Analysis
- max time kernel: 4294213s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 28-03-2022 21:52
Static task: static1
Behavioral task: behavioral1
- Sample: main.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: main.exe
- Resource: win10v2004-en-20220113
General
- Target: main.exe
- Size: 29.8MB
- MD5: 05eddf246ff3900650373bab2a45f8f1
- SHA1: 4b1aa434604bacd73857ee1058610ff442ed124f
- SHA256: 69db77173df272098da80c4bdff6147536b851809cfb2116fc0085bfc885a663
- SHA512: 8ff0d35ee7478dfe8a9371029d5080259d9e98548ab1119364c8a9d9292931fa0d7d85f95ede68242a682b22acac6e6499bf2c65a4d91ac04209d62e01684188
Malware Config
Extracted: redline
- 1877
- hawler.duckdns.org:56199
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1600-79-0x0000000000860000-0x0000000001084000-memory.dmp | family_redline
  behavioral1/memory/1600-80-0x0000000000860000-0x0000000001084000-memory.dmp | family_redline
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1504-54-0x0000000000C20000-0x00000000029F2000-memory.dmp | family_snakekeylogger
  \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe | family_snakekeylogger
  behavioral1/memory/1540-64-0x0000000000B50000-0x0000000000B84000-memory.dmp | family_snakekeylogger
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe | family_snakekeylogger
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe | family_snakekeylogger
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (7 IoCs)
  Processes:
  pid | process
  988 | svchost.exe
  1540 | svshost.exe
  1764 | update.exe
  1600 | csrss.exe
  808 | Nashy.exe
  1644 | Nashy.exe
  320 | Nashy.exe
- Modifies Windows Firewall (1 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | csrss.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDMan.exe | Nashy.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDMan.exe | Nashy.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid | process
  1504 | main.exe
  1504 | main.exe
  1504 | main.exe
  1504 | main.exe
  1764 | update.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Microsoft\csrss.exe | themida
  C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe | themida
  behavioral1/memory/1600-79-0x0000000000860000-0x0000000001084000-memory.dmp | themida
  behavioral1/memory/1600-80-0x0000000000860000-0x0000000001084000-memory.dmp | themida
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\svchost.exe" | main.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\One Drive = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\svshost.exe" | main.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Internet Explorer\\update.exe" | main.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe" | main.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nashy.exe\" .." | Nashy.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nashy.exe\" .." | Nashy.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  6 | checkip.dyndns.org
  12 | freegeoip.app
  13 | freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  1600 | csrss.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
  pid | process
  1504 | main.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  1540 | svshost.exe
  808 | Nashy.exe (repeated for the remaining 63 of the 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1540 | svshost.exe
  Token: SeDebugPrivilege | 1600 | csrss.exe
  Token: SeDebugPrivilege | 808 | Nashy.exe
  Token: SeDebugPrivilege | 1644 | Nashy.exe
  Token: SeDebugPrivilege | 320 | Nashy.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (identical rows collapsed, with the number of entries in parentheses):
