Analysis
  max time kernel: 86s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-03-2023 03:15

  Static task: static1
  Behavioral task behavioral1: sample asdf.exe, resource win7-20230220-en
  Behavioral task behavioral2: sample asdf.exe, resource win10v2004-20230220-en
  (the results below are from the win10v2004-20230220-en run)
General
  Target: asdf.exe
  Size:   259KB
  MD5:    9a0a28352da8fb0dcdc8320450a7ebf8
  SHA1:   36a7c488e2d0d6633feab2ffb33dd714ae4e5612
  SHA256: 2044f2f407beaed23a1bd832e34a48266e936090fe2b064f65d8b5c34b208dce
  SHA512: a75a78bf88281129953032f760d6813b3f261d21893f9c35224a5a4fa32708439a832cf49f70c3a8661aa817e3281dd4f5a60c3b242b7800972474d716285eaf
  SSDEEP: 3072:IomnzVincQDKgc/7SSCbwFtOLy/ycpZxCB0LYnbfaR00n:ItZHSd4t/aGiMYu
Malware Config
  Extracted from: C:\Program Files\7-Zip\readme-warning.txt
  Family: makop
  Contact addresses in the note:
    mammon0503@tutanota.com
    mammon0503@protonmail.com
    samsung00700@tutanota.com
    pecunia0318@goat.si
Signatures

- Makop
  Ransomware family discovered by @VK_Intel in early 2020.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes:
    PID 4416  wbadmin.exe

- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (asdf.exe):
    File opened for modification  C:\Users\Admin\Pictures\UnpublishTrace.tiff
    File opened for modification  C:\Users\Admin\Pictures\NewUndo.tiff

- Loads dropped DLL (2 IoCs)
  Processes:
    PID 4188  asdf.exe
    PID 4716  asdf.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 4188 (asdf.exe) set thread context of PID 1156 (asdf.exe)
    PID 4716 (asdf.exe) set thread context of PID 3824 (asdf.exe)
- Drops file in Program Files directory (64 IoCs)
  Processes (asdf.exe):
    File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\resources.pri
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\PhtoMDL2.ttf
    File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\readme-warning.txt
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-150_contrast-black.png
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-60.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt
    File opened for modification  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\GlowInTheDark.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\ui-strings.js
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-256_altform-unplated.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-125.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml
    File opened for modification  C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-180.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-125.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons.png
    File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\readme-warning.txt
    File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeNullOrEmpty.snippets.ps1xml
    File opened for modification  C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt_3.103.1.v20140903-1938.jar
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-white.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-125_contrast-white.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-125.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-lightunplated.png
    File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\readme-warning.txt
    File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\it.pak
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-unplated.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-lightunplated.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\resources.pri
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar
    File created                  C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\readme-warning.txt
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\dd_arrow_small.png
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms
    File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\SmallTile.scale-125.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\23.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.NetworkTroubleshooter.winmd
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-200.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  The reads here are attributed to vds.exe (the Windows Virtual Disk Service, started on demand through vdsldr.exe -Embedding, see the process tree), not to asdf.exe itself, so treat this hit as a side effect of the storage enumeration rather than as evidence of a sandbox check in the sample.
  Processes (vds.exe):
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID 1300  vssadmin.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 1156  asdf.exe (recorded twice)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    PID 4188  asdf.exe
    PID 4716  asdf.exe

- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  All three processes are Windows components acting on the sample's behalf: vssvc.exe is the Volume Shadow Copy service and wbengine.exe the backup engine behind wbadmin.exe; both enable backup/restore privileges to service the deletion requests. WMIC.exe enables a broad privilege set before running wmic shadowcopy delete (the numeric entries are privilege LUIDs the report did not resolve to names).
  Processes:
    PID 3864  vssvc.exe     SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    PID 1672  wbengine.exe  SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
    PID 3796  WMIC.exe      the following 21 privileges, the whole sequence recorded twice:
                            SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
                            SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
                            SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
                            SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                            SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
                            SeManageVolumePrivilege, 33, 34, 35, 36

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source -> target, number of writes recorded):
    PID 4188 asdf.exe -> PID 1156 asdf.exe      4
    PID 1156 asdf.exe -> PID 4620 cmd.exe       2
    PID 4620 cmd.exe  -> PID 1300 vssadmin.exe  2
    PID 4620 cmd.exe  -> PID 4416 wbadmin.exe   2
    PID 4620 cmd.exe  -> PID 3796 WMIC.exe      2
    PID 4716 asdf.exe -> PID 3824 asdf.exe      4

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
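Added example, not part of the sandbox report: the file-event IoCs under "Drops file in Program Files directory" and "Modifies extensions of user files" carry two triage facts that are easy to pull out mechanically, the ransom-note filename (the one basename that is created, not modified, once per directory walked) and which directory trees the encryption pass touched. The script below does that over a constructed subset of the report's own event lines, in the report's "<action> <path>" shape; the function names and the min_dirs threshold are my own choices.

```python
"""Triage helpers for sandbox file-event lines of the form
'File created <path>' / 'File opened for modification <path>'."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of the event lines listed in this report's signatures.
FILE_EVENTS: List[str] = [
    r"File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\resources.pri",
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\readme-warning.txt",
    r"File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1",
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\readme-warning.txt",
    r"File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg",
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\readme-warning.txt",
    r"File created C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\readme-warning.txt",
    r"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\it.pak",
    r"File opened for modification C:\Users\Admin\Pictures\UnpublishTrace.tiff",
    r"File opened for modification C:\Users\Admin\Pictures\NewUndo.tiff",
]

EVENT_RE = re.compile(r"^(File created|File opened for modification)\s+(.+?)\s*$")


def parse_events(lines: List[str]) -> List[Tuple[str, PureWindowsPath]]:
    """Split each '<action> <path>' line into (action, path); skip lines that
    do not match (paths may contain spaces, so the action prefix anchors it)."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group(1), PureWindowsPath(m.group(2))))
    return events


def infer_note_name(events, min_dirs: int = 3) -> Optional[Tuple[str, int]]:
    """Guess the ransom-note filename: the created basename seen in the most
    distinct directories. A note is dropped once per folder walked, so it
    dominates 'File created' events, while encrypted files are modified in
    place. Returns (name, directory_count) or None below the threshold."""
    dirs_by_name: Dict[str, Set[str]] = defaultdict(set)
    for action, path in events:
        if action == "File created":
            dirs_by_name[path.name.lower()].add(str(path.parent).lower())
    if not dirs_by_name:
        return None
    name, dirs = max(dirs_by_name.items(), key=lambda kv: len(kv[1]))
    return (name, len(dirs)) if len(dirs) >= min_dirs else None


def root_key(path: PureWindowsPath, depth: int = 1) -> str:
    """Drive plus the first `depth` directory components of a path."""
    return str(PureWindowsPath(*path.parts[: depth + 1]))


def modified_by_root(events, depth: int = 1) -> Counter:
    """Count 'opened for modification' events per top-level directory, to see
    which trees the encryption pass walked."""
    return Counter(root_key(p, depth) for a, p in events
                   if a == "File opened for modification")


def modified_extensions(events, under: str) -> Counter:
    """Extensions of files modified below `under` (case-insensitive prefix).
    On a real host, diff this against a pre-incident baseline to spot the
    appended ransomware extension the report itself does not name."""
    prefix = under.lower()
    return Counter(p.suffix.lower() for a, p in events
                   if a == "File opened for modification"
                   and str(p).lower().startswith(prefix))


if __name__ == "__main__":
    ev = parse_events(FILE_EVENTS)
    print("ransom note candidate:", infer_note_name(ev))
    print("modifications per root:", dict(modified_by_root(ev)))
    print("user-file extensions:", dict(modified_extensions(ev, r"C:\Users")))
```

On the subset above the note candidate is readme-warning.txt in four distinct directories, which agrees with the Malware Config entry extracted from C:\Program Files\7-Zip\readme-warning.txt.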
Processes
(tree as recorded; PIDs are taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\asdf.exe  (PID 4188)
  command line: "C:\Users\Admin\AppData\Local\Temp\asdf.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\asdf.exe  (PID 1156, SetThreadContext target of 4188)
    command line: "C:\Users\Admin\AppData\Local\Temp\asdf.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\asdf.exe  (PID 4716)
      command line: "C:\Users\Admin\AppData\Local\Temp\asdf.exe" n1156
      (the n1156 argument matches the PID of the parent asdf.exe instance)
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\asdf.exe  (PID 3824, SetThreadContext target of 4716)
        command line: "C:\Users\Admin\AppData\Local\Temp\asdf.exe" n1156

    C:\Windows\system32\cmd.exe  (PID 4620)
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe  (PID 1300)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

      C:\Windows\system32\wbadmin.exe  (PID 4416)
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog

      C:\Windows\System32\Wbem\WMIC.exe  (PID 3796)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  (PID 3864)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe  (PID 1672)
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
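Added example, not part of the sandbox report: the process tree above shows the two behaviours a detection engineer would want to correlate rather than alert on separately, the backup-destruction chain (asdf.exe -> cmd.exe -> vssadmin/wbadmin/wmic) and the self-injection pairs (an asdf.exe that writes to, and then sets the thread context of, a second asdf.exe). The script below performs that correlation over records transcribed from this report; the record layout, the ATT&CK T1490 (Inhibit System Recovery) label and the function names are my own, not the sandbox's.

```python
"""Correlate process-creation records and API-monitor IoC lines into
(1) recovery-inhibition hits tied back to the root of their process chain
and (2) self-injection pairs of the shape recorded in this report."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Process records built from the report's process tree (constructed input).
# ppid None marks a root of the tree.
PROCESSES: List[Dict] = [
    {"pid": 4188, "ppid": None, "image": "asdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\asdf.exe"'},
    {"pid": 1156, "ppid": 4188, "image": "asdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\asdf.exe"'},
    {"pid": 4716, "ppid": 1156, "image": "asdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\asdf.exe" n1156'},
    {"pid": 3824, "ppid": 4716, "image": "asdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\asdf.exe" n1156'},
    {"pid": 4620, "ppid": 1156, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 1300, "ppid": 4620, "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4416, "ppid": 4620, "image": "wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 3796, "ppid": 4620, "image": "WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# API-monitor lines in the shape the report's IoC tables use (constructed).
API_EVENTS: List[str] = [
    "PID 4188 set thread context of 1156 4188 asdf.exe asdf.exe",
    "PID 4716 set thread context of 3824 4716 asdf.exe asdf.exe",
    "PID 4188 wrote to memory of 1156 4188 asdf.exe asdf.exe",
    "PID 1156 wrote to memory of 4620 1156 asdf.exe cmd.exe",
    "PID 4620 wrote to memory of 1300 4620 cmd.exe vssadmin.exe",
    "PID 4716 wrote to memory of 3824 4716 asdf.exe asdf.exe",
]

# Command lines that destroy recovery data; the T1490 label is my mapping.
RECOVERY_INHIBIT: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "T1490 vssadmin delete shadows"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I), "T1490 wbadmin delete catalog"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "T1490 wmic shadowcopy delete"),
]

API_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")


def _by_pid(processes: List[Dict]) -> Dict[int, Dict]:
    return {p["pid"]: p for p in processes}


def ancestry(pid: int, processes: List[Dict]) -> List[int]:
    """PIDs from `pid` up to its root, following ppid links."""
    table = _by_pid(processes)
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None and cur in table:
        chain.append(cur)
        cur = table[cur]["ppid"]
    return chain


def find_recovery_inhibition(processes: List[Dict]) -> List[Tuple[int, str, int]]:
    """(pid, label, root_pid) for each command line matching RECOVERY_INHIBIT;
    root_pid ties the vssadmin/wbadmin/wmic child back to the process that
    started the chain (the first asdf.exe here), which is the thing to kill."""
    hits = []
    for p in processes:
        for pattern, label in RECOVERY_INHIBIT:
            if pattern.search(p["cmdline"]):
                hits.append((p["pid"], label, ancestry(p["pid"], processes)[-1]))
    return hits


def find_self_injection(api_events: List[str], processes: List[Dict]) -> Set[Tuple[int, int]]:
    """(src, dst) pairs where src both wrote to dst's memory and replaced its
    thread context, and both run the same image name. Writes alone (such as
    cmd.exe -> vssadmin.exe, which the sandbox also logs) are not reported."""
    table = _by_pid(processes)
    wrote: Set[Tuple[int, int]] = set()
    set_ctx: Set[Tuple[int, int]] = set()
    for line in api_events:
        m = API_RE.match(line)
        if not m:
            continue
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        (set_ctx if action.startswith("set thread") else wrote).add((src, dst))
    return {(s, d) for (s, d) in wrote & set_ctx
            if s in table and d in table
            and table[s]["image"].lower() == table[d]["image"].lower()}


if __name__ == "__main__":
    for pid, label, root in find_recovery_inhibition(PROCESSES):
        print(f"{label}: pid {pid}, chain root pid {root}")
    print("self-injection pairs:", sorted(find_self_injection(API_EVENTS, PROCESSES)))
```

The same two rules carry over to endpoint telemetry: the command-line patterns map onto process-creation events, and the write-plus-thread-context pair onto whatever the EDR exposes for cross-process memory writes and thread manipulation.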
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Program Files\7-Zip\readme-warning.txt
  Filesize: 1KB
  MD5:    0f44a19896202f3a9f8dd0747e54c5eb
  SHA1:   03f490800892428e0791deeccbe5fa56b0b97226
  SHA256: 994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef
  SHA512: f5323173a37308cdaf5c8480c4a4a3536211a41d2c52eb87a0c1a187f0c590e062507cdeca3720ae67a4b3579a0aa65da3da1f57014e101336f275b921e2b5f6

- C:\Users\Admin\AppData\Local\Temp\nsc81F7.tmp\System.dll
  Filesize: 11KB
  MD5:    0063d48afe5a0cdc02833145667b6641
  SHA1:   e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

- C:\Users\Admin\AppData\Local\Temp\nsy90AD.tmp\System.dll
  Same content as nsc81F7.tmp\System.dll; the two ns*.tmp directories correspond to the two asdf.exe instances flagged for "Loads dropped DLL" (PID 4188 and PID 4716). The report listed this entry twice; the duplicate is dropped here.
  Filesize: 11KB
  MD5:    0063d48afe5a0cdc02833145667b6641
  SHA1:   e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

- C:\Users\Admin\AppData\Roaming\843795456 (first capture)
  Filesize: 57KB
  MD5:    8a9d30b739f21522b79d9c7fb582e56d
  SHA1:   db2593c6aeda57946dd2540a3af807fd63957fce
  SHA256: 056bbd47c7b226a83bcf053e3b05e72026828f2f996be88c236e803830b92157
  SHA512: f3a301aef0e49b2ef65bef5936483dcbda33b81f8a2dfcf46ab44d9b8f21a409f5b5d05973752376374ba51f018addfd6dc3a1347511f9814f35ee2f64616e66

- C:\Users\Admin\AppData\Roaming\843795456 (second capture; same path, different content)
  Filesize: 57KB
  MD5:    99792628d18aa0e41870a6e5d685bfb2
  SHA1:   36765c46d3a7cee7ef5034aaf7692a9e8f893be3
  SHA256: 54fb8a7da6530096d63df4d55123de5813eae41f5185be74a5ec829aa49ec417
  SHA512: b723c307c0220783aac3a59c0cb1bf687701256b35990ecc758a7d7b91c05f5e02c7150d289ae715a756dc7181cc71a48960176347e2777d14eafe180f154183

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk (first capture)
  Filesize: 1KB
  MD5:    ca35ee8667aa4fcee684e8994716e35a
  SHA1:   99b97a8e7b74b8d3aed2e983b97c117f28c3efdf
  SHA256: 3eb2b4e12219d2e117d18fac8c6185d1c978f75d3f38b3593fccf4360d7b6a59
  SHA512: 71aa26c84450c2afe9f753d34f6297bc86490734515ae7074f26be34e7edfff517c809794f68130fa792782ef188bfe99fc7de5caf9a85729bea1570ed5a8d22

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk (second capture; same path, different content)
  Filesize: 1KB
  MD5:    49a3f542561d13c94f79de49e708e8e6
  SHA1:   cac978cfd97e117d26c49ea8f7bf3c927d1e1625
  SHA256: 5a7a222312aeb17d1735e2a57bb96c9b3be07e6d21b9d7f864a107e96d4220df
  SHA512: 8785d485aeb9b41a0accd9621a10c62559515d8be0f7c24760eb355b27daeb7796d2dd92b356563dedbf69bb8d49060950c7c26255036c2ed3e917da28b88c75

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk (first capture)
  Filesize: not recorded. All four digests are those of zero-byte input, i.e. the file was captured before anything was written to it. These values match every empty file and must not be used as indicators.
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk (second capture)
  Filesize: 1KB
  MD5:    b76bb554128b1b4a2d414e1a97df5baa
  SHA1:   d92e788db63fc811d90fd0495b4dd686520c452c
  SHA256: 80fef590814547c025297f43141602b96a4c79737ede6719698cf88dca7d30a6
  SHA512: 6f84db9e2e0eb109b93a580321f7ce9ce4d9ea4d25f599359d70e0e8eeb7b287b100dad811254d5c783d788f1dda3337bb1ed060201e58b2722410a6df51a2c9

Memory dumps
  All nine dumps cover the region 0x0000000000400000-0x000000000041E000 (120KB) in PID 1156 and PID 3824, the two asdf.exe instances that received SetThreadContext from their parents; this is the region to carve for the unpacked payload.
  memory/1156-155-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/1156-17175-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/1156-211-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/1156-143-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/1156-141-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/1156-20396-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/3824-1133-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/3824-1156-0x0000000000400000-0x000000000041E000-memory.dmp
  memory/3824-9279-0x0000000000400000-0x000000000041E000-memory.dmp
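Added example, not part of the sandbox report: before the hash list above is turned into indicators it needs three sanity checks, dropping entries whose digests are those of zero-byte input (the first qasdadsdsd.lnk capture), collapsing the same content listed under several paths (the two ns*.tmp\System.dll copies), and noting paths captured with more than one content hash (843795456, the .lnk files). The script below does this over entries transcribed from the report, and also verifies a file you have in hand against an entry; the entry layout and function names are my own.

```python
"""Sanity checks on a sandbox dropped-file hash list and verification of a
local buffer against a listed entry."""
import hashlib
from collections import defaultdict
from typing import Dict, List

DIGEST_NAMES = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory buffer for the four algorithms the report uses."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_NAMES}


# Digests of zero-byte input; any entry carrying these describes an empty file.
EMPTY_DIGESTS = digests(b"")

# Subset of the Downloads entries above (constructed from the report).
REPORT_ENTRIES: List[Dict[str, str]] = [
    {"path": r"C:\Program Files\7-Zip\readme-warning.txt",
     "md5": "0f44a19896202f3a9f8dd0747e54c5eb",
     "sha256": "994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\nsc81F7.tmp\System.dll",
     "md5": "0063d48afe5a0cdc02833145667b6641",
     "sha256": "ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\nsy90AD.tmp\System.dll",
     "md5": "0063d48afe5a0cdc02833145667b6641",
     "sha256": "ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7"},
    {"path": r"C:\Users\Admin\AppData\Roaming\843795456",
     "md5": "8a9d30b739f21522b79d9c7fb582e56d",
     "sha256": "056bbd47c7b226a83bcf053e3b05e72026828f2f996be88c236e803830b92157"},
    {"path": r"C:\Users\Admin\AppData\Roaming\843795456",
     "md5": "99792628d18aa0e41870a6e5d685bfb2",
     "sha256": "54fb8a7da6530096d63df4d55123de5813eae41f5185be74a5ec829aa49ec417"},
    {"path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk",
     "md5": "b76bb554128b1b4a2d414e1a97df5baa",
     "sha256": "80fef590814547c025297f43141602b96a4c79737ede6719698cf88dca7d30a6"},
]


def is_empty_file_entry(entry: Dict[str, str]) -> bool:
    """True when the entry's MD5 and SHA256 are those of zero-byte input."""
    return all(entry.get(n) == EMPTY_DIGESTS[n] for n in ("md5", "sha256"))


def unique_by_sha256(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """sha256 -> sorted distinct paths that carried that content."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["sha256"]].add(e["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def rewritten_paths(entries: List[Dict[str, str]]) -> List[str]:
    """Paths captured with more than one sha256 (written, then overwritten)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["path"]].add(e["sha256"])
    return sorted(p for p, hashes in seen.items() if len(hashes) > 1)


def usable_indicators(entries: List[Dict[str, str]]) -> List[str]:
    """Distinct sha256 values worth keeping as IoCs; empty-file digests dropped."""
    return sorted({e["sha256"] for e in entries if not is_empty_file_entry(e)})


def matches_entry(data: bytes, entry: Dict[str, str]) -> bool:
    """Check a buffer against every digest the entry records (all must agree)."""
    actual = digests(data)
    checked = [n for n in DIGEST_NAMES if n in entry]
    return bool(checked) and all(actual[n] == entry[n] for n in checked)


if __name__ == "__main__":
    print("empty-file entries:", [e["path"] for e in REPORT_ENTRIES if is_empty_file_entry(e)])
    print("rewritten paths:", rewritten_paths(REPORT_ENTRIES))
    print("usable sha256 indicators:", len(usable_indicators(REPORT_ENTRIES)))
```

Feeding the block a file read from disk (matches_entry(open(p, "rb").read(), entry)) is the quickest way to confirm that a sample pulled from a different source is the same object the report analysed.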