Analysis
- max time kernel: 123s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2022 17:10
Static task
- static1
Behavioral task
- behavioral1
  Sample: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
  Resource: win10v2004-20220812-en
General
- Target: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
- Size: 1.1MB
- MD5: 8a4cb873c04ffe6859dd5bb381fed9b2
- SHA1: c71cb06097a8172057c7dd0ca61c27e164c1939a
- SHA256: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
- SHA512: 352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd
- SSDEEP: 24576:cV/Gyl0a5nGoVsJIsk/DVdmsbzK8+2HDE0j1D3W9:u1F5nnsJvk/Tmsb2sHB7W9
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  12 | 4108 | rundll32.exe
  13 | 4108 | rundll32.exe
  52 | 4108 | rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DVA\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\DVA.dll㌀" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DVA\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\DVA.dll" | rundll32.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DVA\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes: rundll32.exe, svchost.exe
  pid | process
  4108 | rundll32.exe
  3468 | svchost.exe
  4380 | rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 4108 set thread context of 204 | 4108 | rundll32.exe | rundll32.exe
- Drops file in Program Files directory (40 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\pmd.cer | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\plugins.js | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\SignHere.pdf | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Protect_R_RHP.aapp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\open_original_form.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_Full.aapp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\IA32.api | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  4468 | 4820 | WerFault.exe | c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
- Checks processor information in registry (2 TTPs, 44 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe, rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
- Modifies registry class (5 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: svchost.exe
  pid | process
  3468 | svchost.exe
  3468 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: rundll32.exe
  description | pid | process
  Token: SeDebugPrivilege | 4108 | rundll32.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: rundll32.exe
  pid | process
  204 | rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe, rundll32.exe, svchost.exe
  description | pid | process | target process
  PID 4820 wrote to memory of 4108 | 4820 | c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe | rundll32.exe
  PID 4820 wrote to memory of 4108 | 4820 | c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe | rundll32.exe
  PID 4820 wrote to memory of 4108 | 4820 | c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe | rundll32.exe
  PID 4108 wrote to memory of 204 | 4108 | rundll32.exe | rundll32.exe
  PID 4108 wrote to memory of 204 | 4108 | rundll32.exe | rundll32.exe
  PID 4108 wrote to memory of 204 | 4108 | rundll32.exe | rundll32.exe
  PID 3468 wrote to memory of 4380 | 3468 | svchost.exe | rundll32.exe
  PID 3468 wrote to memory of 4380 | 3468 | svchost.exe | rundll32.exe
  PID 3468 wrote to memory of 4380 | 3468 | svchost.exe | rundll32.exe
- outlook_office_path (1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
- outlook_win_path (1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe (PID 4820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4108)
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
    Signatures: Blocklisted process makes network request; Sets DLL path for service in the registry; Sets service image path in registry; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; Drops file in Program Files directory; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\system32\rundll32.exe (PID 204)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23986
      Signatures: Modifies registry class; Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe (PID 828)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 632)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe (PID 4468)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 528
