Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 18-05-2021 10:05
Behavioral task: behavioral1
Sample: b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe
Resource: win7v20210408
General
- Target: b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe
- Size: 2.5MB
- MD5: 5b5ac97705245c79b7dc5553ea9ef725
- SHA1: 8c43d1de280dc53dad5c95d765ef78b52a81c62d
- SHA256: b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d
- SHA512: 8715ae2dac65df613e5ad5715b4240a947597918caa890e4b1610166f73b75736fb536330d14e6a5fa1395f80fb37ea35aa98bf328a6d1b71354aa789a93443c
Malware Config
Extracted: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: mywin7man.p-e.kr:200
- Mutex: 7321baaff10c1ea75810eb114d0daa00
- reg_key: 7321baaff10c1ea75810eb114d0daa00
- splitter: |'|'|
Extracted: darkcomet
- Botnet: 777
- C2: mywin7man.ddns.net:400, mywin7man.p-e.kr:400
- Mutex: DC_MUTEX-ETJWHM7
- InstallPath: windowscra.exe
- gencode: Pi9Netx9cyRC
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\windowscra.exe"
Modifies firewall policy service (2 TTPs, 6 IoCs)
- windowscra.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- windowscra.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- windowscra.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- iexplore.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
Disables RegEdit via registry modification
Executes dropped EXE (6 IoCs)
- PID 2140 100.EXE
- PID 2428 viprsm.exe
- PID 2352 200.EXE
- PID 2660 NJRAT V0.7D.EXE
- PID 196 windowscra.exe
- PID 2140 winlogon.exe
Modifies Windows Firewall (1 TTP)
Drops startup file (2 IoCs)
- winlogon.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7321baaff10c1ea75810eb114d0daa00.exe
- winlogon.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7321baaff10c1ea75810eb114d0daa00.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
- iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windowscra.exe"
- winlogon.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\7321baaff10c1ea75810eb114d0daa00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogon.exe\" .."
- winlogon.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7321baaff10c1ea75810eb114d0daa00 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogon.exe\" .."
- b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windowscra.exe"
- windowscra.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windowscra.exe"
Drops file in System32 directory (2 IoCs)
- 100.EXE: File created C:\Windows\SysWOW64\viprsm.exe
- 100.EXE: File opened for modification C:\Windows\SysWOW64\viprsm.exe
Suspicious use of SetThreadContext (1 IoC)
- PID 196 (windowscra.exe) set thread context of PID 3476 (iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- viprsm.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- viprsm.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3476 iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 3876 (b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 196 (windowscra.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 3476 (iexplore.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3476 iexplore.exe
Suspicious use of WriteProcessMemory (44 IoCs)
- PID 3876 (b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe) wrote to memory of PID 2140 (100.EXE): 3 entries
- PID 3876 (b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe) wrote to memory of PID 2352 (200.EXE): 3 entries
- PID 3876 (b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe) wrote to memory of PID 2660 (NJRAT V0.7D.EXE): 2 entries
- PID 3876 (b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe) wrote to memory of PID 196 (windowscra.exe): 3 entries
- PID 196 (windowscra.exe) wrote to memory of PID 3476 (iexplore.exe): 5 entries
- PID 3476 (iexplore.exe) wrote to memory of PID 1272 (notepad.exe): 22 entries
- PID 2352 (200.EXE) wrote to memory of PID 2140 (winlogon.exe): 3 entries
- PID 2140 (winlogon.exe) wrote to memory of PID 2616 (netsh.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\100.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\100.EXE"
    Signatures:
    - Executes dropped EXE
    - Drops file in System32 directory
