Analysis
- max time kernel: 255s
- max time network: 353s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 00:05

Static task: static1
Behavioral task: behavioral1
- Sample: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
- Resource: win7-20221111-en

General
- Target: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
- Size: 488KB
- MD5: 32119bc05a71df1acbcd331912e81343
- SHA1: 285d81aa2c4196aa41184c0cc791fd5b7aab3d91
- SHA256: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176
- SHA512: 0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4
- SSDEEP: 6144:fiQ+CGTCCkfVHKPikyX862ZAMB6gjaUVQJqtHnnW6H0TeXp5PfiioJwm26N8j6uM:fiQ+Chdy6gugQ+HW6hpxvoJwr1KaJbt
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: reg.exe, reg.exe, reg.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updates\\NoZ.exe:*:Enabled:Windows Messanger" (reg.exe)
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: audiadag.exe
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (audiadag.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiadag.exe" (audiadag.exe)
-
Blocklisted process makes network request (1 IoCs)
Processes: rundll32.exe
- flow 6, pid 340 rundll32.exe
-
Executes dropped EXE (3 IoCs)
Processes: explorer.exe, audiadag.exe, Wmiprvsd.exe
- pid 672 explorer.exe
- pid 872 audiadag.exe
- pid 1160 Wmiprvsd.exe
-
Deletes itself (1 IoCs)
Processes: explorer.exe
- pid 672 explorer.exe
-
Loads dropped DLL (3 IoCs)
Processes: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe, explorer.exe, audiadag.exe
- pid 1240 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
- pid 672 explorer.exe
- pid 872 audiadag.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: audiadag.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiadag.exe" (audiadag.exe)
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: explorer.exe, Wmiprvsd.exe
- PID 672 explorer.exe set thread context of 340 rundll32.exe
- PID 1160 Wmiprvsd.exe set thread context of 1036 rundll32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- pid 1252 reg.exe
- pid 1332 reg.exe
- pid 1648 reg.exe
- pid 1772 reg.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: explorer.exe, audiadag.exe, Wmiprvsd.exe
- 64 repeated observations, all from pid 672 explorer.exe, pid 872 audiadag.exe and pid 1160 Wmiprvsd.exe
-
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe, explorer.exe, audiadag.exe, rundll32.exe, Wmiprvsd.exe
- Token SeDebugPrivilege: pid 1240 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
- Token SeDebugPrivilege: pid 672 explorer.exe
- Token SeDebugPrivilege: pid 872 audiadag.exe
- Tokens adjusted by pid 340 rundll32.exe: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- Token SeDebugPrivilege: pid 1160 Wmiprvsd.exe
-
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: rundll32.exe, rundll32.exe
- pid 340 rundll32.exe
- pid 340 rundll32.exe
- pid 1036 rundll32.exe
- pid 1036 rundll32.exe
- pid 340 rundll32.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe, explorer.exe, audiadag.exe, rundll32.exe, Wmiprvsd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
The 64 entries are repeated writes between the following parent/target pairs:
- PID 1240 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe wrote to memory of 672 explorer.exe
- PID 672 explorer.exe wrote to memory of 340 rundll32.exe
- PID 672 explorer.exe wrote to memory of 872 audiadag.exe
- PID 872 audiadag.exe wrote to memory of 1160 Wmiprvsd.exe
- PID 340 rundll32.exe wrote to memory of 1224 cmd.exe
- PID 1160 Wmiprvsd.exe wrote to memory of 1036 rundll32.exe
- PID 340 rundll32.exe wrote to memory of 1360 cmd.exe
- PID 340 rundll32.exe wrote to memory of 1232 cmd.exe
- PID 340 rundll32.exe wrote to memory of 272 cmd.exe
- PID 1224 cmd.exe wrote to memory of 1252 reg.exe
- PID 1360 cmd.exe wrote to memory of 1332 reg.exe
- PID 1232 cmd.exe wrote to memory of 1648 reg.exe
- PID 272 cmd.exe wrote to memory of 1772 reg.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe"
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    Signatures: Executes dropped EXE; Deletes itself; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\System32\rundll32.exe
      Signatures: Blocklisted process makes network request; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures: Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          Signatures: Modifies firewall policy service; Modifies registry key
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\rundll32.exe" /t REG_SZ /d "C:\Windows\SysWOW64\rundll32.exe:*:Enabled:Windows Messanger" /f
        Signatures: Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\rundll32.exe" /t REG_SZ /d "C:\Windows\SysWOW64\rundll32.exe:*:Enabled:Windows Messanger" /f
