Analysis
max time kernel: 270s
max time network: 295s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2022 00:22
Static task: static1
Behavioral task: behavioral1
Sample: PPPPPPPPPPPPPPP.exe
Resource: win7-20220812-en
General
Target: PPPPPPPPPPPPPPP.exe
Size: 60KB
MD5: 94406fab156e3ed962899d6a473683c5
SHA1: 08ef787ee7264e87abdb1933102ae94a8056a587
SHA256: 422c3df285fbd86303eb0448583550d7584a330095c60ada442cb1beb97cf670
SHA512: c5ae7834d4722e7ca702258203f718a00403d76455cfe5e75743f116a4bd0c37ec33dcf89c6f779e8247519ae65e12523fe6bc7aede28a360fbf4687e1b2bba2
SSDEEP: 768:DlH3iOcmCQkUF7Q3n8Q37RGC5fBPcKX0hT6tUTNtg3333rIX72s2H3eI2:DlHyOcmCD27c8oN5JPcQQhg3333rdX9
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral1/memory/1420-100-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
behavioral1/memory/1420-112-0x0000000000400000-0x0000000000547000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1420-100-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
behavioral1/memory/1420-112-0x0000000000400000-0x0000000000547000-memory.dmp | family_gh0strat

Processes: PPPPPPPPPPPPPPP.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | PPPPPPPPPPPPPPP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PPPPPPPPPPPPPPP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | PPPPPPPPPPPPPPP.exe

Downloads MZ/PE file
Executes dropped EXE 6 IoCs
Processes: k4.exe, k4.exe, unzip.exe, dllhosts.exe, dllhosts.exe, k4.exe
pid | process
1292 | k4.exe
1476 | k4.exe
1724 | unzip.exe
1884 | dllhosts.exe
1420 | dllhosts.exe
1764 | k4.exe

Processes:
resource | yara_rule
behavioral1/memory/1420-92-0x0000000000400000-0x0000000000547000-memory.dmp | upx
behavioral1/memory/1420-97-0x0000000000400000-0x0000000000547000-memory.dmp | upx
behavioral1/memory/1420-98-0x0000000000400000-0x0000000000547000-memory.dmp | upx
behavioral1/memory/1420-112-0x0000000000400000-0x0000000000547000-memory.dmp | upx

Drops startup file 3 IoCs
Processes: unzip.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\ | unzip.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\dev.lnk | unzip.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\dev.lnk | unzip.exe

Loads dropped DLL 8 IoCs
Processes: PPPPPPPPPPPPPPP.exe, dllhosts.exe, WerFault.exe
pid | process
1988 | PPPPPPPPPPPPPPP.exe
1884 | dllhosts.exe
1292 | WerFault.exe (x6)

Processes: PPPPPPPPPPPPPPP.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PPPPPPPPPPPPPPP.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: dllhosts.exe
description | ioc | process
File opened (read-only) | \??\F: | dllhosts.exe
File opened (read-only) | \??\I: | dllhosts.exe
File opened (read-only) | \??\L: | dllhosts.exe
File opened (read-only) | \??\M: | dllhosts.exe
File opened (read-only) | \??\T: | dllhosts.exe
File opened (read-only) | \??\E: | dllhosts.exe
File opened (read-only) | \??\Q: | dllhosts.exe
File opened (read-only) | \??\V: | dllhosts.exe
File opened (read-only) | \??\B: | dllhosts.exe
File opened (read-only) | \??\G: | dllhosts.exe
File opened (read-only) | \??\K: | dllhosts.exe
File opened (read-only) | \??\O: | dllhosts.exe
File opened (read-only) | \??\P: | dllhosts.exe
File opened (read-only) | \??\S: | dllhosts.exe
File opened (read-only) | \??\U: | dllhosts.exe
File opened (read-only) | \??\W: | dllhosts.exe
File opened (read-only) | \??\X: | dllhosts.exe
File opened (read-only) | \??\Y: | dllhosts.exe
File opened (read-only) | \??\Z: | dllhosts.exe
File opened (read-only) | \??\H: | dllhosts.exe
File opened (read-only) | \??\J: | dllhosts.exe
File opened (read-only) | \??\N: | dllhosts.exe
File opened (read-only) | \??\R: | dllhosts.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: dllhosts.exe
description | pid | process | target process
PID 1884 set thread context of 1420 | 1884 | dllhosts.exe | dllhosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1292 | 1884 | WerFault.exe | dllhosts.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: dllhosts.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhosts.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dllhosts.exe

Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
1156 | taskkill.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: dllhosts.exe
pid | process
1420 | dllhosts.exe (x33)

Suspicious behavior: SetClipboardViewer 1 IoCs
Processes: mmc.exe
pid | process
1660 | mmc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes: taskkill.exe, mmc.exe, mmc.exe, k4.exe, dllhosts.exe
description | pid | process
Token: SeDebugPrivilege | 1156 | taskkill.exe
Token: 33 | 1456 | mmc.exe (x2)
Token: SeIncBasePriorityPrivilege | 1456 | mmc.exe (x2)
Token: 33 | 1660 | mmc.exe (x2)
Token: SeIncBasePriorityPrivilege | 1660 | mmc.exe (x2)
Token: SeLoadDriverPrivilege | 1764 | k4.exe
Token: 33 | 1420 | dllhosts.exe (x4)
Token: SeIncBasePriorityPrivilege | 1420 | dllhosts.exe (x4)

