

Extracted: njrat
  0.7d
  HacKed
  18.ip.gl.ply.gg:43389
  4ac5522ba6619835b9ac056e603570c4
  reg_key: 4ac5522ba6619835b9ac056e603570c4
  splitter: |'|'|

Extracted: lumma
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
Signatures

Detect Vidar Stealer (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1572-693-0x0000000003F30000-0x0000000003F64000-memory.dmp | family_vidar_v7
  behavioral1/memory/1572-694-0x0000000000400000-0x00000000022E2000-memory.dmp | family_vidar_v7
  behavioral1/memory/1572-711-0x0000000000400000-0x00000000022E2000-memory.dmp | family_vidar_v7
Detect ZGRat V1 (5 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe | family_zgrat_v1
  C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe | family_zgrat_v1
  behavioral1/memory/896-707-0x00000000001F0000-0x0000000000590000-memory.dmp | family_zgrat_v1
  C:\Program Files\Windows Security\BrowserCore\winlogon.exe | family_zgrat_v1
  C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe | family_zgrat_v1

Downloads MZ/PE file
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  pid | process
  3088 | netsh.exe
Executes dropped EXE (13 IoCs)
Processes:
  pid | process
  1572 | 00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd.exe
  3016 | 1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe
  896 | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  1440 | e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe
  1600 | 1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe
  3472 | e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe
  1580 | ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16.exe
  704 | server.exe
  3212 | server.exe
  2824 | ApplicationFrameHost.exe
  2008 | ApplicationFrameHost.exe
  3020 | ApplicationFrameHost.exe
  3388 | ApplicationFrameHost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ac5522ba6619835b9ac056e603570c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ac5522ba6619835b9ac056e603570c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Drops file in System32 directory (3 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  File opened for modification | C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  File created | C:\Windows\SysWOW64\XPSViewer\de-DE\6dd19aba3e2428 | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description | pid | process | target process
  PID 3016 set thread context of 1600 | 3016 | 1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe | 1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe
  PID 1440 set thread context of 3472 | 1440 | e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe | e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe
  PID 1580 set thread context of 2660 | 1580 | ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16.exe | RegAsm.exe
  PID 704 set thread context of 3212 | 704 | server.exe | server.exe
Drops file in Program Files directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Windows Portable Devices\smss.exe | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  File created | C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72 | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  File created | C:\Program Files\Windows Security\BrowserCore\winlogon.exe | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  File created | C:\Program Files\Windows Security\BrowserCore\cc11b995f2a76d | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
Drops file in Windows directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SKB\LanguageModels\5940a34987c991 | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe
  File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
  File created | C:\Windows\SKB\LanguageModels\dllhost.exe | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  2008 | 1572 | WerFault.exe | 00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133534575311949351" | chrome.exe
Modifies registry class (7 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | 7zG.exe
  Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | 7zG.exe
  Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
  Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings | ApplicationFrameHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings | ApplicationFrameHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings | ApplicationFrameHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000_Classes\Local Settings | ApplicationFrameHost.exe

Runs ping.exe (1 TTP, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  4312 | chrome.exe (2 entries)
  3976 | chrome.exe (2 entries)
  896 | 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe (all remaining entries; 64 entries in total)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  pid | process
  4456 | 7zFM.exe
  2216 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
Processes:
  pid | process
  4312 | chrome.exe (15 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4312 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4312 | chrome.exe
  (the two entries alternate for all 64 IoCs, 32 of each, all for PID 4312 chrome.exe)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  4312 | chrome.exe (64 entries)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid | process
  4312 | chrome.exe (repeated)
  2216 | taskmgr.exe (repeated)
  (64 entries in total)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 4312 wrote to memory of 2012 | 4312 | chrome.exe | chrome.exe (2 entries)
  PID 4312 wrote to memory of 4476 | 4312 | chrome.exe | chrome.exe (repeated)
  PID 4312 wrote to memory of 4780 | 4312 | chrome.exe | chrome.exe (2 entries)
  PID 4312 wrote to memory of 688 | 4312 | chrome.exe | chrome.exe (repeated)
  (64 entries in total; the target PIDs are the Chrome child processes listed in the process tree below)
Processes

C:\Windows\system32\cmd.exe  (PID 2224)
  cmd /c C:\Users\Admin\AppData\Local\Temp\24b2f4d166acaa53e399d79b0942811e.jpg

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4312)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2012)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe0e3a9758,0x7ffe0e3a9768,0x7ffe0e3a9778

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4780)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4476)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=480 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 688)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2180)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4964)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4308)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3736 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4460)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1836)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2376)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3748 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3784)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5244 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2512)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5316 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2332)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5600 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 828)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5844 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2872)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6048 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3040)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5484 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 384)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5964 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 652)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6064 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1756)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5256 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 760)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5460 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4116)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5596 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1984)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=948 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1872)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2180)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:82⤵PID:4628
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5008 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:82⤵PID:1016
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 --field-trial-handle=1768,i,15045523588502111106,5732838287634261111,131072 /prefetch:82⤵PID:660
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3908
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:4456 -
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\*\" -ad -an -ai#7zMap11011:942:7zEvent40402⤵
- Modifies registry class
PID:2032
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3020
-
C:\Users\Admin\Desktop\00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd\00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd.exe"C:\Users\Admin\Desktop\00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd\00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd.exe"1⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 21042⤵
- Program crash
PID:2008
-
C:\Users\Admin\Desktop\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe"C:\Users\Admin\Desktop\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3016 -
C:\Users\Admin\Desktop\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe"C:\Users\Admin\Desktop\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe"2⤵
- Executes dropped EXE
PID:1600
-
C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe"C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PsnJ6b3PSK.bat"2⤵PID:4792
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:4144
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:4288
-
C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"3⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tXGl5KOL28.bat"4⤵PID:164
-
C:\Windows\system32\chcp.comchcp 650015⤵PID:2576
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
PID:2944 -
C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"5⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fVfPD2qQtb.bat"6⤵PID:3208
-
C:\Windows\system32\chcp.comchcp 650017⤵PID:4272
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:4640
-
C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"7⤵
- Executes dropped EXE
- Modifies registry class
PID:3020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"8⤵PID:4420
-
C:\Windows\system32\chcp.comchcp 650019⤵PID:4224
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4764
-
C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"C:\Windows\SysWOW64\XPSViewer\de-DE\ApplicationFrameHost.exe"9⤵
- Executes dropped EXE
- Modifies registry class
PID:3388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat"10⤵PID:2576
-
C:\Windows\system32\chcp.comchcp 6500111⤵PID:600
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- Runs ping.exe
PID:2824
-
C:\Users\Admin\Desktop\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe"C:\Users\Admin\Desktop\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1440 -
C:\Users\Admin\Desktop\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exeC:\Users\Admin\Desktop\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe2⤵
- Executes dropped EXE
PID:3472 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:704 -
C:\Users\Admin\AppData\Local\Temp\server.exeC:\Users\Admin\AppData\Local\Temp\server.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3212 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:3088
-
C:\Users\Admin\Desktop\ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16\ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16.exe"C:\Users\Admin\Desktop\ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16\ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1580 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2660
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:2216
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads
-
Filesize
3.9MB
MD543bbafc12e49652af85ab568e36e0df4
SHA1095b183bcd5ad3f71e8e2487d7adf195d6178c9f
SHA2564fe4fee5275b50cde3dce19ac69e6a2577f9bcb79dd2ef47e8b7fda80cf3db64
SHA51230eca3485ccfe548c5023f69df9466b3323d40daa818f4db46095a7c2079b8fdc4eb9114eaae72486378afe5ed9ac8cd7178c8cc44d50dcb75d467bd43b06776
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3b5dcb7c-715b-473a-8c98-49bafdfaca86.tmp
Filesize5KB
MD50374b643d0827ae98bc920e025467a43
SHA1343a8241f7e4ffc8297679af7e2958c1a266d310
SHA2562f2b55a69f447fa1b424176cf355bbc593a4b7451a0a0ebec86b1e3ff3d3ac05
SHA512b6b28c4d0d1482a2e5367a1f4e4e07ca977832f08bea294f920bd051ee5489be6dabd64eb58000be0b1db71d547d4ecf7457032ab16fdeff155617378ef2db3d
-
Filesize
22KB
MD53b5537dce96f57098998e410b0202920
SHA17732b57e4e3bbc122d63f67078efa7cf5f975448
SHA256a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88
SHA512c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d
-
Filesize
30KB
MD5888c5fa4504182a0224b264a1fda0e73
SHA165f058a7dead59a8063362241865526eb0148f16
SHA2567d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715
SHA5121c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36
-
Filesize
77KB
MD5b15db15f746f29ffa02638cb455b8ec0
SHA175a88815c47a249eadb5f0edc1675957f860cca7
SHA2567f4d3fd0a705dbf8403298aad91d5de6972e6b5d536068eba8b24954a5a0a8c7
SHA51284e621ac534c416cf13880059d76ce842fa74bb433a274aa5d106adbda20354fa5ed751ed1d13d0c393d54ceb37fe8dbd2f653e4cb791e9f9d3d2a50a250b05f
-
Filesize
85KB
MD51f8a0089d168058204d311143b7f508b
SHA128ea4d33c0a70e0d600174deafea7d1b4ef204e3
SHA256089184b28b2f756240c1e21ef7388664ef5ca0da644f885c20a4032b7d460679
SHA51224918f186f852826c8902f207be730968985651caf4979819b356c49626a7ca4e56f9f437d8d9206ea7ff64e732cd7b6263aac6bb1c5b25eb09353db3d05df71
-
Filesize
195KB
MD5873734b55d4c7d35a177c8318b0caec7
SHA1469b913b09ea5b55e60098c95120cc9b935ddb28
SHA2564ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d
SHA51224f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308
-
Filesize
105KB
MD500c4e2f14e3b4ac17116fe707e757aa3
SHA19ed778225a898d676994c69cfe2abca822fba8bc
SHA256dea41de10cf0590398e82b384df2a452fbd191be16319b5b8797580d043a618d
SHA512c9e1f19af4b88e45feb9efe11c17e653a0122985900c09c4e1aa0ffb8062d88adcaf7f729d27e06a94973a970c25d3f6ae1b6857a50ecf783eebe63600105b56
-
Filesize
246B
MD5d09812d6f8793aad8c3ddbb17dc20fa4
SHA137b5d3bc87c1b52a32ca6bcd919ec92d30711160
SHA2560d2c2eca93d10ac9b47e9605141a4b385714deb69c5b4f6c2e2bcb3317ad4924
SHA512e01a04f1afa353e20e7690f1aaf690a3655517c55dfcd8cab71b4172bd0ac09a56f8283e8de026ad9ae27209cbc474c63bf6da2b716970b228764955320a3989
-
Filesize
49KB
MD5341e42e364f6502bd0b410e9e641fb67
SHA185514e1dd5c82e690b1d4ec2ee6c38c0d70b5b9d
SHA256ffd44c580fb7b3425e25a64578160ce5961955b53fd65397d66040dc38a3b248
SHA5129586ee570338bf4efae3f0a7cf6f62e13dc1efaf312fe3ce2b4fabb9905d9110780b90d30d48493afc93371ed376b27dc0c59ff69a574011d50830c267d1fb1d
-
Filesize
249B
MD5002f8512c8ee30c1547b4a14b8e1f5f3
SHA190d96dc296b7178c6d7f12a919d042995c4b79b9
SHA256c7e55230a1fcff7d14187f85c93f36a1512b3cb88a33a1f4e9b2e97d2d62f227
SHA5126d7514b48d2313e550d3511f6c0549ea5ee2a12631f44bfb3a537e8ec7c0e18338c5545d07889b0f9fc83badd1de62b1a6cdb82ce2aec15c5750ad7fe919f2bd
-
Filesize
259B
MD55e09b125d981c90bfb737aafd83cd294
SHA1ce40f211414bbee8fe7ea5e43ea56cb2aea1039d
SHA256cc959b077069a967f9f3bff3147a8ec5dabd0daa1f6da1943823e254c2125f83
SHA512a034204c12a432ac1a2aeb3012307f29b3fb3c8191c036b84fef3e515cc0a42c0e8227e32da1abc72a199ebd95f54af579c27cbe19abc8c58c49f9d8126742ff
-
Filesize
399KB
MD5b506ec62f99a995c309271d9260b09d9
SHA11a55a80ae237af77d18ad12cf73052c2b389f939
SHA2565219955184d6ebfa93a7b67676d6ee7466915b8d5251cd6d4217998da1cc2aac
SHA512728ace9bf5f6f6afaceb35cebcf9142cd55aa1296f2dfbe4cf858a8b31fa2179200828d04ed88979f2473e430c38f5fc07618eee4e7769f833475926faba4019
-
Filesize
10KB
MD5af51004a9010d44504040dffdf122b91
SHA126801d032a2c7503e960702225f807e10aea3e6a
SHA256a4b525d348f8e88ec96f855a7a05c4937c3cb4b169675aedefed44be71cf4a63
SHA512bc19c5db0cb8de955090c06913d15a534277c0e6135f772c8846aca1ea4e3127fd31dd5094af3ba2ea9f0fd359d6828dc13e8864f8dfdeff7ba4974a941523a5
-
Filesize
456B
MD522fe12afeb4b4d577ec3a4dcbedaf921
SHA16e80fbbfd27f933963948fc2f7bf330bd4673db6
SHA256a0126bc8ffe72b0637e536fff20a41e72dedbcd4202e8fc26c366a4f9eb86dce
SHA512172e63247c8477bb8f7877b6d94ac6f1e198a3cfe25a022555349312c2a45ac9f9a5534de54fb0fbcb07672a3428af1eaf2398a52d4e6fb3b4ac5f203cf20f6f
-
Filesize
360B
MD58124f0710d5a0b611f7da1c5b4fce934
SHA107171884f81bf64e85c7480b7ec826f67150b4b7
SHA25662d8dd63c83f9a2d9b2cd2871b1e99698c9a9bef16b07ea1709c0497c829fe75
SHA512a23c09425aed56032a3e07b6b3468356fb9304cfa6bfb79f57793fa1a3e4c5aa1188ab892f1c927c62d55c2fcd77c319961d7c4e793917adecbbff38628b4d7c
-
Filesize
360B
MD554f8df1101525ff24a95c95b11d9b847
SHA175ea6d1256a4f1f0d9e71f583c7e8f86d0febf46
SHA256983353a4b9915b6509a961b2c371ea4c484ce6ff162e1434ce401110c37b458a
SHA5126304b65715ba3af6cbd7b6836e011967b1afea59a57c6f465831c98f84cf1aa28491e7d1563f8e7e504a7b982fff50ecdbcf14982f4046edb2791904a88fa380
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed\f286019e-b01a-463d-acdc-dcc763513b2b.tmp
Filesize27KB
MD52bcbbcf34a9480cfb0a7b00041f41283
SHA1802058d337343fe841b42dd9e75134817e097088
SHA25616f200c0c0bbc13d6038b5d722b469f4920f40d89024aa6f645cdd5b3173b4fc
SHA5120aec6fe4950d952d145d69bab3c90d061e1c485c07b235140d7a286e8be3a9fc83ac832be6c371572156f17efc2fc000d47457ed4e6102ec1c4cbf46a86ab1f9
-
Filesize
1KB
MD50bb4f2fff719e2e36755f4fd2ad630ff
SHA1ec0eab793bc288ce81742b958e579eff8ea9732a
SHA256764de9d4638fc5d9a3c3544307b3b85c297f2f63e8db6ac3f91f7f60e33ac12a
SHA5128860b95709594f921e0f9fe3e11c7f185e78782546133d35e06a27494d87253e1becc9ad7ceb84f322a97adbe50e4c0d196ecaf0d5c2a77b5d356000c39019d4
-
Filesize
2KB
MD5ecae07abf78325c2b1d7c0241f48b6f6
SHA14ec70a6bd64422a349686ed0100a5c64c6f1ec8a
SHA256a3ce781f93e84a9157970d1ce49f8144692979450a2c62b21de5090bb0ae958f
SHA512d5ad10e0230e3bf9c0081a2caf35e6568418520575ca714974e747f66b2dca08ea5532bd1124bd9dc14c97ceafa00382516de22a58e349673bb3502121712cbf
-
Filesize
2KB
MD5707b1bd10c18d607f608150e7164e592
SHA19ef49bd7fe34768339d3e3f0331ec245923fa918
SHA25687966656d1ab968099bcdaf48f670054be1ce69079a99764bcae4940e22a3c0e
SHA512776f1af6cd51b01baade60a92482bfa0b37c2fb15a95218fb2078d3e3ae2a87f37278e243ca82cf0a891aa9f343253db2ed0d56f3d2cdd6525dc3fe6559e5fa6
-
Filesize
705B
MD5eac5854f41f416bde8dd58d21b532b40
SHA10c91a692f29ea2c75fae8997681b1643266386b5
SHA2564b228c180ca336906a38282187ee902f099a24c4eb95a9e116eb6015b293defa
SHA5120c1fde82ee226a6650b669744f031313a95efc4c79cef0e93f5bb56362a787aab94855f8c3641b117ee5f64f2742cdb9566069dc12ada99d7e8a989350b960d7
-
Filesize
705B
MD59cb2c3de27e22cb7cfe5322e8111a723
SHA1cca3092354f2504299a81c41a59f4a592d1b5f58
SHA256b99bcfb655d25b3aa2e9db0ffe3daa8db3ab6f338573372a64e7ad5be4ef7e14
SHA512b72428049d4abc44167310b60d8e69a4de4d7832b788ae7b01de9b0f20fb31e89875c298b9b3410b9372b333f74b77101241df9822f0ab8ad34fd30658c26eb0
-
Filesize
705B
MD50227946e5b4738f9334b7533b911c9c5
SHA145622d5f6d6fcc80858ace7f3f8c9ad90e3196e6
SHA2567a3968c0e670740d51d29541069ce038a0b258937c9e3cb1b925aa7386366859
SHA5120792f3643f198265148bad49298ec61cbad032acbbd9c9d83620fd8e267f43a4ceb0cdc9ef83c1551bbb8f775ef5538eb45a1d3c5fc5305bb3ad21ac0634d8fd
-
Filesize
705B
MD54c42b503f852efd493b85fae04427644
SHA19c9ecc091c65208ad0ccf11d826fcc54635911d6
SHA2567374e93d4e087cbe09d346853b264eb661fba0c280c2eea542aaa56b011c41d0
SHA512faa0a7da19aa7e2e5f75e490cd707ceecfbe36994771b20925bb00e37eab62f11c0854f8b92729aed66a666d6dafa3e3df520cc084c6892374e9a329741b21f7
-
Filesize
705B
MD503e85fdeb121624ab2917bde23db2919
SHA1856a2fc8cb198b4e18715739b7f6733f3b6572a8
SHA2560e230aa92540491662eaf241dfc18dc6f353726318d7d71245f0018d79a09910
SHA5126cbef4eb8ba00da8b02c0396ab06215fba7f5bebbeba1e393aca9b5928a2f50124447a01596b5d37a2e5a62dd1fa072a9053ff91a5da2602544b85c9e0466621
-
Filesize
705B
MD5709b6aa44b0e02ced1f0b202aafbf1a5
SHA1fa79d0a40f2ffc07f20253c90b02d35a48c7ccf1
SHA256d7624f384818ee3248f5a8c145a45d3512d8aaca6f82f5f6417e5fa7794cfe6e
SHA512da0b9b60d2b9d3845eda539a420b2d9b413e0c630b176152ffdb920839df70abff8a0ee178c508814ce65355fa72e8ce6768b5b189141ff9a906705ca4e8e256
-
Filesize
705B
MD52d2f6fb299cd79f470448a51e4c99193
SHA147de7df3165bb15e8e123499259fe4c2c65c23bc
SHA256e00814f42d761631f41e2d3f97a6f973780f2c8530ef4c1ab54cdf829f68c6d8
SHA5129fde31cc173faf970da5665b462936a29935735e8d6b9dd1f26aa0f9a6efe3d58bb9f25b0eff7e8723e54c2630d46ddb3105c06af6b16b706cf24611cc759161
-
Filesize
705B
MD5e625d7e3a7d1233f27678114e8358e47
SHA198990f0395f2dad91f20a0cfeff9382a1994d9eb
SHA256689864cc8dc8346afaf5d5df26b769fd5a52c6438ee2c786d5aed44f643d5e55
SHA5120c8b0abeb31a4e8d445c60e70e5415f3c0b009fcf93b170a24fe52ea050708993c291f715d094191fcbf99be0b360ecaaa48b3cb67a222955d0ef2a3ce61fa4b
-
Filesize
5KB
MD5cd65068ee541f13107a38e72bb5e0d06
SHA1500637528e3310a11a54ca8418e564a4e31d803e
SHA256ff3af23e6d258e017265f3cc31edce2a345e9122e6d02488d2c3fc0d25854c5e
SHA51229d5199fae7bf5a6713db4fb520b975e35c32a73bd6c4a3e10fbcc6328dd11b3ac3227331cbcd4c057825edb208a40205d5aecc2b81f25557f8e7631ebf69bab
-
Filesize
5KB
MD57f054668b1067e0b3e59dc1bc24aaee5
SHA155cfb91b37781775de60ce895e98bba88e75af36
SHA2562685264225faeb1cc32747a9c0744b88a929a878f365b225bb4acea1d52dbabc
SHA512b92b8e6de290ff1aedad96610b1cdbadd76453d2730dbae2c731e1c79a524225bd12ca77e9d490eebbd4f1da6c592104ec58013199366b137c3dfd253823d993
-
Filesize
6KB
MD572abdb52746805b91d3a78b766fd7190
SHA14dc8b9d7f80e4bcd6cdec817989d35fb0805a133
SHA256cb5aa20ffdce9606c3020afeea9eb785da83473b950de6192781f2145468fbd0
SHA512677e8e778a2198a22badf8b0b9fda80afd7afe8f9cc2e96fc13ca5b20977384dd9ed788ef510b09dd51732f59f31ba457eabff6c96a490da0ac0a9714ccd3094
-
Filesize
6KB
MD58463502d7e519f7ce4acc53c684ef903
SHA150f5c6f7febcac3c2d36bf20fdbdc3add7f4155d
SHA256613c7c4d0a869940890ddb1e3c83e65064f7565e598bec158eef90ef7f3d3aa9
SHA512d4a8e2ccb37e2f39ef2a1581f08b9210f4be09830700327651cb3b9118a8827d21a4b195b3ede8c38e536231ae8326067a134d2174785d2e1db5fe7742e770f4
-
Filesize
6KB
MD50304325b1c9bbea5424776b09f725e1f
SHA1e82aad096aed08619394cd333fd4aaf5d97592fe
SHA2566d18fc2d41c55d80e1488dcd638a4c38ba21850a77e91b19cce0609a3f8ed6b3
SHA5129c17232ec231d26a555d82bc2a78307c64197fe1fb30a0a2b6fb62f7dd4bc98a61736f3669f02b2c9d80341095327a1a077b236623640c76c72c453d00548f4c
-
Filesize
6KB
MD523dc9ff071e7542ad3c1c1f5b35f8d88
SHA15e8becd41a5f364efb79c9b00e5d525d53edb105
SHA25698074cc9987211d6c20b91dae4c3de071b1df0a70006710090d913768ab6bab0
SHA512d2b0497ec08ada887c09bc905c80426063ba1dc94e25fdfd8ac1475286b79738c0ead47dd2d29a4a71356a46affa3024d3c230161a48f94f66dd56736e0263d7
-
Filesize
6KB
MD57e0026af58dcae8bd3cff619826b808d
SHA134698812288ef9b3e5272151504dfc604a71cb61
SHA25698520903905e9b4e81c77c835342dded362b7c72a6a08dfe953390e0a581bf30
SHA51202f32a7336537bd2f86722d7b2a4ad94bda836f989d933b16d304b165168a72219a2284082cc361dadb225c93bac3d7d195a5660b46dcf15dbcf361716386205
-
Filesize
6KB
MD5619ffb31e63bd44505f07c97df4f718f
SHA198913d8862a4ea47c0910fbcac2f340d047819ad
SHA2560c939db0f4751b953345d6dc88229daf1c283719b0232056f5a02168fdf22d46
SHA512a900e28ada69b54a4bb089ddd0d0696f2d0dd3597abe81d3a6acd1f6aea31c401beb4650d4819346a0621a5ed52a52ade3875d9c06c402015a12ee8a685effef
-
Filesize
6KB
MD5ebf5ea4fd59f4f9b12945f8fb6183426
SHA12c2834640be97fea1b7052c829de24304ab5f9e4
SHA256df57458b88c901abc8bc86afa96aa6fb03d61cb468d9ce99e5a9771553c13268
SHA5124d280b63a391107cd5d40c392158622fa6f40e6171829829fc89962bd3e70692db70aeb0c213d8d26ff53db76ed1a4ead35894ce86c5f062ab81f8adb0d670a5
-
Filesize
255KB
MD53c2b8337d60e1f897ba6722be2f3fc7a
SHA171ee0f2bb94e44c88cba74e07445d5cce3c62f5c
SHA2568a89f94e8f4a86b5902868b3bc4cf962c0d4e27fef5b1d09ddce7a4c19c86273
SHA5122d1ba3d136150b763ccc3e1ff138b36dd5b01892cfa592c512ec553467f360ba72912dfe31d107f9fa85071532609aca2bb6c654040a982ecffde6868c075192
-
Filesize
255KB
MD5bf76896142e5ac7687cb7f439d0353c4
SHA1936ee64e945f9f7c793b8a3b376a1a3a3586366d
SHA256bc125f2b4c02eac99ee2a04e31b309eb10e42f4143a7703b5706d1a8b3a2a4b3
SHA51207a0caa1852bbc36896bd7921e7465b88037f12196aaf85d013ac324ee34b8230bf1c72adbd098ae4f20ae5e250e68063f8e18fa51d8a831cce7214a585db2c6
-
Filesize
255KB
MD53e0e2889c59bd5e49c9d953823e4029a
SHA17118fa3f255f077942adc6e292f3c6254f911e62
SHA256d8dac01ae25cbf42ffaed9f48dfba441e49585cbd6acd6d38311d68fd7fe4eb9
SHA512b3c64d7dde6c33ce25ac685935e71a863ecfb83f968461575e2bffbc0b7fc03b676459739dd94e5d0f57720486c4ff467220ba298a2044563bf1d757a926682e
-
Filesize
255KB
MD5bfd332452260e31bf9b1b3e9782ad3e5
SHA15dddb03a89dd5ed688dfad9246df82106de2e4a8
SHA2569bf974894678e38507a7ca0d935c50cd18550821367caae964b9d3613f445d6b
SHA512df142c0f739cf1cc1981b18a131cd880239b51d2bc3b3ac232386b8fae9815f873a19577fb99d6767e0689087df8963778e83cdc73214a6621e958cce29f9301
-
Filesize
255KB
MD5ab7d944bcd2acf42d6dee3dac7601721
SHA1ca78d63f4ddf38fa37dcae8a761ff2ab6afc8ab4
SHA2560affaee5972a58e6ab76e9e3ddb416fcdd7196d94c11022a542e7fb13ece525c
SHA51206b836094189bc9a0745ad9b389b2a3b2a9e5bfb3e7465babe1c05b9bac64b26d3a90810bf22602f1d31960b593870b5860aa1df1a3f55a5bc015efb471a005c
-
Filesize
255KB
MD558fc4d5237a64fb719d1724f37a956d9
SHA134b54a88aead5dda3338a1cd3e6cbc4fa08649e3
SHA256d0f8998ae4ca39972fc2efd64a127e7ac2a9fc8bd690c851a7dee85ba0d045e1
SHA512559d69fb3b62123f8ef05e0c5e4a78ad0cfe8ac1e13b424d203d02102a86479fae60d87fbba03aa5cac700282012a66d51a255fdea1470c0e7215fb06007772c
-
Filesize
105KB
MD50d686e970e5921fc419ddd1e74e3b980
SHA1c7b6f81f91383bba7c9032baf0cb803ffcc07be7
SHA2563c38f6e4803f984f17cb2acf25fc9b7b966b5bccc07dba4d7f4a865ce68b7784
SHA5124513abfab3077b708b856dce3a9a69653c281298ab2eb322aa202cd91bb2b77741495d302a49a2e983df6bd5269cdeb17c42075f0b8d4a724fc4f6d03db3b2d4
-
Filesize
97KB
MD5bba7504977fe27686538e15ac707eb9b
SHA12d202b4cf45fbd32a86cf2d71bbb0f2b9ad538bb
SHA256a60e502e49d30c56926e49eeccf4f835fe42ba66bf7b3b6f057146640cfe7a77
SHA512ef85fd6e8c7337b165c4b870e11f08faca6ab904ec09aaf96d1b5dc333540799be0be65a21032f309571b630905964c9da902fbd0220ad48ac4735f84b1fe45b
-
Filesize
264KB
MD57f5e90618bde2ccaba672d03d9e976cb
SHA1624b4625fc926f0ce01991da053719b1ce6ca243
SHA256778a86d011cc61df12d0a2a0434e38f7685652644f8cf5226eb359484052562f
SHA5126e13236dba244f176c8981ef1c5705624194c7b7219635892e5852a68e9a2b0ed4c62734c051f27925469c763dc4e4d8e5fe4eff0273693bb6e00836a01ddf6b
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe.log
Filesize224B
MD50fd7fe88736c9a4c8ec918b1552b85ac
SHA19882bb999e92b1330bb88f202eb7367161fe4a51
SHA256d15c16c1ac146263045f35409849797dce4e74095ac9057f51fe530472af13df
SHA5120ff9ef334e4cc9fd6f1e1fdb5aa3b0a8aa13d5f674b48a74fc9ca15c8e25e1c63fd81e1c1fbed03350c4de3bd93b662cd69fd71b21b7be50a45ca1b536f8cb10
-
Filesize
1KB
MD5bb987b943ab9637f57b430c5c3c7f120
SHA106fe9081a43d23c9537f44a3cef2de6826e9cf42
SHA256651c0afdea1507e6c6be1f97f003c2f40000403504adb5c9f3d581b3349c492f
SHA5126221bbcf0a618f7cbb25238d6fbb3d75d3d03ca3df4f806b0991ab0fa43ad783acf549c81724c7e65eebebe6ca70557ff874b8d74708447a9999c0ef0558c6f5
-
Filesize
236B
MD5adba1b557a8db9ca0077fab0c8971106
SHA1b676220495ff3ed8c20a0990c6d2f6994f447afd
SHA2563880662e4c4c142041dc2335d7f86f2ffd82bcd6758ac1252cb2b8859f709b28
SHA5123d4aece24badee5a8a7fa55c1a827b4eb6ac469263344e6e1961bbf468168aed231e47aecd7d57bc47c05663ccb2dd0f79845cfbd40a81c7c140d0679a18f662
-
Filesize
188B
MD54416e3f74dacc7fa5fa5697c4517a783
SHA1a8d6a3e95be895ad7083de7e598f717db2293c0a
SHA256ed65fdf9878acf241ea25ee62b41d3edc0f4329369da6d5cb976aff84f58c818
SHA51298b6c69de9af9f2f5336e99cc32b2cf728037921dff1f59e66cd820da2aaa345a81bff5e49919883601c497e2afddeb101093bfbc0d4e4ce473863c6d7345016
-
Filesize
236B
MD5f3f9cc2ec8c9b63f225099877394ec82
SHA15a8627f71ac9db8e8e0f715f31edb5383887ea6c
SHA256a91acfd3edea8d3f1a4773319d880533314062024f5ad20ac1329d2dbd57fbda
SHA51253f3fe0a563b0e053001c3680247d4635b54dbc767c074810e1a8447c3a61f9e67247c4519094059d8a7a26ecefd20b3eca95da33d147ddc0953dcbeb8d47e9c
-
Filesize
236B
MD555e35d4f2a5c90922603862f84858c3b
SHA199d4c597cc3ce99731809d50d5b1c13281c6783e
SHA2564fe3c2978de9726ec42dfdf6b2e0e5dca04d0bf2cf53843d02ed4d8929528459
SHA512a2d4ff90a942123348bba40d78a5e07db56f9842649684bae82f367f16959cc0f872293ba1e87fbbb8762706a1926d7a1c999e0337b851c20e48000b1cae34bb
-
Filesize
188B
MD58b8f4e80cfa1a9a34653002e95df3290
SHA1f7558b18c88204bc6303487ca07d55124a4e068a
SHA2564b5b731fc3617dea657db348a77e6e70a30928330b2a43eb3513d0c45aa3edde
SHA512a387b90b7803999b4db45c29b9038b14f74a730e2e95dca78b1a62fb06b8cb8079b73a45d328515c1320cbfa7de7347fa01c2263cc63e90fa6fe9db337d1fca4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize9KB
MD5a40ad4ccf7c3bf5385e244bdbb793772
SHA196db6b8daadc1fa6b83428bbecb2c9172c163f8f
SHA256fdb3b4f56f4bab87bedf4539d2f127e90a7a925e7a108c60539fad8fac8c28b0
SHA512a02723b1d29412e7baf9808b9d4f84cfdbf2fa2be4f1cd3a42dd54c858d7081867af9a59b6eb3373f91625eec7c5bdeddf48f42b1132383c785415bef48b9080
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize14KB
MD576ce6945de4e8e7a4988783f762e55b9
SHA1776b057d069676ed1f45857d461a935024c1287c
SHA25635160171a48a77917f887bce14876301588ddce865420c7fd699af86ced67d39
SHA5123ccd98483a5502fee45067a6d19f5e1ac0cdc441ccf1e1055d3d347bf2debc136cb6d5723c362be838f9e0ded852400c0413628b7f7ab7f1508c875c9e525dec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize11KB
MD55c9fe2adbd2170104db27ddf15fe3a04
SHA17464cc9ec47b09b110004d369286e449a847656d
SHA256ee84a77ee4e6136de8406a66eb5af5a309365322355b122ca4f6bd6e8ef5d95d
SHA512aee4556d99fab714d07ffd615dd062109944cd701c3d7d762ee8976212dc959448281b4ade1009cc4033919480bfa575d407baa6d54af1f8793b268fa9757eda
-
C:\Users\Admin\Desktop\00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd\00034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd.exe
Filesize231KB
MD5cf0c5808d5b0b6d50babfe2244978480
SHA1816bb15e67acbf13172603682e279c46f26c809e
SHA25600034b98e4fa0f708fd27b7d3fec587058729f096c882f8f8b45bfcef7381ebd
SHA51218496d8bfd4b6db6d5e8aeda93da5ad372b2d9a33f3be9a6c956f8ef80baeed07b5015105558a99cc807c18dc5fca8809a0c268f96a5c7eb5d4330d2482c33e3
-
C:\Users\Admin\Desktop\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e\1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e.exe
Filesize253KB
MD58c3e6666d0c357de91d364231296c2ca
SHA1f0898b0471770626823c04d54c3772edbe861b56
SHA256
1249e91509e86189a4366623642f4f145bdeaae21e1ff8408a8e43ca7e3f996e
SHA512
83563a6aeb03fb9dfa9476f8d284ed42b1a40b8b07f8c2328f7265b9a642183387fe190b759e9c0e400056b95c74acc710929a83afe440c828d5865c79237962
-
C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
Filesize
2.4MB
MD5
c8563b2ecb3b0d8320758fe26142c312
SHA1
59aa8b78751b63dcaf0d3e70e4af994af97f19b1
SHA256
222ad19ac1b1401a3c2c8a53f9d12ae00446868fd5bc995a88fb5bc0ecd313fb
SHA512
170f5fe31bdca9a0a723417a7d6113a871a31bce73a11c42c2b0408939f10f9074123bd2104e874d71e400f3934c2beb9e5e3c470e92a2d8ff6c86d59163c235
-
C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
Filesize
2.3MB
MD5
a2bbc22f2f79b5fbad04b8abd98347c5
SHA1
542568d91718f25fb52c802fb20934b90a035c26
SHA256
d71dce3927eb1e8cefd2720c003e988c2373abbba983c12f830c1411da4b318d
SHA512
13d7418a4a54fe7f3784b461e1228d0a4a10106592f10f709e20675d669658eba98edd75a6fc92e59e74f3f64ba9ed1ce34e1af4b4340f2718e27035f3367475
-
C:\Users\Admin\Desktop\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd\e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd.exe
Filesize
184KB
MD5
021b477ace5e87113272fd8b16830051
SHA1
d55ddb61b67e53245adc5bd12822ea56f1602820
SHA256
e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd
SHA512
ef8c8ff1ff3326848becef2615bd2a629dd1eced13c9b9776d75f3a5cfd2e913324422f806264126befdd0d6908d16be081218ab61fe20ef95111cf9a41c8817
-
C:\Users\Admin\Desktop\ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16\ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16.exe
Filesize
297KB
MD5
9263197aa58e0e5bce76cce8f6323a9c
SHA1
06cf5f4f2c3b8a7cbf8064f15f4e6f988197470b
SHA256
ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16
SHA512
cdf2f98ac3aa9efddb8908ce1101f429bb390617638d3fdd1ad698fa03727c183879d68a4a1ee8b15a12b1f7c840b8d6df1f6fb63a95ff2ce8d0e5a40bd77fab
-
Filesize
175KB
MD5
c12755111b74fb6631afd1f9780fbd4d
SHA1
a72ba250311891f8aefc4d2115ea51a9335ab5a6
SHA256
7da806b4feb826a1a375c4664e75ce736dfc6330a6bdf9072e61ef392e499d5d
SHA512
6e786eda6008b1d6b021eac2e9070ae5a1abec30470f1fcb39a875fa104d1e431e2500bfafbbc076a09890d61323726906028f9925ec8b11c90235555f6f8179
-
Filesize
190KB
MD5
39790d8ff8a9e2e4924f6f3c92db6ffb
SHA1
a88b4d9a44ce2dd627f594e0da56a25d083f2a43
SHA256
92eec19ceb5f4483c8fbd01a2d7230731bde15a34eaf4838da8626df6ded881f
SHA512
7463e3d3b0346d41779e46aec967b293fecb73eedfe86fa509bc2b338d4ed120dbefc348f31684fc36e96852772faea8b4e6d8c8b4615fe103d7d27ec002e73f
-
Filesize
2.2MB
MD5
4e15150cde9fb15fb2e97d82f9072edc
SHA1
8e495786e4754d895042d1c8b29ccec5c4705efe
SHA256
fba7aa8767fd5c24507c221c74148560e35652fd72364723ec446f0ba9762a91
SHA512
f3801cfaf9ffccffe7a0f8659bd8909357f408c9c9e4b23e81fdffa55722856c0c575227c983020fac198d0a47004224fae2bd5220b8436c6c1c2ff998a211f5
-
Filesize
85KB
MD5
8013ce48138aed1935e4e12741c428ac
SHA1
333fb899d2a0be6838c295b164d9a085eb95834d
SHA256
f8f085f61eb7fef3c3382cfc7ee97ecdebdec39aa21f0148d1ac7c6264612a65
SHA512
e6530f02fbf07e4ee8cffbada800e2d8374a03cbe76f4828e0239f2f8cba664f9ad0daaa7065d4777e231309b4edb6233241b388a3ca82e9a5defa98d9599265
-
Filesize
286KB
MD5
996010931424183f39830f3b0b490959
SHA1
dd940d15a0f0a8622101200d6cc24825c40ab25f
SHA256
86016e72b49fdb35331cbc631df88864badb2c3d708f24051d5853d9e196ab76
SHA512
dc93402c1d58674b15e0ce2b9bfb6e2f473d8c0c9cc8f1afec32191f5706e2804c1066476122ed3d761e3fe1f1208eb435cdfde2e649fcfcf2f54919cf77dda5
-
Filesize
5.1MB
MD5
2cf3bc503cd59cac681f7c7cdf6f2965
SHA1
bafc3373e24b06393ad2ee724f5d1dcda90dafe1
SHA256
1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019
SHA512
c6e33590ef38a8c54bb56f4e137f5d4de14da7320b7a409b9f989f7bb1055610bca03b8065d3bd32038d43b2cd8c54c930b5fd09e2d766465ddcbc8f3028b0e9
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
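The listing above is the report's dropped-file hash table as extraction left it, with labels fused to their values on some lines and split across two lines on others. As an added example, not part of the report or of the sandbox's own tooling, the following Python parses both layouts, disambiguating SHA1 from SHA256 and SHA512 by digest length rather than by prefix, and then flags three things an analyst wants called out from this kind of table: an entry carrying the digests of zero-byte input (the last entry above: d41d8cd98f00b204e9800998ecf8427e is the MD5 of the empty file, so that dropped file was empty when captured), a file whose SHA256-named path does not match its actual SHA256 (both entries at the 1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe path), and a path written more than once with different content. The sample entries are copied from this listing; Dropped, split_field, parse_entries and find_anomalies are this example's own names.

```python
"""Parse a sandbox report's dropped-file hash list and flag suspicious entries."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: three entries copied from this report's dropped-files list,
# in the flattened "MD5<hex>" form the extraction produced; the last has its MD5
# label and value on separate lines. (Example data, not a new capture.)
SAMPLE = r"""
C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
Filesize2.4MB
MD5c8563b2ecb3b0d8320758fe26142c312
SHA159aa8b78751b63dcaf0d3e70e4af994af97f19b1
SHA256222ad19ac1b1401a3c2c8a53f9d12ae00446868fd5bc995a88fb5bc0ecd313fb
SHA512170f5fe31bdca9a0a723417a7d6113a871a31bce73a11c42c2b0408939f10f9074123bd2104e874d71e400f3934c2beb9e5e3c470e92a2d8ff6c86d59163c235
-
C:\Users\Admin\Desktop\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019\1978044967a8e1c7f632630bc906c6d66b0e64c3563455da5a4b029d00cc9019.exe
Filesize2.3MB
MD5a2bbc22f2f79b5fbad04b8abd98347c5
SHA1542568d91718f25fb52c802fb20934b90a035c26
SHA256d71dce3927eb1e8cefd2720c003e988c2373abbba983c12f830c1411da4b318d
SHA51213d7418a4a54fe7f3784b461e1228d0a4a10106592f10f709e20675d669658eba98edd75a6fc92e59e74f3f64ba9ed1ce34e1af4b4340f2718e27035f3367475
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize", "SHA512", "SHA256", "SHA1", "MD5")  # longest label first
# Digests of zero-byte input: a dropped file carrying these was empty when captured.
EMPTY = {alg: getattr(hashlib, alg.lower())(b"").hexdigest() for alg in HASH_LEN}


@dataclass
class Dropped:
    path: str = ""
    filesize: str = ""
    hashes: dict = field(default_factory=dict)
    malformed: list = field(default_factory=list)


def split_field(line):
    """Return (label, value) for a flattened 'LABEL<value>' line, else None.
    A hash label is accepted only when the remainder has that digest's length,
    so 'SHA159aa..' is SHA1 and 'SHA256222a..' is SHA256, not SHA1 + '256..'."""
    for label in LABELS:
        if not line.startswith(label):
            continue
        value = line[len(label):].strip()
        if label == "Filesize":
            return label, value
        if len(value) == HASH_LEN[label] and re.fullmatch(r"[0-9a-fA-F]+", value):
            return label, value.lower()
    return None


def parse_entries(text):
    # Re-join a bare label line with the value the extraction pushed below it.
    text = re.sub(r"^(Filesize|SHA512|SHA256|SHA1|MD5)[ \t]*\n", r"\1", text, flags=re.M)
    entries = []
    for chunk in re.split(r"^-[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        d = Dropped()
        for line in lines:
            f = split_field(line)
            if f is None:
                if line.startswith(LABELS):
                    d.malformed.append(line)  # label present, digest length wrong
                else:
                    d.path = line             # anything else is the dropped path
            elif f[0] == "Filesize":
                d.filesize = f[1]
            else:
                d.hashes[f[0]] = f[1]
        entries.append(d)
    return entries


def find_anomalies(entries):
    """Empty captures, SHA256-named paths that lie, and paths rewritten with new content."""
    findings, by_path = [], {}
    for e in entries:
        sha = e.hashes.get("SHA256", "")
        if any(e.hashes[a] == EMPTY[a] for a in e.hashes):
            findings.append(("empty-file", e.path, sha))
        if e.path and sha:
            m = re.search(r"([0-9a-fA-F]{64})\.exe$", e.path)
            if m and m.group(1).lower() != sha:
                findings.append(("name-hash-mismatch", e.path, sha))
            by_path.setdefault(e.path, set()).add(sha)
    for path, shas in by_path.items():
        if len(shas) > 1:
            findings.append(("path-rewritten", path, sorted(shas)))
    return findings


if __name__ == "__main__":
    for kind, path, detail in find_anomalies(parse_entries(SAMPLE)):
        print(kind, path or "<no path>", detail)
```

Run against the sample it reports two name-hash-mismatch findings, one empty-file finding and one path-rewritten finding for the 1978044967... path. A mismatch between a SHA256-style filename and the file's real SHA256 is worth a second look on its own: it means the file on disk is not the sample the name claims, whether because a downloader overwrote it, because the sandbox captured it mid-write, or because a stage unpacked a different payload in place.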