  description | pid | process | target process
  PID 1504 wrote to memory of 988 | 1504 | main.exe | svchost.exe (4 entries)
  PID 1504 wrote to memory of 1540 | 1504 | main.exe | svshost.exe (4 entries)
  PID 1504 wrote to memory of 1764 | 1504 | main.exe | update.exe (7 entries)
  PID 1504 wrote to memory of 1600 | 1504 | main.exe | csrss.exe (4 entries)
  PID 1764 wrote to memory of 960 | 1764 | update.exe | netsh.exe (4 entries)
  PID 1764 wrote to memory of 808 | 1764 | update.exe | Nashy.exe (4 entries)
  PID 808 wrote to memory of 1108 | 808 | Nashy.exe | schtasks.exe (4 entries)
  PID 1540 wrote to memory of 1496 | 1540 | svshost.exe | netsh.exe (4 entries)
  PID 1512 wrote to memory of 1644 | 1512 | taskeng.exe | Nashy.exe (4 entries)
  PID 1512 wrote to memory of 320 | 1512 | taskeng.exe | Nashy.exe (4 entries)
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svshost.exe
Processes (tree; [n] is the nesting depth, followed by the image path and the command line)
[1] C:\Users\Admin\AppData\Local\Temp\main.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svchost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svchost.exe"
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: "netsh" wlan show profile
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe" "update.exe" ENABLE
        [3] C:\Users\Admin\AppData\Roaming\Nashy.exe
            command line: "C:\Users\Admin\AppData\Roaming\Nashy.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                command line: schtasks /create /sc minute /mo 1 /tn java_update.exe /tr C:\Users\Admin\AppData\Roaming\Nashy.exe
                - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {D8F1084C-56AE-4C19-9263-A6D8E7F1A8B3} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Nashy.exe
        command line: C:\Users\Admin\AppData\Roaming\Nashy.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Roaming\Nashy.exe
        command line: C:\Users\Admin\AppData\Roaming\Nashy.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svchost.exe
  Filesize: 30KB
  MD5: cd01b6f8a2e8fe00f0449df391c2f331
  SHA1: f3b8e7a655b312863b7b32129cb2a89a29bfc3d9
  SHA256: 0de434935d1308a30cf592be774296e2d14bb5780b21a69ed36c6d4c77976840
  SHA512: 752fcfce2d7f34d9be5a3bfd88169820d4b37131da67118bd7990763a4ed31890e072696da8e0840915d05054d9e491353b35ed76ac92bdb9a58a152b775cfb5
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe
  Filesize: 171KB
  MD5: c9e64773ed0c170edc9a82e7ade64a4b
  SHA1: 07fb7b49207ba40f5620ced4b61dbceab1223185
  SHA256: 8ff58b0569d87e4dd65124eb0e7e3bed83fe723e4726d3627958aa4914688e53
  SHA512: 9b7eb0e2a1cb2e1c94580dd47b2ed312de497fa4888b3c8f49bead5c406e8e06c99ccfa503fc4194c361e6759b8795abc266618c5222efe5dbd9442d3c866cdc
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe
  Filesize: 89KB
  MD5: 66379ef40063ccde19bbc3ac718d5161
  SHA1: 3e1f05f41309d57f7e3f42bc88fc68c83e2fcd5a
  SHA256: 5331ac560de3a551bab998560159171eda960d3f6861ae882ca02216b043b27a
  SHA512: d71a1b2d88aa825d26a5be2bc0b28bf04443eb8ed36df5768d390a53deb7ee320c88b697b7be98c507383714ff2ca3be9947548f45552ac4375797b9851c257a
- C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
  Filesize: 3.0MB
  MD5: 9868cccd61dfd71cf70648324b02ffb1
  SHA1: 29c14c7576a229d7751693f7819425416dcd7cc7
  SHA256: 8786f2138dd203ad356814abffc716882b593f630f0ab46be144609777e8ef68
  SHA512: 59616302c9980971a3553a0d7c031f03550f4050339015c3b597fe0917502b495645248feef4047631618fae48990e4cf15bde170c7eea31d2f50501f360878e
- C:\Users\Admin\AppData\Roaming\Nashy.exe
  Filesize: 89KB