Suspicious use of SetWindowsHookEx 5 IoCs
Processes: PPPPPPPPPPPPPPP.exe, mmc.exe, mmc.exe
pid | process
1988 | PPPPPPPPPPPPPPP.exe
1456 | mmc.exe (x2)
1660 | mmc.exe (x2)

Suspicious use of WriteProcessMemory 57 IoCs
Processes: PPPPPPPPPPPPPPP.exe, cmd.exe, cmd.exe, mmc.exe, mmc.exe, dllhosts.exe
description | pid | process | target process
PID 1988 wrote to memory of 1292 | 1988 | PPPPPPPPPPPPPPP.exe | k4.exe (x4)
PID 1988 wrote to memory of 1476 | 1988 | PPPPPPPPPPPPPPP.exe | k4.exe (x4)
PID 1988 wrote to memory of 1828 | 1988 | PPPPPPPPPPPPPPP.exe | cmd.exe (x4)
PID 1828 wrote to memory of 1156 | 1828 | cmd.exe | taskkill.exe (x4)
PID 1988 wrote to memory of 1776 | 1988 | PPPPPPPPPPPPPPP.exe | cmd.exe (x4)
PID 1988 wrote to memory of 384 | 1988 | PPPPPPPPPPPPPPP.exe | cmd.exe (x4)
PID 1988 wrote to memory of 1488 | 1988 | PPPPPPPPPPPPPPP.exe | WScript.exe (x4)
PID 384 wrote to memory of 1916 | 384 | cmd.exe | WScript.exe (x4)
PID 1456 wrote to memory of 1084 | 1456 | mmc.exe | cmd.exe (x3)
PID 1660 wrote to memory of 1884 | 1660 | mmc.exe | dllhosts.exe (x4)
PID 1884 wrote to memory of 1420 | 1884 | dllhosts.exe | dllhosts.exe (x6)
PID 1884 wrote to memory of 1292 | 1884 | dllhosts.exe | WerFault.exe (x4)
PID 1988 wrote to memory of 840 | 1988 | PPPPPPPPPPPPPPP.exe | cmd.exe (x4)
PID 1988 wrote to memory of 1764 | 1988 | PPPPPPPPPPPPPPP.exe | k4.exe (x4)

System policy modification 1 TTPs 3 IoCs
Processes: PPPPPPPPPPPPPPP.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | PPPPPPPPPPPPPPP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PPPPPPPPPPPPPPP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | PPPPPPPPPPPPPPP.exe

Processes
C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe"
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification

  C:\Users\Public\Documents\k4.exe
  Command line: C:/Users/Public/Documents/k4.exe
  - Executes dropped EXE

  C:\Users\Public\Documents\k4.exe
  Command line: C:/Users/Public/Documents/k4.exe /D
  - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /c taskkill /f /t /im k4.exe
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /t /im k4.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy /b C:\\Users\\Public\\Documents\\MZ.txt+C:\\Users\\Public\\Documents\\TAS.txt C:\\Users\\Public\\Documents\\TASLoginBase.dll

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c C:\Users\Public\Documents\2022060125.vbe
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060125.vbe"

  C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sch.vbe"

  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c del C:\\Users\\Public\\Documents\\TASLoginBase.dll

  C:\Users\Public\Documents\k4.exe
  Command line: "C:\Users\Public\Documents\k4.exe" /E
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\mmc.exe
Command line: C:\Windows\system32\mmc.exe -Embedding
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\WINDOWS\system32\cmd.exe
  Command line: "C:\WINDOWS\system32\cmd.exe" /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"

    C:\Users\Public\Documents\unzip.exe
    Command line: C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"
    - Executes dropped EXE
    - Drops startup file

C:\Windows\system32\mmc.exe
Command line: C:\Windows\system32\mmc.exe -Embedding
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Users\Public\Documents\dllhosts.exe
  Command line: "C:\Users\Public\Documents\dllhosts.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Public\Documents\dllhosts.exe
    Command line: C:\Users\Public\Documents\dllhosts.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 60
    - Loads dropped DLL
    - Program crash

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\2022060125.vbe, Filesize 180B
- C:\Users\Public\Documents\MZ.txt, Filesize 2B
- C:\Users\Public\Documents\TAS.txt, Filesize 92KB
- C:\Users\Public\Documents\TASLoginBase.dll, Filesize 93KB
- C:\Users\Public\Documents\dllhosts.exe, Filesize 411KB
- C:\Users\Public\Documents\k4.exe, Filesize 892KB
- C:\Users\Public\Documents\sch.vbe, Filesize 179B
- C:\Users\Public\Documents\unzip.dat, Filesize 1KB
- C:\Users\Public\Documents\unzip.exe, Filesize 164KB
- C:\Users\Public\Documents\unzip.lnk, Filesize 892B
- C:\Users\Public\Documents\update.lnk, Filesize 1KB
- C:\Users\Public\Documents\update.log, Filesize 539KB