Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2022 13:26

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General
Target: file.exe
Size: 218KB
MD5: 16b1904a41d5a106d93914dd3e6e71be
SHA1: 4f2a08f73cfe51f363760578588b19765eb36ec8
SHA256: 5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7
SHA512: 3a75d7d713b6382cc4720003bb8cfc7e2814ad9478ef7d6ded0f5b3bdfc59d6e5a7fda10fab7cd9a2231f57683e199fe7954e0e4ec19fc54c6ff8b42a2928e9a
SSDEEP: 3072:+NCxFYH1LI/4GHR7uvUZi6eVwCll7c58u7b/fOp2NHCDml:+02VLk40AUQcsc58mHkECa
Malware Config
Extracted: systembc
109.205.214.18:443
Signatures

Detects Smokeloader packer (1 IoC)
  resource: behavioral2/memory/4756-133-0x0000000002190000-0x0000000002199000-memory.dmp
  yara_rule: family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
  flow  pid   process
  52    4284  rundll32.exe
  75    4284  rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes: F801.exe, 421B.exe, gamnfns.exe
  pid   process
  2804  F801.exe
  3920  421B.exe
  4508  gamnfns.exe

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid   process
  4284  rundll32.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
  description                         pid   process       target process
  PID 4284 set thread context of 996  4284  rundll32.exe  rundll32.exe

Drops file in Program Files directory (19 IoCs)
Processes: rundll32.exe
All 19 entries are "File opened for modification" by rundll32.exe:
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll

Drops file in Windows directory (2 IoCs)
Processes: 421B.exe
  description                   ioc                           process
  File created                  C:\Windows\Tasks\gamnfns.job  421B.exe
  File opened for modification  C:\Windows\Tasks\gamnfns.job  421B.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes: WerFault.exe
  pid   pid_target  process       target process
  4880  2804        WerFault.exe  F801.exe
  4868  3920        WerFault.exe  421B.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: file.exe
  description     ioc                                               process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe

Checks processor information in registry (2 TTPs, 25 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
All 25 entries by rundll32.exe:
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
Modifies registry class (30 IoCs)
Processes: rundll32.exe
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  rundll32.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  rundll32.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  rundll32.exe
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings  rundll32.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094556073100054656d7000003a0009000400efbe6b55586c945561732e00000000000000000000000000000000000000000000000000aceb1d01540065006d007000000014000000
  Set value (int)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  rundll32.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
  Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid
  2632

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: file.exe
  pid   process   entries
  4756  file.exe  2
  2632            62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid
  2632

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: file.exe
  pid   process
  4756  file.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description                       pid   entries
  Token: SeShutdownPrivilege        2632  11
  Token: SeCreatePagefilePrivilege  2632  11

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: rundll32.exe
  pid  process
  996  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid
  2632
  2632

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: F801.exe, rundll32.exe
  description                       pid   process       target process  entries
  PID 2632 wrote to memory of 2804  2632                F801.exe        3
  PID 2804 wrote to memory of 4284  2804  F801.exe      rundll32.exe    3
  PID 2632 wrote to memory of 3920  2632                421B.exe        3
  PID 4284 wrote to memory of 996   4284  rundll32.exe  rundll32.exe    3
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\F801.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F801.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
          command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 532
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2804 -ip 2804

C:\Users\Admin\AppData\Local\Temp\421B.exe
  command line: C:\Users\Admin\AppData\Local\Temp\421B.exe
  - Executes dropped EXE
  - Drops file in Windows directory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 492
      - Program crash

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\ProgramData\qxqth\gamnfns.exe
  command line: C:\ProgramData\qxqth\gamnfns.exe start
  - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3920 -ip 3920

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k LocalService

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\3difr.dll",eR5bZlk5VVFa
Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.dll
  Filesize: 797KB
  MD5: f974b1983e6fbdd3a284c072d5dd9eb1
  SHA1: 795f2f80d41d7aa0d07b35b4271a6042f93f66ba
  SHA256: 6f36f042885a2ce32472b83dcd41b94702e53b0efc5fbbf8c648c974731ed938
  SHA512: a0237f7507e3f520fb8a2af70631658b5d5ce88d622009a4ee1e16221188e1d11cf349accb9815e256f949edc61dcad1cbe82146ca7dc867021074ed020a3878

C:\ProgramData\qxqth\gamnfns.exe
  Filesize: 218KB
  MD5: cdc67700f25eaed1417264c4bdec03d3
  SHA1: 56639e9414e6ee8394d940d62778475ddf071290
  SHA256: fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
  SHA512: a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\DeploymentConfiguration.xml
  Filesize: 614B
  MD5: 54cec4437128f703c259efb3dc734386
  SHA1: 9b15ebe33a771a7e12cd966fd8b583da06914015
  SHA256: d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4
  SHA512: c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
  Filesize: 2.3MB
  MD5: 4f738cde1a0491b140bfab4af53ff5a7
  SHA1: a14ed3d4fbc6a44cc1674bdb1c0336edf2095284
  SHA256: 9b4eb077bc1a8513882b4d7242ff2ee6b68ec537b079257e1cea85b7c12b671f
  SHA512: dfb866c900607cabb37f70132b615ab30fc2466bc21c2e0359c81c66b22dfb13661f24898fa3dcb711d3b39b683b8f02c3d8663e03f74cefea8d16de5434a490