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4720)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4820 -ip 4820
- C:\Windows\System32\rundll32.exe (PID 4648)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\svchost.exe (PID 3468)
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  Signatures: Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4380)
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\dva.dll",mV47WFJXU2NT
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.dll
  Filesize: 726KB
  MD5: 73b31f274b20093282ef6dfd45e02052
  SHA1: 588e215ded09878bfc986ea82f28c3a1b56992d1
  SHA256: 39ef4edde5099d5177fee26d0ae233739c1616a92b04bed5ccc9c81563b9dc0b
  SHA512: cf844f25dbef95b994edee21ad587715cc8650408de165769e23a0f3df2428de7a14f729fbc573878198302c2e14afb62e7eecb4c102b5006a066cfe41108c3d
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.powerpointmui.msi.16.en-us.xml
  Filesize: 27KB
  MD5: e9ed7134ebf28fea3f7aa5691a28438a
  SHA1: ea1e55c279ed9f8dae333ae436204d8d67d46adf
  SHA256: 8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28
  SHA512: 535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\CiST0000.000
  Filesize: 240B
  MD5: aaafafa2062f5e73e13d15c88e85bd0b
  SHA1: b53df7eeed7a4de3daaa77ea8b75204521e37b72
  SHA256: b789f340022b08ca918bab1c1bf0b93a903c6289f4a2b566aeeaee0fdb7bbd67
  SHA512: b9d6d9a0af57473d4944de4b437b10d45fcb1cd86be0284e6a50f3837ee66225b63d0babb0f357e5e964e09227935be0512b0756f367cf6fa82f325fe19568b4
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_8_12_19_30_52.etl
  Filesize: 256KB
  MD5: 283a4cf597b209e42e4beca22f43063d
  SHA1: a5ecff128c6c41a9882d1a5dd70300aef8811312
  SHA256: 0722cbcf645501ff880b4900d6c4314c4a5d4f2b030a1ad78e9a03994be3ebf4
  SHA512: 1ab412a977706a876c89577f66965121a4ca638c4c8370547b6d9f531aeffb4c8d91562844eb77fb37af260435c01506bacc2f790482c886a42a0c4312303b48
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 1KB
  MD5: 6c2429d1fdb4a93ebca14340b9fb8fb7
  SHA1: e757fc9e129850598fff1931d496fb7c7b21d4d6
  SHA256: 52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285
  SHA512: bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
  Filesize: 13KB
  MD5: c7405e2e68aec89e44862595ccc0d186
  SHA1: 2cc8d73f93dd875134917795633bb606911f1069
  SHA256: 9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37
  SHA512: 0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe.xml
  Filesize: 9KB
  MD5: 993d82e37af681bd65f1d428b6ee281e
  SHA1: bb1a8402cfccd1d97ea58d6136847a4dd1ba0f65
  SHA256: 1bc1d4525a46e58edd165a9d792f50441ea3cbcecd14022dc112e02f3d9b5bf8
  SHA512: 4eb247e384ffa84460e43abe7563643de30f397b628c02f3e6e51c69669d5d7b8be6ebe51355586e5cd5a252652e0eef7f1bd0219b416b61e1db318db4ac833c
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
  Filesize: 855B
  MD5: 7ec956334fec33862a86ae1d3db724f5
  SHA1: 009ef40b310d0068ec42c3ec85a424a147e9e712
  SHA256: c861b14bdbc003a3029af12487b4b01b9e3ece914afc6029b4cf59eb3156e3d7
  SHA512: ba478d4138c56b6a5e89a0daa58234a2c872e39684c946711b0fc972e63a91ab97bbb5e8300e03094e8fc243f8bf39e1931162bf95762142998428faf69c2af9
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml
  Filesize: 15KB
  MD5: 2f71d0396b93381c1fd86bf822612868
  SHA1: d0801700dd00a51276f32c6ed19f5b713b5db825
  SHA256: 0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026
  SHA512: 67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
  Filesize: 839B
  MD5: 2f6bc19cc3de731b8eaec46910edaf83
  SHA1: 61fd41f1fd1e4c6d7178a204c8ab68add839a199
  SHA256: 6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966
  SHA512: 841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013Office365Win64.xml
  Filesize: 10KB
  MD5: 46353bb25b4eb2e9d26a25744c716563
  SHA1: a9a9c2a1260542b5246fd642425dcc2a29a098c1
  SHA256: 3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893
  SHA512: 09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013Win64.xml
  Filesize: 66KB
  MD5: c08e2d9084398ad29bb453183bb2155d
  SHA1: 285b0d897ff73444a74bf9e253d30f7cb1f4f2be
  SHA256: 9ddc306cee7a71d98fe59c39ce5fb74cc7e36c54a55cc46f2e8136c12e890418
  SHA512: d032acce3071bb26d688aa4a816d09b6852c3ccb179f66a0001038b94f556a4b04401e02a4dc3b8eb7f4c4aa0fb74aa009a5db786972c56cb08d5dbeeaefad83
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2016BackupWin32.xml
  Filesize: 12KB
  MD5: ffbc41d3c63bccdca27c2c88ab0e85c4
  SHA1: f3923962734058dc0b91515b2981d1eb33f8a8dd
