Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-12-2024 12:27

General

  • Target

    2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe

  • Size

    4.5MB

  • MD5

    b3ba7afb650fbc73d5d7ba46d5e9f091

  • SHA1

    4f8f13afcd80d83cbe952774fee437ce32e87730

  • SHA256

    f6f84b418926af4185426db6f6ad92aff970457e1ea707413fd95137a32a908d

  • SHA512

    f86ec814fa90698baebba871a48fbbdb10b543c6cb839eba4288c2aa4865db357f371bd5dfaa95423a4f5e8c04c3a6809ad13579d88fecf69e672515d7db41ba

  • SSDEEP

    49152:8AR/SCICrtvMLtAvVfJVgbhWss4lTDRLOyR0MKGKPhGi:NdAc6yVfJVg0ss4lZiGti

Malware Config

Signatures

  • Detect Neshta payload 40 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • Neshta

    Malware from the Neshta family is a file infector: it writes itself into other executable files in order to spread and cause damage.

  • Neshta family
  • Ramnit

    Ramnit is a versatile family that includes viruses, worms, and Trojans.

  • Ramnit family
  • ModiLoader First Stage 1 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • UPX packed file 12 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 63 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-23_b3ba7afb650fbc73d5d7ba46d5e9f091_darkgate_neshta_ramnit_ransomlock.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Executes dropped EXE
      PID:2656
    • C:\Users\Admin\AppData\Local\Temp\MousePad.exe
      "C:\Users\Admin\AppData\Local\Temp\MousePad.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2740
    • C:\Users\Admin\AppData\Local\Temp\headache.exe
      "C:\Users\Admin\AppData\Local\Temp\headache.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\3582-490\headache.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\headache.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Users\Admin\AppData\Local\Temp\3582-490\headacheSrv.exe
          C:\Users\Admin\AppData\Local\Temp\3582-490\headacheSrv.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1948
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2640
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:734212 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:1440
    • C:\Users\Admin\AppData\Local\Temp\screenscrew.exe
      "C:\Users\Admin\AppData\Local\Temp\screenscrew.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SCREEN~1.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Users\Admin\AppData\Local\Temp\3582-490\SCREEN~1.EXE
          C:\Users\Admin\AppData\Local\Temp\3582-490\SCREEN~1.EXE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1232
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\20min.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Users\Admin\AppData\Local\Temp\20min.exe
        C:\Users\Admin\AppData\Local\Temp\20min.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2336
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\EARTHQ~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1680
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
        C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE
        3⤵
        • Executes dropped EXE
        PID:2744
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Blank.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\Blank.exe
        C:\Users\Admin\AppData\Local\Temp\Blank.exe
        3⤵
        • Executes dropped EXE
        PID:1736
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Bubbler.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1296
      • C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
        C:\Users\Admin\AppData\Local\Temp\Bubbler.exe
        3⤵
        • Executes dropped EXE
        PID:1312
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2948
      • C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
        C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE
        3⤵
        • Executes dropped EXE
        PID:1932
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:836
      • C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
        C:\Users\Admin\AppData\Local\Temp\DSCROL~1.EXE
        3⤵
        • Executes dropped EXE
        PID:2232
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flip.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1356
      • C:\Users\Admin\AppData\Local\Temp\Flip.exe
        C:\Users\Admin\AppData\Local\Temp\Flip.exe
        3⤵
        • Executes dropped EXE
        PID:1436
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\halyava.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\halyava.exe
        C:\Users\Admin\AppData\Local\Temp\halyava.exe
        3⤵
        • Executes dropped EXE
        PID:908
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Hello.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:952
      • C:\Users\Admin\AppData\Local\Temp\Hello.exe
        C:\Users\Admin\AppData\Local\Temp\Hello.exe
        3⤵
        • Executes dropped EXE
        PID:2116
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Invert.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2128
      • C:\Users\Admin\AppData\Local\Temp\Invert.exe
        C:\Users\Admin\AppData\Local\Temp\Invert.exe
        3⤵
        • Executes dropped EXE
        PID:1760
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\myWeb.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1156
      • C:\Users\Admin\AppData\Local\Temp\myWeb.exe
        C:\Users\Admin\AppData\Local\Temp\myWeb.exe
        3⤵
        • Executes dropped EXE
        PID:2148
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Patterns.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2440
      • C:\Users\Admin\AppData\Local\Temp\Patterns.exe
        C:\Users\Admin\AppData\Local\Temp\Patterns.exe
        3⤵
        • Executes dropped EXE
        PID:896
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1768
      • C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
        C:\Users\Admin\AppData\Local\Temp\STRETC~1.EXE
        3⤵
        • Executes dropped EXE
        PID:812
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1572
      • C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
        C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        PID:2736
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\430A~1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2656
      • C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
        C:\Users\Admin\AppData\Local\Temp\430A~1.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2556
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BURP.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2808
      • C:\Users\Admin\AppData\Local\Temp\BURP.EXE
        C:\Users\Admin\AppData\Local\Temp\BURP.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2720
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Viagra.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2868
      • C:\Users\Admin\AppData\Local\Temp\Viagra.exe
        C:\Users\Admin\AppData\Local\Temp\Viagra.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2004
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
        C:\Users\Admin\AppData\Local\Temp\ANTIPUSK.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1324
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PUSKDLL.DLL
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1820
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Porno!.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:652
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\krutilka.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\krutilka.exe
        C:\Users\Admin\AppData\Local\Temp\krutilka.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1588
        • C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
          C:\Users\Admin\AppData\Local\Temp\krutilkaSrv.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1016
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1812
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:704
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:704 CREDAT:275457 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2712
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Aforizm.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:604
      • C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
        C:\Users\Admin\AppData\Local\Temp\Aforizm.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2864
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GECCO.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:776
      • C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
        C:\Users\Admin\AppData\Local\Temp\GECCO.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2464
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FILE_ID.DIZ
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2436
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Flipped.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2680
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
        C:\Users\Admin\AppData\Local\Temp\E1F4~1.EXE
        3⤵
        • Executes dropped EXE
        PID:2728
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3024
      • C:\Users\Admin\AppData\Local\Temp\Stub.exe
        C:\Users\Admin\AppData\Local\Temp\Stub.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2976
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "Stub.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:844
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:816
      • C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
        C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2536
        • C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
          C:\Users\Admin\AppData\Local\Temp\DROPPI~1Srv.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:700
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2080
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2928
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2856
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ERROR.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
        C:\Users\Admin\AppData\Local\Temp\ERROR.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:316
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MouseFX.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1812
      • C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
        C:\Users\Admin\AppData\Local\Temp\MouseFX.exe
        3⤵
        PID:2508

Network

Downloads

    • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

      Filesize

      859KB

      MD5

      02ee6a3424782531461fb2f10713d3c1

      SHA1

      b581a2c365d93ebb629e8363fd9f69afc673123f

      SHA256

      ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

      SHA512

      6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

      Filesize

      547KB

      MD5

      cf6c595d3e5e9667667af096762fd9c4

      SHA1

      9bb44da8d7f6457099cb56e4f7d1026963dce7ce

      SHA256

      593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

      SHA512

      ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

      Filesize

      186KB

      MD5

      58b58875a50a0d8b5e7be7d6ac685164

      SHA1

      1e0b89c1b2585c76e758e9141b846ed4477b0662

      SHA256

      2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

      SHA512

      d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

    • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

      Filesize

      1.1MB

      MD5

      566ed4f62fdc96f175afedd811fa0370

      SHA1

      d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

      SHA256

      e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

      SHA512

      cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

    • C:\Users\Admin\AppData\Local\Temp\20min.exe

      Filesize

      84KB

      MD5

      f06f1ee47df12256990a6f81249661de

      SHA1

      4e1fed25a57e49102cf2a45862d478dc8d68cafc

      SHA256

      68b76252d3140cc1e3944898dde0d198131e1758bda1a83596e2811a18875b66

      SHA512

      c3827de7b15dda80f11504b932db790f68d4d4e3fcc27abab5c5d97f25eebac7586664872f36434c928bbb010d6cd5a3977e97b29c4f9cd7d0b49a43daf7394a

    • C:\Users\Admin\AppData\Local\Temp\3582-490\headache.exe

      Filesize

      172KB

      MD5

      7eb8c9c1701f6b347721b42ba15c0993

      SHA1

      13e62637aa5c402383f5665d20c7491c51bccbdc

      SHA256

      6d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2

      SHA512

      22572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072

    • C:\Users\Admin\AppData\Local\Temp\BLACK&~1.EXE

      Filesize

      14KB

      MD5

      00dd057add024c605c0414a985d31c32

      SHA1

      1d00812873ff86b33120923b705c872e13efd5cc

      SHA256

      2665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af

      SHA512

      3eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226

    • C:\Users\Admin\AppData\Local\Temp\BURP.EXE

      Filesize

      311KB

      MD5

      76047996f4f4ff35476d1d961ea7ae85

      SHA1

      171026463d36aee9df90166ff3c9cb93e3b0e76b

      SHA256

      4f29dec6e66bf0aef0a30275f45eebadd50a42ad4b13b28ed8307ab4c403533e

      SHA512

      d24b64b87660dcdc9168efca1ac5c7047a27c3cafb23b81f203e6e734c855dc2d32921908e98f03191e872feb5719518dbe469762021b19b485b498db96ef5ce

    • C:\Users\Admin\AppData\Local\Temp\Blank.exe

      Filesize

      71KB

      MD5

      5c70d18d0078e484a9a0a40f8f585bbb

      SHA1

      b3f886d37be5d04bfa5ac93b5d30c9b5cab72e21

      SHA256

      81252087cbffce0278cb4fc96ef4e38902d3a2a353fa761fe1a979c7bf959dcf

      SHA512

      67020862c4409ed267819016c1a76fd08010a5e34274ab17bab76d6fda0d8792deabb509b43580c3ee7c870b770151aa196d812f1cc4040b8ac2bc286fe8c6c5

    • C:\Users\Admin\AppData\Local\Temp\Bubbler.exe

      Filesize

      67KB

      MD5

      5c8434c362e791e2d40dc47603d2b552

      SHA1

      3181705211deaa2204b4e936e196411a2f0e7b87

      SHA256

      65ee141434e58dddb67d135728d5f8dfb38ee28fc4627b4c5ce3a831c3a724ae

      SHA512

      a4907232d77278cfdbd67ba75dc6fb48f0ce162623126f57efd04ef816fe396f4eb68dca1eaa7876d3a683472f473e229e689b3f75b9fd80a2ceb369dc227110

    • C:\Users\Admin\AppData\Local\Temp\DESKSC~1.EXE

      Filesize

      8KB

      MD5

      d704b61a5521a22261ee9025259374fb

      SHA1

      a55a7211c0b2ef2d04824b897ee8ba4d20af6874

      SHA256

      8d4383f98fb673652fda948463e2cd0957ce3c6a1f7912d38245b14cc0e7c4dc

      SHA512

      105f600c76d591909c315ccdb56917badc8b03f81dfe46530db4c4fc03459bfd2b527cc1f81e9d63cbd5c7f7e2447ecfbfb541bb2dca9efd6fca5ade9a0eaa58

    • C:\Users\Admin\AppData\Local\Temp\DROPPI~1.EXE

      Filesize

      205KB

      MD5

      375a2cfdd9fef84d768ec6fe4864637c

      SHA1

      e936dcde05852641ebc26f900e4be79536b46006

      SHA256

      0f3a8d1bdb5906503c3379e87c83509485d725f41e2ab46cc09bd2a4d89ed6ab

      SHA512

      a2e946074d9a926ce1e5ab8f4e65bfd637410d4a5baca71c8b1aaad5ab6eaac63d0bbd710b0554061c1b43efe67ca3374835453d86ff34607b9a0d85718f9eda

    • C:\Users\Admin\AppData\Local\Temp\EARTHQ~1.EXE

      Filesize

      5KB

      MD5

      7320032b2b46c07b4a432745829223b3

      SHA1

      23386c3d89290ecc3d47c4a626cc7cc68ad2ef5a

      SHA256

      834ae4c2ca0b332fafcc6abb2ce7d5fa4c5ffb1778fc1280fe1f09f65f1ecc9a

      SHA512

      312ce17c8b3203928ffd8eca3aa94f3b04194e89e12ff25cffb370722636994f100708e05ab9782ca90756eb92607d6126ab72ee60726d3a0a1dc2320e208684

    • C:\Users\Admin\AppData\Local\Temp\ERROR.EXE

      Filesize

      383KB

      MD5

      a4511b80eff4f5007db396d4d5945000

      SHA1

      96b46a299f8cbdae9709f9ead1263db93d75dba8

      SHA256

      88f14d21db721241a476936b0d249dd51f845c0023222aee35110fd96fa05dc2

      SHA512

      75c729fa641fc49dcee4c8255d8b6d6c5436bcbc1ee43264cba936f93d634ef2d1dcc6bfd9eed7cf68f3f04d5a683ecc5597d0c524238328852d1c036942f007

    • C:\Users\Admin\AppData\Local\Temp\GECCO.EXE

      Filesize

      1.0MB

      MD5

      42dd94809ad0c60480690c0ae0019ee8

      SHA1

      d578fb2fc7c0b08a8ebb375e920d3602a70a098d

      SHA256

      0040cd2d77e8f81db7414c284bf9828348d7b3a5a5322177fd9e8151fc00638f

      SHA512

      b8ba04feb9e2a6b15b017af6d2af55756987ac33de1c0740208ac09f402218ca585bbe0e6ce91b8aa50b0653fc8999473c1ed34c3b1a0d5e87b21ce35c19470b

    • C:\Users\Admin\AppData\Local\Temp\PUSKA_~1.EXE

      Filesize

      214KB

      MD5

      47c74a609a29a07bc46ed4b08d7b2e53

      SHA1

      5123c36d3c406ed7bbecd0fc06132351205f6cea

      SHA256

      f2a77abec4c54f4e896848622a61592e3a50a744002ef3dc50734f024207f9d9

      SHA512

      471debf83743d5726598432367a84efe02c44df8ee40274bf22815e34e2975d55bd169ea889e950c66a56e92295690cb73f009439655d091332fdb6e51133b43

    • C:\Users\Admin\AppData\Local\Temp\Porno!.exe

      Filesize

      192KB

      MD5

      7504638de13c91d3de4701bc5eba895e

      SHA1

      9db65ccbc5d16a692a5a1d7ab883786281bf3345

      SHA256

      c11a3234a6037f762a40d6694a66f2a3f99d7fb792ec9bfdd988fcc53cc08301

      SHA512

      1a0acb104b1b5d8a62a5c9450110aef4b87a399823c1cb9372f305ae98342389795283bb7b74f4a1351f9411a469a5ec0ff8dca1562ebc6d63863ba15bec4ccf

    • C:\Users\Admin\AppData\Local\Temp\Viagra.exe

      Filesize

      433KB

      MD5

      81d6608d365553332b24d7010bfa3db5

      SHA1

      84755b2ac2d7d89d7ae65beb5c1c3fc7af382153

      SHA256

      52d9642c0148b215088b1fee8da5325a3f0067fa69132e75477e67e702f3d053

      SHA512

      42af9e30321657b23bc748f1434382cae414ca22ed6f941d5258db9ed35bffa7805abe3814a849154df49544a5a670c2d874eb8dd385a914240a1efe41f5ab56

    • C:\Users\Admin\AppData\Local\Temp\krutilka.exe

      Filesize

      65KB

      MD5

      c1de9eca3223daed0bc2ae4816193d94

      SHA1

      802d287f4b04454349ca29edf759c8a17c1001fa

      SHA256

      da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

      SHA512

      1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      ca9da789285d8480041f990a5826b434

      SHA1

      b984cd9b3480ade14641d8fca1dd43061fc97c7a

      SHA256

      a6aa6760eb41684f489497aff3c34e48b7446f6fcf35ea687b0d05c24aeeb2d6

      SHA512

      13fc1b80b9bd6293970ab624b8479f9c13b7e42eb846ee0f0b4b9947e84235c70184a0f886b70f68265575e2a278548b3536577c439f09b279ce171403ac46e6

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      c174d288b05a38ee8221fbcc5bd7e6d5

      SHA1

      231fc93e554939469b6182d4d3aa70bc8cda5f9a

      SHA256

      12b8369b496c50eeb7d0677ebd95b770f339e22e797ab688358eea6511314696

      SHA512

      440537220d1802a66435eac61085efeba97063643d9c2b5a1940a40e0d31158ba31d06d5d29964afffcc06725f35980ac413f05db16957074ae85b415c9f8846

    • C:\Windows\directx.sys

      Filesize

      47B

      MD5

      abdd43c95f7409f3f56fa2136aa7b019

      SHA1

      0b1e299d9c33ba0fb109530bd7d85e4e1cf2dd79

      SHA256

      7d2f33c94a25d16d1470740b86763e103c11bfb2477f61076d3663bfea762022

      SHA512

      9ac07533873d5afca79dce573dc7b47ee31b1dac2140155ddad5463574418c0d67851cb3079ee73c575145356d9e6955d32b2a8b4029078de51dbb6e558064d6

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      c5dcdd951acc04fe426a82e965960dda

      SHA1

      1b17cf9868de2822bf7301233672917618d40bce

      SHA256

      8bbc419c8181c116d356148de5403bea85971c5a0f9aa6a78552127d3bb61d28

      SHA512

      edb757fb7b858082a953a57548e5f96d786735f28c72dd1d103e71ff4e4cbd0c1de974737d9c20c2ac744f3d6ca4d648a9dcb1d3b3d4ade30428969a6447db76

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      0d59b24aa20f45ec904baa2c50c0db7b

      SHA1

      d3286a9182454ff6c9184d1957e7f016dd507025

      SHA256

      a6e2fe46a70a8508d36ffce7a02c961f0ead8357a106038d58321be2207201ce

      SHA512

      8cc10071627557d60bd37c14513feafe3c527045b08f513b0aa6e1ef86ec114382bc36678a49106350a84c12e354203849f64b8c2f0d67b72289cc226c1fea8a

    • C:\Windows\directx.sys

      Filesize

      44B

      MD5

      fda4f502731bda201b6788e8497f4c53

      SHA1

      ad476d40ac9beb57281255bc38587504f597f539

      SHA256

      c44bfc4cfe40f2547ff7beabf1ce602b0481f21d9764260bad52856e28fa6b04

      SHA512

      9c5be9356982bc3e2082823edcb77d777507d8b0ceb8ffce58eb9f0ed9f1821704cdf5b634a1573e053b054dc60a8c99499560338c85b75260aed2d680666bbb

    • C:\Windows\directx.sys

      Filesize

      47B

      MD5

      9f4b8635f615b9ca53664130d4b2bf22

      SHA1

      c0305580fb4b2f16cbf3cc8342b717e94f4f42a0

      SHA256

      87e46c36eeb5e5ddd680ba26f0086e72549816162ae3ff7d4abbb0422e77bc5f

      SHA512

      a08bb2e3f731e801615e4bcc07cd202373c32d0fb0e174b9a6f206203b378bcb3925faecc9bcf690b2d8484d4ffce7edcb90b7e3b7a1261b441ec5af2112368e

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      21d6ae7029f90c664bce7252c3a55faa

      SHA1

      d7e0029d055d7991756de8af7b6780c3b76be080

      SHA256

      b3bdd2b0422dec2799dcc60bad78629be56f0cbc0c952841af1cf63be12fd071

      SHA512

      35c181636a7cb5c604d02fe9a38e780e3c49dbabeea58246c01c9e4aa72505b35f3d66ec405a9c600cc2ceba300333ce01f1460db9bfb1a6770968a04081b5c9

    • C:\Windows\directx.sys

      Filesize

      46B

      MD5

      3bfee03ca953e08369cd4f4e2d9ddfdb

      SHA1

      3c3864e518a15a96b5b2276774d4bb27c73166aa

      SHA256

      56b0e4b578f2f4b829517d787501f8d477ae38c8ae735577cc4566b2ca29c669

      SHA512

      9b67d59b161c27971c9ec765c466492e0d28b47bb5a3e5f9a3324e03b9bf2ef46f3aa568726fa99213a7b31b3a98054af2f31529a11e65f77ec6996a243d4d98

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      ce78a8be53539b1634aa78756399b69a

      SHA1

      121278762d71392cb961e01c6223f99c30c373c8

      SHA256

      74751b73e6dec718f46989df3011aae54b2969982a658d06528060faa87de47b

      SHA512

      8bf684a04daeaa6ae2718b61aa06e9681e9db57545218cad8f061abd60fe03ea4639d85b0d9ff86100badb49625fd4a850f9921ca40d3d065ae345fe9b91af59

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      cd0aab597e41fcb374029f1df65b7092

      SHA1

      5930309d2b6d88e9e62aac4ca0076260f77eaa31

      SHA256

      f78f00e2e44c770730c33cfdd9aea49c13bd67d510fcbe8b9b9894168d39b957

      SHA512

      ebfd3bd7d067754a95acfa73db8980d89334fdd8cb87dd8f6943c2222d39e719125911b2c41dfa3a6a5f13ead076f535408a046356e6de5fb623a6c5080d8266

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      8b09ebf49aa3a36bc1da0b239c6558b8

      SHA1

      fcc63e84d593a16670a4a44c62f60fd40ceb5d5d

      SHA256

      3f154869608ac18a62c7910d426133b4a43feee9e158b65ee16977d280371462

      SHA512

      bea989f0bc86359579df596e16036bc326d017d42b896fc6849e6c006ff8d9d86865143b2d1a0c76f2767fa885ab59ea7b1506ae38fff3d8c31c9b0219254eee

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      9a1f190e77f9890ee1f6c1d2ae0dccca

      SHA1

      a000d6d3122f8742352798de0f09305efc481364

      SHA256

      05d4c50a1bdc0ac53b121ae14de84551a75416c2e2aabb377eb7abd700fddd42

      SHA512

      797421923afe9a924e07ead4d06818f8cfff17c6d7ad5a8a98819db99a8b6b0a1d2b9551bc9bb195d12951eb4a3e10f8164e9ea7af6f7eda58007107c1b54335

    • C:\Windows\directx.sys

      Filesize

      46B

      MD5

      135ac7bc37eb453e3832dc4f855ad4f3

      SHA1

      d2a32700ef1ae8e116bdec90cfb7041594d1b307

      SHA256

      2c2671e970f826a075e17e316f6cf7321a365190c1930687134a08c3a79297a9

      SHA512

      650d6ffe2343400f93c44f2379f680c4582df18c581a4d9ecd1e47a591a7ad098fda68979d24912455984223e0018098a5a4792f5c04ed32a588c1c1e1b3f0a1

    • C:\Windows\directx.sys

      Filesize

      44B

      MD5

      56e740b72f8dcf1aab85d53ddb63a7ee

      SHA1

      2dbef9cb11b778afaf5e0b3f27d0d348de80fac4

      SHA256

      ba11812098cc3c5801a4b1eba675e1e3ab22ed0979b2c7b5da74e718f86eb196

      SHA512

      622488bc0e9b02f5b3c484862f699d665125e95c0d7d0b93b28b6cdd327a82bc0b8b7f7154f9df1d333cd7707ebab103c32cbfedef63b8793db805ea22cf5822

    • C:\Windows\directx.sys

      Filesize

      46B

      MD5

      45e25a10530441eca16e2b927d8a1f26

      SHA1

      63b4729e705ccce1adb72f51cc8e60acb6575e90

      SHA256

      e8d521206c7c7f2ca8a336b519f94e23f705eea3eff6d9793b167786cf35eec6

      SHA512

      93450dc53335b01e645fc25d80b0b56342c87c7bf4e6ae778c7b05a7136fa9e780eef23dcd5c7f94af2f9e04c590ab7574d61434dcf0a2299a39e40eb58a9916

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      a67c4f59dad32b4a05e162dfcdb95970

      SHA1

      d73b1bcc2381e4f3b8ec83a25d3839f6e65236fc

      SHA256

      84f6a51f6814de849fa083f6250eef43d6c44d10ce4f5319a4a999bea64530cb

      SHA512

      2432a578c0f77b6e30431d224750c48b2f95a6c62448377bbf0a7645d0fae040d4baa67d080f867467348f262a6df9cf222b064fb9268da08a0c3bfc387a426b

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      eda1a1c1b267107a1a07a64ee58b2e1b

      SHA1

      6bc4cb3faac2759278b43df8dffc3a0134b3addd

      SHA256

      261f5176179b15dcb678372346f07eb8ab7b9d1ead0e8b03619242692f3b94a8

      SHA512

      1e1189de24b4dfc01df164f75e5c891e6cbfa069d5a0ad2d392fe0496c29035703099f0870cbf02ee3bd06f48aa7fa0d96f7252bc12955e6900e695e9a1789a4

    • C:\Windows\directx.sys

      Filesize

      47B

      MD5

      a53fc8e71eda60f1bc0565db9af95546

      SHA1

      bd862b7ec3e26ae667b4bba98cf42d1ba71c5b09

      SHA256

      087e833a9582574c71016fb1dc1887e4d86304b7d0528ad913537bd8495b3914

      SHA512

      51ccb99753a5eb0bbadfbe90ff119535c520b4ce6d7990cddc7ce18acd4e2e77c4becce020612f42ae20c4f7eedb783d38ef1981b1c98a61e778622d2eaf618f

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      b541fce0f8255a19da78278e8938d535

      SHA1

      37e751748a6b3112e944c17b0e763a591c350ca0

      SHA256

      29e57547d9a1461be0152e5270479884bc1078ff87293b47b8e0058b78a55395

      SHA512

      096c0791bf625e725665b0a2bf761244aa255eb70a1fa4c21585252f81c325b275427cd35704318496bfaa20e6d4a3515388d1a17b1eb5a7b33e5fa5b06b4109

    • C:\Windows\directx.sys

      Filesize

      47B

      MD5

      7e359bdef24d4f0760b85b05a5b2c3c4

      SHA1

      fa377ce2402729bb68c09da249c5c1882acaf547

      SHA256

      3574367152f10742e7be63b461ed8b5df17d061e1f5e218344a0a50db25a8094

      SHA512

      461f5e5623cfb48c051f9710430fe6e2874432408555c42196a2377185f7aea86f5fd07d0dda60fbf566de21d92f9cb59174f4ea9248b210252aece51640cbee

    • C:\Windows\directx.sys

      Filesize

      46B

      MD5

      de1824ddd6b5fab1e5f0e4d103c40f47

      SHA1

      ce062719a266f974bfb17a8371e7419fc1989e74

      SHA256

      419597f7a9cdd954106d5000d85b427e3d311f4d37fefe75dc83b01d81ecd4d2

      SHA512

      3c2413fccbcb9f9d777a4d66c7a4969e6c0cd2e034280fc59e30a586d79dcf04ecc8d3dd58f4525c31062f87b5f1fd65492e2984cee351de9e385f298e33cb04

    • C:\Windows\directx.sys

      Filesize

      48B

      MD5

      817076cc58618b0cb92ff3ae6c5565a0

      SHA1

      ed2e6e0f3eacf3716a1841a921d4bb6be43df128

      SHA256

      7a16741573b93c405cb4938b776132abf5a3c8a3be205f33e68e6755caca432c

      SHA512

      771b50827010c76eb884e4c437ef6aed86bb13589d225db46af4ac93b9039133003730364b9446161791db3b9c30bc8267c694b0d5f089531487c1f84753fcca

    • C:\Windows\directx.sys

      Filesize

      45B

      MD5

      536f9de9cb62b5fe04601c00c6621595

      SHA1

      1e612fa28ce3c672eb44e3bda9f057c2de8e4a84

      SHA256

      66cac746e3879b021194f6742e38ba31f9f16b32f204a1e4dc26981ac305c44a

      SHA512

      84d5567a15db23a2d063950121d4bd88f440408a38d4c5d5e1e3c9be25e5599773d46c60dd1e0c4de59295477c23745bf20063b8acda0f9b4e60cada61208413

    • C:\Windows\svchost.com

      Filesize

      40KB

      MD5

      51de8a63b5a590ce6504d2fa14a23659

      SHA1

      72994aaf41378cc91e197ffa26f78b2226623751

      SHA256

      93a337038058b54f864906972ef34926be8316a49d5b72190c0134f54ed8ce21

      SHA512

      78fa2853da3220f62acf5990a1d7d9165eeee1b1256e7c9ff7887332377072d2389c99d19779fe1a0182094217e5e17a7bc7da8f568b54ca69a68f62584fda9b

    • \Users\Admin\AppData\Local\Temp\1.exe

      Filesize

      9KB

      MD5

      26abb9e459e5976f658ce80d6433f1b1

      SHA1

      3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3

      SHA256

      60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12

      SHA512

      c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

    • \Users\Admin\AppData\Local\Temp\3582-490\SCREEN~1.EXE

      Filesize

      111KB

      MD5

      e87a04c270f98bb6b5677cc789d1ad1d

      SHA1

      8c14cb338e23d4a82f6310d13b36729e543ff0ca

      SHA256

      e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

      SHA512

      8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

    • \Users\Admin\AppData\Local\Temp\3582-490\headacheSrv.exe

      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    • \Users\Admin\AppData\Local\Temp\MousePad.exe

      Filesize

      32KB

      MD5

      8b74b02f17593680f4bdb4ffb578ef86

      SHA1

      c76998140974d7c14d44c998549a681c7c712164

      SHA256

      9893494bcef02c6e63e4bfce830f5d33d2af1056b220a3469bc00df059b25013

      SHA512

      225592139afe6b7dffca3b2a0b13047a5988e43ddf77fd725c137f6c8960cb987185d8f559af92faadc0275be4f31a1da51a1bb36011f9288949510af4efd554

    • \Users\Admin\AppData\Local\Temp\headache.exe

      Filesize

      212KB

      MD5

      76ce4661b60461154ffcfd8fb51b6c57

      SHA1

      b9e71d6126d7db063febd0f7306095a030ead84b

      SHA256

      6e363c4d8d13b353529b11881f5fdcc1138e93df104b24d31d3ce566ffabe8de

      SHA512

      42f970e5929039ca68649998bf727aaca3bad0a7f0563399c11904aaa5378b72b0fb2d6dcad724119cad10f9792c348aa444b94413e132fac35494d275dde3bd

    • \Users\Admin\AppData\Local\Temp\screenscrew.exe

      Filesize

      151KB

      MD5

      1c78e0c700a71e5894ed013058bdee7a

      SHA1

      62f01b0dae3f46fabd25ee38ab18581b6ab2a74d

      SHA256

      0be4b9f91a69ba196afa99e71925da5d72c9f94a2974ebcdc49d7dbb42374a93

      SHA512

      f28fb376e4bd700e62a25e760d1c8f195e0e7995f17b0fee65969241c085bc2349ff2cc2a4e3e479675c2ea445752824053730fdcc4dcf724376a0899b6c4c85

    • memory/604-392-0x0000000001D10000-0x0000000001DFC000-memory.dmp

      Filesize

      944KB

    • memory/604-391-0x0000000001D10000-0x0000000001DFC000-memory.dmp

      Filesize

      944KB

    • memory/652-615-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/700-515-0x0000000000240000-0x000000000026E000-memory.dmp

      Filesize

      184KB

    • memory/700-520-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/816-502-0x00000000002D0000-0x0000000000341000-memory.dmp

      Filesize

      452KB

    • memory/816-497-0x00000000002D0000-0x0000000000341000-memory.dmp

      Filesize

      452KB

    • memory/836-596-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/952-225-0x0000000000220000-0x0000000000229000-memory.dmp

      Filesize

      36KB

    • memory/952-599-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/952-226-0x0000000000220000-0x0000000000229000-memory.dmp

      Filesize

      36KB

    • memory/1016-378-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1016-373-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1156-601-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1232-591-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/1272-310-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1296-594-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1356-597-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1572-277-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1588-456-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/1588-458-0x0000000000220000-0x000000000024E000-memory.dmp

      Filesize

      184KB

    • memory/1680-610-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1680-590-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1736-174-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1736-737-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1768-603-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1812-381-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

    • memory/1812-555-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1932-195-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

    • memory/2016-123-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2116-749-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2116-227-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2128-600-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2132-159-0x00000000001B0000-0x00000000001CA000-memory.dmp

      Filesize

      104KB

    • memory/2132-593-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2132-158-0x00000000001B0000-0x00000000001CA000-memory.dmp

      Filesize

      104KB

    • memory/2296-68-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2296-88-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2332-364-0x00000000002B0000-0x00000000002CD000-memory.dmp

      Filesize

      116KB

    • memory/2332-454-0x00000000002B0000-0x00000000002CD000-memory.dmp

      Filesize

      116KB

    • memory/2432-552-0x0000000000400000-0x000000000087B000-memory.dmp

      Filesize

      4.5MB

    • memory/2440-602-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2520-598-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2528-604-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2528-592-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2536-504-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/2536-586-0x0000000000400000-0x0000000000471000-memory.dmp

      Filesize

      452KB

    • memory/2556-614-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/2556-631-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/2656-298-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2656-10-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/2680-608-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2688-66-0x0000000000220000-0x000000000024E000-memory.dmp

      Filesize

      184KB

    • memory/2688-194-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/2688-64-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/2688-224-0x0000000000220000-0x000000000024E000-memory.dmp

      Filesize

      184KB

    • memory/2720-636-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

    • memory/2728-766-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/2736-607-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

    • memory/2780-588-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2780-634-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2780-612-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2808-635-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2864-764-0x0000000000400000-0x00000000004EC000-memory.dmp

      Filesize

      944KB

    • memory/2864-394-0x0000000000400000-0x00000000004EC000-memory.dmp

      Filesize

      944KB

    • memory/2868-322-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2880-125-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2948-190-0x0000000000220000-0x0000000000228000-memory.dmp

      Filesize

      32KB

    • memory/2948-595-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2948-191-0x0000000000220000-0x0000000000228000-memory.dmp

      Filesize

      32KB

    • memory/2988-99-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2988-97-0x00000000002C0000-0x00000000002C1000-memory.dmp

      Filesize

      4KB

    • memory/3024-571-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3052-457-0x0000000000220000-0x000000000022B000-memory.dmp

      Filesize

      44KB

    • memory/3052-455-0x0000000000220000-0x000000000022B000-memory.dmp

      Filesize

      44KB

    • memory/3068-446-0x00000000003D0000-0x00000000003FE000-memory.dmp

      Filesize

      184KB

    • memory/3068-517-0x00000000003D0000-0x00000000003FE000-memory.dmp

      Filesize

      184KB

    • memory/3068-58-0x0000000002C70000-0x0000000002CCB000-memory.dmp

      Filesize

      364KB

    • memory/3068-587-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3068-633-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3068-54-0x0000000002C70000-0x0000000002CCB000-memory.dmp

      Filesize

      364KB

    • memory/3068-611-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/3068-192-0x0000000002C70000-0x0000000002CCB000-memory.dmp

      Filesize

      364KB
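The entries above are the sandbox's dropped-file and memory-dump tables flattened into one bullet per artifact followed by Filesize/MD5/SHA1/SHA256/SHA512 label-value pairs. Two things in that list are worth checking mechanically rather than by eye: the same path `C:\Windows\directx.sys` is written 24 times with different contents, each only 44 to 48 bytes (consistent with a file that holds a Windows path, which is how Neshta uses it, alongside installing itself as `%WINDIR%\svchost.com` and unpacking the original host into `%TEMP%\3582-490\`), and every `memory/<pid>-<n>-<start>-<end>-memory.dmp` entry carries a Filesize that should equal `end - start`. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses the flattened layout back into records, verifies that each hash is well-formed hex of the right length, recomputes each memory region's size from its address range and compares it with the printed Filesize, counts rewrites of the same path, and flags the Neshta install locations. The embedded sample copies three file entries and one memory entry verbatim from this page and adds one constructed memory entry (pid 9999) whose Filesize is deliberately wrong so the consistency check has something to catch.

```python
import re
from collections import Counter

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = ("Filesize",) + tuple(HASH_LEN)
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
# Paths the report shows that match Neshta's known install locations (lowercase substrings).
NESHTA_MARKERS = ("\\windows\\svchost.com", "\\windows\\directx.sys", "\\3582-490\\")

# Constructed input: three file entries and the first memory entry copied verbatim from the
# report, in its own layout, plus a memory entry (pid 9999) with a deliberately wrong Filesize.
SAMPLE = r"""
• C:\Windows\directx.sys
  Filesize
  48B
  MD5
  ca9da789285d8480041f990a5826b434
  SHA1
  b984cd9b3480ade14641d8fca1dd43061fc97c7a
  SHA256
  a6aa6760eb41684f489497aff3c34e48b7446f6fcf35ea687b0d05c24aeeb2d6
  SHA512
  13fc1b80b9bd6293970ab624b8479f9c13b7e42eb846ee0f0b4b9947e84235c70184a0f886b70f68265575e2a278548b3536577c439f09b279ce171403ac46e6
• C:\Windows\directx.sys
  Filesize
  45B
  MD5
  c174d288b05a38ee8221fbcc5bd7e6d5
  SHA1
  231fc93e554939469b6182d4d3aa70bc8cda5f9a
  SHA256
  12b8369b496c50eeb7d0677ebd95b770f339e22e797ab688358eea6511314696
  SHA512
  440537220d1802a66435eac61085efeba97063643d9c2b5a1940a40e0d31158ba31d06d5d29964afffcc06725f35980ac413f05db16957074ae85b415c9f8846
• C:\Windows\svchost.com
  Filesize
  40KB
  MD5
  51de8a63b5a590ce6504d2fa14a23659
  SHA1
  72994aaf41378cc91e197ffa26f78b2226623751
  SHA256
  93a337038058b54f864906972ef34926be8316a49d5b72190c0134f54ed8ce21
  SHA512
  78fa2853da3220f62acf5990a1d7d9165eeee1b1256e7c9ff7887332377072d2389c99d19779fe1a0182094217e5e17a7bc7da8f568b54ca69a68f62584fda9b
• memory/604-392-0x0000000001D10000-0x0000000001DFC000-memory.dmp
  Filesize
  944KB
• memory/9999-1-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize
  108KB
"""

def parse_size(text):
    """'48B' -> 48, '40KB' -> 40960, '4.5MB' -> 4718592 (the report's rounded units)."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)B", text.strip())
    return int(float(m.group(1)) * 1024 ** "BKMG".index(m.group(2) or "B"))

def human_size(n):
    """Render a byte count the way the report does: B, whole KB, or MB to one decimal."""
    if n < 1024: return f"{n}B"
    if n < 1024 ** 2: return f"{round(n / 1024)}KB"
    return f"{n / 1024 ** 2:.1f}MB"

def parse_report(text):
    """One dict per bullet: {'path': ..., 'Filesize': ..., 'MD5': ..., ...}; blank lines ignored."""
    records, pending = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("•"):
            records.append({"path": line[1:].strip()}); pending = None
        elif line in FIELDS:
            pending = line
        elif pending and records:
            records[-1][pending] = line; pending = None
    return records

def bad_hashes(rec):
    """Hash fields that are missing, or not lowercase hex of the expected length."""
    return [h for h, n in HASH_LEN.items() if not re.fullmatch(r"[0-9a-f]{%d}" % n, rec.get(h, ""))]

def check_memory_region(rec):
    """Recompute a dump's size from its address range and compare with the printed Filesize."""
    m = MEM_RE.match(rec["path"])
    if not m: return None
    size = int(m.group(3), 16) - int(m.group(2), 16)
    return {"pid": int(m.group(1)), "size": size, "matches": human_size(size) == rec.get("Filesize")}

def summarize(records):
    files = [r for r in records if not r["path"].startswith("memory/")]
    writes = Counter(r["path"] for r in files)
    return {
        "files": len(files),
        "bad_hashes": {r["path"]: b for r in files if (b := bad_hashes(r))},
        "rewritten": {p: n for p, n in writes.items() if n > 1},
        "distinct_sha256": len({r.get("SHA256") for r in files}),
        "memory_mismatch": [r["path"] for r in records if (c := check_memory_region(r)) and not c["matches"]],
        "neshta_markers": sorted({r["path"] for r in files if any(m in r["path"].lower() for m in NESHTA_MARKERS)}),
    }
```

Run on the full page, `rewritten` reports `C:\Windows\directx.sys` at 24 writes and `memory_mismatch` should come back empty; on the constructed sample the pid 9999 entry is the only mismatch because 0x410000 - 0x400000 is 64KB, not the 108KB it claims. The `distinct_sha256` count is the number of unique payloads to hunt for, which is smaller than the number of drop events whenever a path is rewritten.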