  MD5: 66379ef40063ccde19bbc3ac718d5161
  SHA1: 3e1f05f41309d57f7e3f42bc88fc68c83e2fcd5a
  SHA256: 5331ac560de3a551bab998560159171eda960d3f6861ae882ca02216b043b27a
  SHA512: d71a1b2d88aa825d26a5be2bc0b28bf04443eb8ed36df5768d390a53deb7ee320c88b697b7be98c507383714ff2ca3be9947548f45552ac4375797b9851c257a
- \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svchost.exe
  Filesize: 30KB
  MD5: cd01b6f8a2e8fe00f0449df391c2f331
  SHA1: f3b8e7a655b312863b7b32129cb2a89a29bfc3d9
  SHA256: 0de434935d1308a30cf592be774296e2d14bb5780b21a69ed36c6d4c77976840
  SHA512: 752fcfce2d7f34d9be5a3bfd88169820d4b37131da67118bd7990763a4ed31890e072696da8e0840915d05054d9e491353b35ed76ac92bdb9a58a152b775cfb5
- \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\svshost.exe
  Filesize: 171KB
  MD5: c9e64773ed0c170edc9a82e7ade64a4b
  SHA1: 07fb7b49207ba40f5620ced4b61dbceab1223185
  SHA256: 8ff58b0569d87e4dd65124eb0e7e3bed83fe723e4726d3627958aa4914688e53
  SHA512: 9b7eb0e2a1cb2e1c94580dd47b2ed312de497fa4888b3c8f49bead5c406e8e06c99ccfa503fc4194c361e6759b8795abc266618c5222efe5dbd9442d3c866cdc
- \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\update.exe
  Filesize: 89KB
  MD5: 66379ef40063ccde19bbc3ac718d5161
  SHA1: 3e1f05f41309d57f7e3f42bc88fc68c83e2fcd5a
  SHA256: 5331ac560de3a551bab998560159171eda960d3f6861ae882ca02216b043b27a
  SHA512: d71a1b2d88aa825d26a5be2bc0b28bf04443eb8ed36df5768d390a53deb7ee320c88b697b7be98c507383714ff2ca3be9947548f45552ac4375797b9851c257a
- \Users\Admin\AppData\Roaming\Microsoft\csrss.exe
  Filesize: 3.0MB
  MD5: 9868cccd61dfd71cf70648324b02ffb1
  SHA1: 29c14c7576a229d7751693f7819425416dcd7cc7
  SHA256: 8786f2138dd203ad356814abffc716882b593f630f0ab46be144609777e8ef68
  SHA512: 59616302c9980971a3553a0d7c031f03550f4050339015c3b597fe0917502b495645248feef4047631618fae48990e4cf15bde170c7eea31d2f50501f360878e
- \Users\Admin\AppData\Roaming\Nashy.exe
  Filesize: 89KB
  MD5: 66379ef40063ccde19bbc3ac718d5161
  SHA1: 3e1f05f41309d57f7e3f42bc88fc68c83e2fcd5a
  SHA256: 5331ac560de3a551bab998560159171eda960d3f6861ae882ca02216b043b27a
  SHA512: d71a1b2d88aa825d26a5be2bc0b28bf04443eb8ed36df5768d390a53deb7ee320c88b697b7be98c507383714ff2ca3be9947548f45552ac4375797b9851c257a
- memory/320-96-0x0000000000000000-mapping.dmp
- memory/320-99-0x000000006F500000-0x000000006FAAB000-memory.dmp (Filesize 5.7MB)
- memory/808-88-0x000000006F500000-0x000000006FAAB000-memory.dmp (Filesize 5.7MB)
- memory/808-83-0x0000000000000000-mapping.dmp
- memory/960-81-0x0000000000000000-mapping.dmp
- memory/988-61-0x0000000001010000-0x0000000001020000-memory.dmp (Filesize 64KB)
- memory/988-65-0x0000000075561000-0x0000000075563000-memory.dmp (Filesize 8KB)
- memory/988-56-0x0000000000000000-mapping.dmp
- memory/1108-89-0x0000000000000000-mapping.dmp
- memory/1496-90-0x0000000000000000-mapping.dmp
- memory/1504-54-0x0000000000C20000-0x00000000029F2000-memory.dmp (Filesize 29.8MB)
- memory/1540-64-0x0000000000B50000-0x0000000000B84000-memory.dmp (Filesize 208KB)
- memory/1540-60-0x0000000000000000-mapping.dmp
- memory/1600-80-0x0000000000860000-0x0000000001084000-memory.dmp (Filesize 8.1MB)
- memory/1600-79-0x0000000000860000-0x0000000001084000-memory.dmp (Filesize 8.1MB)
- memory/1600-76-0x0000000077260000-0x00000000773E0000-memory.dmp (Filesize 1.5MB)
- memory/1600-71-0x0000000000000000-mapping.dmp
- memory/1644-92-0x0000000000000000-mapping.dmp
- memory/1644-95-0x000000006F500000-0x000000006FAAB000-memory.dmp (Filesize 5.7MB)
- memory/1764-75-0x000000006F500000-0x000000006FAAB000-memory.dmp (Filesize 5.7MB)
- memory/1764-67-0x0000000000000000-mapping.dmp