Analysis

max time kernel: 153s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2022 22:59
Static task: static1
Behavioral task: behavioral1
Sample: 9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe
Resource: win7-20220901-en

General

Target: 9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe
Size: 220KB
MD5: 2b8767529bdf678f3b6adb26da46f393
SHA1: d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA256: 9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA512: 57bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
SSDEEP: 6144:vU5B0NZ2oFsETmEY83TN5ZZDbDBH+RBE0/F:QOtFsoVYAjmhF
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 10 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
Events (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ZSBSJ5MBR9.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 4500 explorer.exe
- 2420 lsam.exe
- 2140 spolsv.exe
YARA rule matches (resource, yara_rule):
- behavioral2/memory/1380-141-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/1380-143-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/1380-144-0x0000000000400000-0x0000000000473000-memory.dmp: upx
- behavioral2/memory/1380-145-0x0000000000400000-0x0000000000473000-memory.dmp: upx
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Events (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (explorer.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (lsam.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
Events (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsam.exe" (lsam.exe)
Suspicious use of SetThreadContext (2 IoCs)
Events (description, pid, process, target process):
- PID 4500 set thread context of 1380: explorer.exe (4500) -> AppLaunch.exe
- PID 2140 set thread context of 5068: spolsv.exe (2140) -> AppLaunch.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry key (1 TTPs, 4 IoCs)
Processes (pid, process):
- 2216 reg.exe
- 2380 reg.exe
- 2312 reg.exe
- 1424 reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process), 64 events spread across these three processes:
- 4500 explorer.exe
- 2420 lsam.exe
- 2140 spolsv.exe
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Events (description, pid, process):
- Token: SeDebugPrivilege, 2080 9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe
- Token: SeDebugPrivilege, 4500 explorer.exe
- Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (one event each), 1380 AppLaunch.exe
- Token: SeDebugPrivilege, 2420 lsam.exe
- Token: SeDebugPrivilege, 2140 spolsv.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes (pid, process):
- 1380 AppLaunch.exe (3 events)
- 5068 AppLaunch.exe (2 events)
Suspicious use of WriteProcessMemory (49 IoCs)
Events (description, pid, process, target process), repeated events collapsed with their count:
- PID 2080 wrote to memory of 4500: 9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe -> explorer.exe (3 events)
- PID 4500 wrote to memory of 1380: explorer.exe -> AppLaunch.exe (8 events)
- PID 4500 wrote to memory of 2420: explorer.exe -> lsam.exe (3 events)
- PID 1380 wrote to memory of 4268: AppLaunch.exe -> cmd.exe (3 events)
- PID 1380 wrote to memory of 1284: AppLaunch.exe -> cmd.exe (3 events)
- PID 1380 wrote to memory of 3988: AppLaunch.exe -> cmd.exe (3 events)
- PID 1380 wrote to memory of 4152: AppLaunch.exe -> cmd.exe (3 events)
- PID 4268 wrote to memory of 2380: cmd.exe -> reg.exe (3 events)
- PID 3988 wrote to memory of 2312: cmd.exe -> reg.exe (3 events)
- PID 4152 wrote to memory of 2216: cmd.exe -> reg.exe (3 events)
- PID 1284 wrote to memory of 1424: cmd.exe -> reg.exe (3 events)
- PID 2420 wrote to memory of 2140: lsam.exe -> spolsv.exe (3 events)
- PID 2140 wrote to memory of 5068: spolsv.exe -> AppLaunch.exe (8 events)
Processes (tree, indented by depth)

[1] C:\Users\Admin\AppData\Local\Temp\9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                    - Modifies firewall policy service
                    - Modifies registry key

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
                    - Modifies firewall policy service
                    - Modifies registry key

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                    - Modifies firewall policy service
                    - Modifies registry key

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe:*:Enabled:Windows Messanger" /f
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZSBSJ5MBR9.exe:*:Enabled:Windows Messanger" /f
                    - Modifies firewall policy service
                    - Modifies registry key

        [3] C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\System\lsam.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (duplicate listings removed):

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 102B
MD5: 029a6f5aa81356b56a20e48e3a8b0000
SHA1: f991d6237acc68b0d8332409071ac63b602298ca
SHA256: 177871646137e558b8746ee66f634f7d29a56112dbbcb4eed8bba87136b08568
SHA512: 9d0d1aa7244cc8ba54ada413ce54e03e3d128b59fb7c80d7518c5d1944e870e9d666a418d8656ca703ee88059c05c70aa9845b38b5a536025e091681c6f1d780

C:\Users\Admin\AppData\Local\Temp\System\lsam.exe
Filesize: 25KB
MD5: 39b9e0ce01f0a0b715241051b26f765b
SHA1: e64bef34105060532a57ad4d1bc0a91e0f1413d1
SHA256: 8a1774770a9d2d651e01c38cff95cbe2014cf0fa09fc7c8d69bd96b9e2e443a4
SHA512: 3c79f33e9ac36d6911320929ea591387ba532ad872667bc2d76551cc5260772d8e7db6528ac11fbfa013c3cd8c3c1506c3cb35402122ebbcbd34a2ee726261e4

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe (same hashes as the submitted sample)
Filesize: 220KB
MD5: 2b8767529bdf678f3b6adb26da46f393
SHA1: d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA256: 9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA512: 57bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (same hashes as the submitted sample)
Filesize: 220KB
MD5: 2b8767529bdf678f3b6adb26da46f393
SHA1: d375c1af8dda778fbfb2898447838ffe245a9f8d
SHA256: 9f932b1a95863ee39911bd5ea8d49ff17b0930f34ebcebae70d7f2ea6b130a2c
SHA512: 57bd41e3284fa5ce51544a0301dfc677ca82ac1149240fffc6d5fe6a36ac2ae82a5b9ff948b3c66ac535bbf3e9b01b7133e2e6109d09fb831b689e95bdf3f27b
Memory dumps (filesize where given):
- memory/1284-153-0x0000000000000000-mapping.dmp
- memory/1380-143-0x0000000000400000-0x0000000000473000-memory.dmp (460KB)
- memory/1380-141-0x0000000000400000-0x0000000000473000-memory.dmp (460KB)
- memory/1380-144-0x0000000000400000-0x0000000000473000-memory.dmp (460KB)
- memory/1380-145-0x0000000000400000-0x0000000000473000-memory.dmp (460KB)
- memory/1380-140-0x0000000000000000-mapping.dmp
- memory/1424-159-0x0000000000000000-mapping.dmp
- memory/2080-137-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/2080-133-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/2080-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/2140-173-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/2140-162-0x0000000000000000-mapping.dmp
- memory/2140-176-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/2216-158-0x0000000000000000-mapping.dmp
- memory/2312-157-0x0000000000000000-mapping.dmp
- memory/2380-156-0x0000000000000000-mapping.dmp
- memory/2420-161-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/2420-149-0x0000000000000000-mapping.dmp
- memory/2420-175-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/3988-154-0x0000000000000000-mapping.dmp
- memory/4152-155-0x0000000000000000-mapping.dmp
- memory/4268-152-0x0000000000000000-mapping.dmp
- memory/4500-139-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/4500-174-0x0000000074FF0000-0x00000000755A1000-memory.dmp (5.7MB)
- memory/4500-134-0x0000000000000000-mapping.dmp
- memory/5068-164-0x0000000000000000-mapping.dmp