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
  Filesize: 2.1MB
  MD5: 7d93fedf6fe60db2b1286f5726e7fc73
  SHA1: 39243f074cec5d3251dbf32275feb8b2a0359f49
  SHA256: 47e7ca8b11a520a080c26d2d8d4368937711ce8203ab7cf176df5260175379ee
  SHA512: f173e010fb97a7deda30f9150e180eb4583bc03d31ee8e8710fd406f47c6e14879ee5776c29fff55a92dcb50a26844d98b9f7e232e9680ae8151cd4475b8b86c

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 26KB
  MD5: 2bc8ee174a90308d275eda81bf42d95e
  SHA1: 284647d3ee515e4794d1984d2f01989f33121d2d
  SHA256: d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8
  SHA512: fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe.xml
  Filesize: 5KB
  MD5: 1944801cae061223e36fcce6aed6bfba
  SHA1: b465c53f3e6ae74fac368f36cbfc5842ce085e14
  SHA256: b903a7f4408a27d0b7a7c6316d04952508d67058216dffeca4293c9352727959
  SHA512: 82b0e3b1105a5d802839c3ea78b4e2dd800b819ee678d016b2f47203ceb27a638d195909ec1d0efbf46edbf910409d7ab4a05146fc902ef335b36bf14339498f

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe.xml
  Filesize: 1KB
  MD5: cf0330a44354655f192bc5f1976564e5
  SHA1: d993f0dbfdb68552bbf3381d07fb2b26b79e16aa
  SHA256: 9727e4d3cf3fcc5dcc364cd990f41a4be98d227b0ce975fa97cef0ef8eaa5b78
  SHA512: 36aeacbb9b0d6ed2a51d23376ab6e583c258c128bf3de0069523441dda98a68a65592792ebd883a7ea8f21768da91c9826a4551cf9e02c01480110941b6e401a

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
  Filesize: 855B
  MD5: dae188e1f4d8d97d8d65164eb0dda551
  SHA1: 78b54e226446825c56d15a19a3ed4b587a8842a2
  SHA256: 5bae5febdf75a2fe0b73791d603c7c9ac5de0d00dffc909b5dbc86bcd6dd15f2
  SHA512: 941d94c42572abcb937258e99a5d1b520c9f85ce741e81e81e7a299287ae9e8fb763fdc70b661a812c780f4b6997b84c8147791ac56f1510a87966c68ab23b22

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOutlook2016CAWin64.xml
  Filesize: 1KB
  MD5: 4b6a6960b925c7bd5b83d8a4196e24e4
  SHA1: f1bb8a50ffb8cce0804db90d2e3ecdbbbe3f460b
  SHA256: 5f45e2be37f33052a97235462325f5ae32d3713bdaa6eeeea49e92f0e9fc6ed0
  SHA512: 21f420212c86df357ad83079876d969bab0d089ac506d3dcfb1cfcb134f118a741491454e79538bf5c8d4d2b2ab1fc14d07d0cc3f263874396bd9546bf3b71b1

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SystemIndex.1.gthr
  Filesize: 9KB
  MD5: 965a2a9ee2ded00e2e95a74587e92b01
  SHA1: 3cb498c851d41846c973cad384d5a00a8a4ace9f
  SHA256: 5ce6ff5166d4f60940f300391ce63f469bc9d81f9a75299f9d5e4af019d40437
  SHA512: 185e998ae35d4ae62a500d27f4a98e9154f446842e9898a79cc7c5ac6ec7d05469dc1b8b648ddad60210ece5ec87334c8c2e239de40c2e49a6dd8db3d329430b

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.jcp
  Filesize: 8KB
  MD5: 2367dfc292b40e5d0a9fe8eda3ccf108
  SHA1: 79d410f12bd34d9546fbcacb3d796d1f33286ce3
  SHA256: c5b73b03e8764d923248910bdfb27f28e84fe16973e4d2492dedae01ee921552
  SHA512: 977ad803262d100a944e789f2dcad9fa1b038808efc39980bf1b56fbc854bfd7e59b97c36c918032057bcfc267751e056b98148c8b91c5fd0fd31ac38ba6ec3e

C:\Users\Admin\AppData\Local\Temp\421B.exe
  Filesize: 218KB
  MD5: cdc67700f25eaed1417264c4bdec03d3
  SHA1: 56639e9414e6ee8394d940d62778475ddf071290
  SHA256: fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
  SHA512: a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