  SHA256: caf2eef3b42d36b4d6d4a24597557a7feada559e99abedb56287248286531dea
  SHA512: 9da5dd978c9faa7de1552117207fb694e97f895b054a457ffe0b9444251e7203774b142ee558317136dd8f240c12f7309b137eb930417c181c404f8318a3f8fa
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\RegisterInboxTemplates.ps1
  Filesize: 611B
  MD5: 05f7a98933d942ced40039a39cdb3fda
  SHA1: c7d59ec61f4e454b0c8e38d921fb5e7f127ee46d
  SHA256: a9b8f3753fb1adf3fdd9558cd49e0be28d0fd781eb192ff9e8b0cc736ee173eb
  SHA512: dc01d47114be1fece3b4a87498194ae8c102d863f384e4b45009d5ddc8e1bfe77ecab99bf8ea76c53177a847b312f5a743ac9f06eb4a3619b91ec2adf19d4f34
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
  Filesize: 2.3MB
  MD5: afc346fde79e567a4549fcb6c99a9cca
  SHA1: b6bda7ba4d94b4e26f90723e4b5cf13925169856
  SHA256: e30a702b657b7e4f96bdf4a5d87d3958e9c03e07490cb06dd530fcaa27d83ab6
  SHA512: 6ce60a7b178a7de1b09551f1dd6f62fc7b3b5974ce65f62f77dfeb8e4e9d4d72b055afc5d9cd38ecf43448adb1a9df8ca1f9d25cc876fb0aacc2b5666f1cf821
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
  Filesize: 1KB
  MD5: 66963736ebb1e54dc596701206eaed3f
  SHA1: 18bc8dfc779d407398af193f3d265ff93f253bc2
  SHA256: fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b
  SHA512: 96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\scan_settings.ico
  Filesize: 62KB
  MD5: 8f6abfe0c274c41c3ad3c1becf2317f5
  SHA1: 6dc69b46e569ca11e3ec081293df69a6d115674c
  SHA256: d660f44fb7efbfdcec4cba821fea1be0977e3f66cc709b313edf9ead575994a5
  SHA512: ed474a6d52df65b5bf7a1bd81d54458a1258571f16b28ce043189815bf6dc57c49cb31c6f48fed9791de6b69f93331282a0c6e76e54d488ddad7e30d2333a1b2
- C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
  Filesize: 726KB
  MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
  SHA1: 6b244d708706441095ae97294928967ddf28432b
  SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
  SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
- \??\c:\program files (x86)\windowspowershell\modules\dva.dll
  Filesize: 726KB
  MD5: 73b31f274b20093282ef6dfd45e02052
  SHA1: 588e215ded09878bfc986ea82f28c3a1b56992d1
  SHA256: 39ef4edde5099d5177fee26d0ae233739c1616a92b04bed5ccc9c81563b9dc0b
  SHA512: cf844f25dbef95b994edee21ad587715cc8650408de165769e23a0f3df2428de7a14f729fbc573878198302c2e14afb62e7eecb4c102b5006a066cfe41108c3d
- memory/204-151-0x000001CCA7820000-0x000001CCA7A4A000-memory.dmp
  Filesize: 2.2MB
- memory/204-150-0x0000000000370000-0x0000000000589000-memory.dmp
  Filesize: 2.1MB
- memory/204-148-0x000001CCA9060000-0x000001CCA91A0000-memory.dmp
  Filesize: 1.2MB
- memory/204-147-0x000001CCA9060000-0x000001CCA91A0000-memory.dmp
  Filesize: 1.2MB
- memory/204-146-0x00007FF6935F6890-mapping.dmp
- memory/632-179-0x0000000000000000-mapping.dmp
- memory/828-178-0x0000000000000000-mapping.dmp
- memory/3468-156-0x0000000003270000-0x0000000003995000-memory.dmp
  Filesize: 7.1MB
- memory/3468-173-0x0000000003270000-0x0000000003995000-memory.dmp
  Filesize: 7.1MB
- memory/3468-180-0x0000000003270000-0x0000000003995000-memory.dmp
  Filesize: 7.1MB
- memory/4108-145-0x0000000005770000-0x00000000058B0000-memory.dmp
  Filesize: 1.2MB
- memory/4108-138-0x0000000004F80000-0x00000000056A5000-memory.dmp
  Filesize: 7.1MB
- memory/4108-132-0x0000000000000000-mapping.dmp
- memory/4108-144-0x0000000005770000-0x00000000058B0000-memory.dmp
  Filesize: 1.2MB
- memory/4108-143-0x0000000005770000-0x00000000058B0000-memory.dmp
  Filesize: 1.2MB
- memory/4108-142-0x0000000005770000-0x00000000058B0000-memory.dmp
  Filesize: 1.2MB
- memory/4108-140-0x0000000005770000-0x00000000058B0000-memory.dmp
  Filesize: 1.2MB
- memory/4108-141-0x0000000005770000-0x00000000058B0000-memory.dmp
  Filesize: 1.2MB
- memory/4108-139-0x0000000004F80000-0x00000000056A5000-memory.dmp
  Filesize: 7.1MB
- memory/4108-152-0x0000000004F80000-0x00000000056A5000-memory.dmp
  Filesize: 7.1MB
- memory/4108-149-0x00000000057E9000-0x00000000057EB000-memory.dmp
  Filesize: 8KB
- memory/4380-176-0x0000000004B10000-0x0000000005235000-memory.dmp
  Filesize: 7.1MB
- memory/4380-177-0x0000000004B10000-0x0000000005235000-memory.dmp
  Filesize: 7.1MB
- memory/4380-172-0x0000000000000000-mapping.dmp
- memory/4820-135-0x0000000000400000-0x0000000000517000-memory.dmp
  Filesize: 1.1MB
- memory/4820-134-0x0000000002400000-0x0000000002515000-memory.dmp
  Filesize: 1.1MB
- memory/4820-133-0x0000000002283000-0x0000000002359000-memory.dmp
  Filesize: 856KB