          Signatures: Modifies registry key
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe:*:Enabled:Windows Messanger" /f
        Signatures: Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe:*:Enabled:Windows Messanger" /f
          Signatures: Modifies firewall policy service; Modifies registry key
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures: Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          Signatures: Modifies firewall policy service; Modifies registry key
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\System\audiadag.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\audiadag.exe"
      Signatures: Adds policy Run key to start application; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - (depth 4) C:\Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\rundll32.exe
          Command line: C:\Windows\System32\rundll32.exe
          Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: c45c0cf1e981b3ea16f378e15694160a
  SHA1: e4c5e9751ec3e82fb1c647230a258425951b41dc
  SHA256: 13aa86eaa22a8a3abedb1c381444aa3f36e09b2ba3a7dae8624a0e72d94e6fe0
  SHA512: f37fdb0ccc245e71c015112e6896858cffde590460a7e0c7fb62c8555b8ab622b73650da8f38cd2faf6d9e79df3c99780e5820d6de69ba7e79ba868fe43ba070
- C:\Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
  Filesize: 488KB
  MD5: 32119bc05a71df1acbcd331912e81343
  SHA1: 285d81aa2c4196aa41184c0cc791fd5b7aab3d91
  SHA256: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176
  SHA512: 0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4
- C:\Users\Admin\AppData\Local\Temp\System\audiadag.exe
  Filesize: 9KB
  MD5: 3b3515ae5be07674b71c2c1f74e298e2
  SHA1: ce336fc83661eeedb00de087ea53a2ccc60d1fec
  SHA256: 66b40ba0578f18ae39e2c7d5e33ae05d315bd9172517dd27b464efdcb4f965d8
  SHA512: 18c29eb0344f4b50c32c74744e69ab3ca34fe5a4394cef75d4fea4fe8e0c7138651f57ee86c1a28d06bbfc790c5b69ac661fc9e93f9977d788c11870af0ef02b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Filesize: 488KB
  MD5: 32119bc05a71df1acbcd331912e81343
  SHA1: 285d81aa2c4196aa41184c0cc791fd5b7aab3d91
  SHA256: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176
  SHA512: 0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4
- \Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
  Filesize: 488KB
  MD5: 32119bc05a71df1acbcd331912e81343
  SHA1: 285d81aa2c4196aa41184c0cc791fd5b7aab3d91
  SHA256: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176
  SHA512: 0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4
- \Users\Admin\AppData\Local\Temp\System\audiadag.exe
  Filesize: 9KB
  MD5: 3b3515ae5be07674b71c2c1f74e298e2
  SHA1: ce336fc83661eeedb00de087ea53a2ccc60d1fec
  SHA256: 66b40ba0578f18ae39e2c7d5e33ae05d315bd9172517dd27b464efdcb4f965d8
  SHA512: 18c29eb0344f4b50c32c74744e69ab3ca34fe5a4394cef75d4fea4fe8e0c7138651f57ee86c1a28d06bbfc790c5b69ac661fc9e93f9977d788c11870af0ef02b
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Filesize: 488KB
  MD5: 32119bc05a71df1acbcd331912e81343
  SHA1: 285d81aa2c4196aa41184c0cc791fd5b7aab3d91
  SHA256: 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176
  SHA512: 0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4
- memory/272-93-0x0000000000000000-mapping.dmp
- memory/340-98-0x0000000000401000-0x0000000000468000-memory.dmp (Filesize: 412KB)
- memory/340-66-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/340-67-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/340-70-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/340-69-0x0000000000400000-0x0000000000470000-memory.dmp (Filesize: 448KB)
- memory/340-71-0x00000000004013BC-mapping.dmp
- memory/672-57-0x0000000000000000-mapping.dmp
- memory/672-73-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/672-61-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/872-78-0x0000000000000000-mapping.dmp
- memory/872-111-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/872-101-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/1036-97-0x00000000004013BC-mapping.dmp
- memory/1160-110-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/1160-84-0x0000000000000000-mapping.dmp
- memory/1160-103-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/1224-87-0x0000000000000000-mapping.dmp
- memory/1232-92-0x0000000000000000-mapping.dmp
- memory/1240-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp (Filesize: 8KB)
- memory/1240-62-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/1240-55-0x0000000074000000-0x00000000745AB000-memory.dmp (Filesize: 5.7MB)
- memory/1252-96-0x0000000000000000-mapping.dmp
- memory/1332-99-0x0000000000000000-mapping.dmp
- memory/1360-89-0x0000000000000000-mapping.dmp
- memory/1648-104-0x0000000000000000-mapping.dmp
- memory/1772-108-0x0000000000000000-mapping.dmp