C:\Users\Admin\AppData\Local\Temp\F801.exe
  Filesize: 1.1MB
  MD5: 3967f9e696a6bf35357fd4a240c4018e
  SHA1: 999bf859c09e824863ce2cd5222ef200f18bc95b
  SHA256: e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a
  SHA512: 0cc1f3d64120d9b00389ad45197393fa7fff01da006c3f6624f731e82c268a78dcdc26e13dd26e742984185b3c23c77c072132dc95c9de2696869538837b3103

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
  Filesize: 797KB
  MD5: 24925b25552a7d8f1d3292071e545920
  SHA1: f786e1d40df30f6fed0301d60c823b655f2d6eac
  SHA256: 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
  SHA512: 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

\??\c:\program files (x86)\windowspowershell\modules\3difr.dll
  Filesize: 797KB
  MD5: f974b1983e6fbdd3a284c072d5dd9eb1
  SHA1: 795f2f80d41d7aa0d07b35b4271a6042f93f66ba
  SHA256: 6f36f042885a2ce32472b83dcd41b94702e53b0efc5fbbf8c648c974731ed938
  SHA512: a0237f7507e3f520fb8a2af70631658b5d5ce88d622009a4ee1e16221188e1d11cf349accb9815e256f949edc61dcad1cbe82146ca7dc867021074ed020a3878

Memory dumps:
  memory/996-160-0x000001D0FF990000-0x000001D0FFAD0000-memory.dmp  Filesize: 1.2MB
  memory/996-163-0x0000000000100000-0x0000000000319000-memory.dmp  Filesize: 2.1MB
  memory/996-164-0x000001D0FF560000-0x000001D0FF78A000-memory.dmp  Filesize: 2.2MB
  memory/996-159-0x00007FF744736890-mapping.dmp
  memory/996-161-0x000001D0FF990000-0x000001D0FFAD0000-memory.dmp  Filesize: 1.2MB
  memory/2804-144-0x0000000000400000-0x000000000053E000-memory.dmp  Filesize: 1.2MB
  memory/2804-136-0x0000000000000000-mapping.dmp
  memory/2804-142-0x00000000021CF000-0x00000000022BD000-memory.dmp  Filesize: 952KB
  memory/2804-143-0x00000000022C0000-0x00000000023F0000-memory.dmp  Filesize: 1.2MB
  memory/3920-154-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
  memory/3920-171-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
  memory/3920-153-0x00000000004E0000-0x00000000004E9000-memory.dmp  Filesize: 36KB
  memory/3920-152-0x0000000000539000-0x000000000054A000-memory.dmp  Filesize: 68KB
  memory/3920-168-0x0000000000539000-0x000000000054A000-memory.dmp  Filesize: 68KB
  memory/3920-149-0x0000000000000000-mapping.dmp
  memory/3976-187-0x0000000003AB0000-0x00000000041D5000-memory.dmp  Filesize: 7.1MB
  memory/3976-175-0x0000000003AB0000-0x00000000041D5000-memory.dmp  Filesize: 7.1MB
  memory/4200-184-0x0000000000000000-mapping.dmp
  memory/4284-162-0x0000000004F59000-0x0000000004F5B000-memory.dmp  Filesize: 8KB
  memory/4284-158-0x0000000004EE0000-0x0000000005020000-memory.dmp  Filesize: 1.2MB
  memory/4284-147-0x0000000004EE0000-0x0000000005020000-memory.dmp  Filesize: 1.2MB
  memory/4284-148-0x0000000004EE0000-0x0000000005020000-memory.dmp  Filesize: 1.2MB
  memory/4284-155-0x0000000004EE0000-0x0000000005020000-memory.dmp  Filesize: 1.2MB
  memory/4284-146-0x0000000005D70000-0x0000000006495000-memory.dmp  Filesize: 7.1MB
  memory/4284-145-0x0000000005D70000-0x0000000006495000-memory.dmp  Filesize: 7.1MB
  memory/4284-165-0x0000000005D70000-0x0000000006495000-memory.dmp  Filesize: 7.1MB
  memory/4284-156-0x0000000004EE0000-0x0000000005020000-memory.dmp  Filesize: 1.2MB
  memory/4284-157-0x0000000004EE0000-0x0000000005020000-memory.dmp  Filesize: 1.2MB
  memory/4284-139-0x0000000000000000-mapping.dmp
  memory/4508-170-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
  memory/4508-169-0x00000000004B2000-0x00000000004C3000-memory.dmp  Filesize: 68KB
  memory/4756-132-0x00000000004F9000-0x0000000000509000-memory.dmp  Filesize: 64KB
  memory/4756-135-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
  memory/4756-134-0x0000000000400000-0x000000000045F000-memory.dmp  Filesize: 380KB
  memory/4756-133-0x0000000002190000-0x0000000002199000-memory.dmp  Filesize: 36KB