  - C:\Users\Admin\AppData\Local\Temp\200.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\200.EXE"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\winlogon.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winlogon.exe"
      Signatures:
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\winlogon.exe" "winlogon.exe" ENABLE
  - C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE"
    Signatures:
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\windowscra.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\windowscra.exe"
    Signatures:
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      Signatures:
      - Modifies firewall policy service
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
- C:\Windows\SysWOW64\viprsm.exe
  Command line: C:\Windows\SysWOW64\viprsm.exe
  Signatures:
  - Executes dropped EXE
  - Checks processor information in registry
Downloads
- C:\Users\Admin\AppData\Local\Temp\100.EXE (same hashes as C:\Windows\SysWOW64\viprsm.exe)
  MD5: 489a50015452c6201699353cef028220
  SHA1: 9865b0fc144dab7bb949cb37702f3eb16b2446c9
  SHA256: 08b48f85ec3c8fe70872fb0863c072c0dc50f78406110a582c1b20161b486b81
  SHA512: e1adadb18ac0b76559e78116124da8b3ed81bdc1f39f41fdf73d85989c222963ce2328da349fe6b290a68b07af42e9fc3495d770136ebaa7d87a12b9a1dafe65
- C:\Users\Admin\AppData\Local\Temp\200.EXE (same hashes as C:\Users\Admin\AppData\Local\Temp\winlogon.exe)
  MD5: 4a01ee2707136d0cb5b3ed3254afeef5
  SHA1: 873ea51f801940f1299d3a3d40877655d45376dd
  SHA256: 128a1d5c2012008c835ca05a385647121dda7b5e9811297e9eeb2a270ebcea78
  SHA512: 5813162e0620001f353932a3c16bc45d728a62dde9530a1523ff58c2c6d04e88fc9363bffeb0f6ca6cda06d3fd161005588a1f804b03713c35d1a8b886937e0d
- C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE
  MD5: 720e7ceaa5c49f653c2b2eed7f51ab36
  SHA1: 781f1142def97b626d1e2f50b8e300f76696557c
  SHA256: d684b56fd5fcd4ce421548a6a3211e1d33722371b862ecfbcd76f78b68d955c5
  SHA512: 31251117aa992263dae9af5069448b78ac687bc4f29d4c34c06013a94d7359498a653548eccc5f7ddab2c543da2aad3f99490c7ac4f1baa9a57edaadd0a1f2bd
- C:\Users\Admin\AppData\Local\Temp\windowscra.exe (same hashes as the submitted sample)
  MD5: 5b5ac97705245c79b7dc5553ea9ef725
  SHA1: 8c43d1de280dc53dad5c95d765ef78b52a81c62d
  SHA256: b243cf67bf384a80b8de34c6e8b351bb3f6cbe2c24ef4c7168489ce0bde00e1d
  SHA512: 8715ae2dac65df613e5ad5715b4240a947597918caa890e4b1610166f73b75736fb536330d14e6a5fa1395f80fb37ea35aa98bf328a6d1b71354aa789a93443c
- C:\Users\Admin\AppData\Local\Temp\winlogon.exe (same hashes as C:\Users\Admin\AppData\Local\Temp\200.EXE)
  MD5: 4a01ee2707136d0cb5b3ed3254afeef5
  SHA1: 873ea51f801940f1299d3a3d40877655d45376dd
  SHA256: 128a1d5c2012008c835ca05a385647121dda7b5e9811297e9eeb2a270ebcea78
  SHA512: 5813162e0620001f353932a3c16bc45d728a62dde9530a1523ff58c2c6d04e88fc9363bffeb0f6ca6cda06d3fd161005588a1f804b03713c35d1a8b886937e0d
- C:\Windows\SysWOW64\viprsm.exe (same hashes as C:\Users\Admin\AppData\Local\Temp\100.EXE)
  MD5: 489a50015452c6201699353cef028220
  SHA1: 9865b0fc144dab7bb949cb37702f3eb16b2446c9
  SHA256: 08b48f85ec3c8fe70872fb0863c072c0dc50f78406110a582c1b20161b486b81
  SHA512: e1adadb18ac0b76559e78116124da8b3ed81bdc1f39f41fdf73d85989c222963ce2328da349fe6b290a68b07af42e9fc3495d770136ebaa7d87a12b9a1dafe65
- memory/196-128-0x0000000000000000-mapping.dmp
- memory/196-136-0x0000000000750000-0x000000000089A000-memory.dmp (Filesize: 1.3MB)
- memory/1272-135-0x0000000000000000-mapping.dmp
- memory/1272-137-0x0000000002DD0000-0x0000000002DD1000-memory.dmp (Filesize: 4KB)
- memory/2140-139-0x0000000000000000-mapping.dmp
- memory/2140-142-0x00000000014F0000-0x00000000014F1000-memory.dmp (Filesize: 4KB)
- memory/2140-115-0x0000000000000000-mapping.dmp
- memory/2352-126-0x0000000000B00000-0x0000000000C4A000-memory.dmp (Filesize: 1.3MB)
- memory/2352-118-0x0000000000000000-mapping.dmp
- memory/2616-143-0x0000000000000000-mapping.dmp
- memory/2660-122-0x0000000000000000-mapping.dmp
- memory/2660-138-0x00000000029C7000-0x00000000029CF000-memory.dmp (Filesize: 32KB)
- memory/2660-127-0x00000000029C0000-0x00000000029C2000-memory.dmp (Filesize: 8KB)
- memory/3476-132-0x000000000048F888-mapping.dmp
- memory/3476-131-0x0000000000400000-0x0000000000684000-memory.dmp (Filesize: 2.5MB)
- memory/3876-114-0x0000000002530000-0x0000000002531000-memory.dmp (Filesize: 4KB)