Analysis
-
max time kernel
17s -
max time network
26s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
20-03-2023 13:40
Behavioral task
behavioral1
Sample
Eterna.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Eterna.exe
Resource
win10v2004-20230221-en
General
-
Target
Eterna.exe
-
Size
4.2MB
-
MD5
4b16139ce122c3d0dc2c15a04b1d5110
-
SHA1
9e3321d739ff3813e4289d6dcb177ae3beb93eb5
-
SHA256
6e5f7ac150e500bc95e33a16b8a6c6a80f750145fd428b16c83ec4e6f21dc957
-
SHA512
1df0388665e159f2dd26536150b2cab670d9fc7f58cf686dd074dd68875ad9f9793c5139b66bf0ea621b3c41afd2503455ee66c5b71ad9b497f29cde2b8f3b4d
-
SSDEEP
98304:xIC4bj8JKA9CYVzVJnUxnwsipGxnP3c4+qrUrAqFjrYolcfEBNHA40lZf:WC4bAJPFVJnUxw3UlPcIUrAqFjEEbBNy
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Eterna.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Eterna.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Eterna.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Eterna.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Eterna.exe -
Processes:
resource yara_rule behavioral2/memory/2076-133-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp themida behavioral2/memory/2076-134-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp themida behavioral2/memory/2076-135-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp themida behavioral2/memory/2076-136-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp themida behavioral2/memory/2076-137-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp themida behavioral2/memory/2076-147-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp themida -
Processes:
Eterna.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Eterna.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exedescription ioc process File opened (read-only) \??\D: explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Eterna.exepid process 2076 Eterna.exe -
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 560 vssadmin.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4992 taskkill.exe -
Modifies registry class 10 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2805025096-2326403612-4231045514-1000\{7DCC6AAE-EE72-469E-A981-C3CD240399E9} explorer.exe Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Eterna.exepid process 2076 Eterna.exe 2076 Eterna.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
taskkill.exeexplorer.exedescription pid process Token: SeDebugPrivilege 4992 taskkill.exe Token: SeShutdownPrivilege 3608 explorer.exe Token: SeCreatePagefilePrivilege 3608 explorer.exe Token: SeShutdownPrivilege 3608 explorer.exe Token: SeCreatePagefilePrivilege 3608 explorer.exe Token: SeShutdownPrivilege 3608 explorer.exe Token: SeCreatePagefilePrivilege 3608 explorer.exe Token: SeShutdownPrivilege 3608 explorer.exe Token: SeCreatePagefilePrivilege 3608 explorer.exe Token: SeShutdownPrivilege 3608 explorer.exe Token: SeCreatePagefilePrivilege 3608 explorer.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
explorer.exepid process 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe -
Suspicious use of SendNotifyMessage 11 IoCs
Processes:
explorer.exepid process 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe 3608 explorer.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Eterna.execmd.execmd.execmd.exedescription pid process target process PID 2076 wrote to memory of 2568 2076 Eterna.exe cmd.exe PID 2076 wrote to memory of 2568 2076 Eterna.exe cmd.exe PID 2568 wrote to memory of 2168 2568 cmd.exe certutil.exe PID 2568 wrote to memory of 2168 2568 cmd.exe certutil.exe PID 2568 wrote to memory of 2704 2568 cmd.exe find.exe PID 2568 wrote to memory of 2704 2568 cmd.exe find.exe PID 2568 wrote to memory of 3600 2568 cmd.exe find.exe PID 2568 wrote to memory of 3600 2568 cmd.exe find.exe PID 2076 wrote to memory of 736 2076 Eterna.exe cmd.exe PID 2076 wrote to memory of 736 2076 Eterna.exe cmd.exe PID 736 wrote to memory of 4992 736 cmd.exe taskkill.exe PID 736 wrote to memory of 4992 736 cmd.exe taskkill.exe PID 2076 wrote to memory of 1280 2076 Eterna.exe cmd.exe PID 2076 wrote to memory of 1280 2076 Eterna.exe cmd.exe PID 1280 wrote to memory of 3608 1280 cmd.exe explorer.exe PID 1280 wrote to memory of 3608 1280 cmd.exe explorer.exe PID 2076 wrote to memory of 948 2076 Eterna.exe cmd.exe PID 2076 wrote to memory of 948 2076 Eterna.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Eterna.exe"C:\Users\Admin\AppData\Local\Temp\Eterna.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Eterna.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Eterna.exe" MD53⤵PID:2168
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:2704
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:3600
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe2⤵
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Windows\explorer.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\explorer.exeC:\Windows\explorer.exe3⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet2⤵PID:3936
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:560 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop winmgmt /Y2⤵PID:4028
-
C:\Windows\system32\net.exenet stop winmgmt /Y3⤵PID:4992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop winmgmt /Y4⤵PID:2496
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\VCK.exe -prv 1 -map C:\ProgramData\KA.sys2⤵PID:1652
-
C:\ProgramData\VCK.exeC:\ProgramData\VCK.exe -prv 1 -map C:\ProgramData\KA.sys3⤵PID:4536
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\VCK.exe2⤵PID:3232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\KA.sys2⤵PID:1392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\ProgramData\drv64.dll2⤵PID:940
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4944
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4960
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:4376
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\KA.sysFilesize
20KB
MD555d14577a0a00b5a0f1d68a1f5cf36f7
SHA166f18c58849e950568fbe7875fe38958a672db65
SHA25614285c1c3cbcfaf33759cbb7798c3435bfc074a8f7addd915dcdc49b11f11bf0
SHA51228199e90f44cad0607c3b4c644421852b09faf061c4f5801ae1516272efe0944a60b088a5fba0fd1211ee1f8c8d4b81ff4790309e0ed2f20f67cb849686f57a8
-
C:\ProgramData\KA.sysFilesize
20KB
MD555d14577a0a00b5a0f1d68a1f5cf36f7
SHA166f18c58849e950568fbe7875fe38958a672db65
SHA25614285c1c3cbcfaf33759cbb7798c3435bfc074a8f7addd915dcdc49b11f11bf0
SHA51228199e90f44cad0607c3b4c644421852b09faf061c4f5801ae1516272efe0944a60b088a5fba0fd1211ee1f8c8d4b81ff4790309e0ed2f20f67cb849686f57a8
-
C:\ProgramData\VCK.exeFilesize
301KB
MD5ba13d70e03425c3a2cba08e4fb9d4a64
SHA134e76a3ae4835fd9f151017ee2ec4343f995a636
SHA256dd108f763a70e747e560de7320e7839d9502e5f9716037eeac0c0b775eb4c403
SHA512edee4e29fc514304b12aad732d82f78316dc03e924831f7687c939e8af0eee1372d8234c25f9cf79fad6fe03c06fcaf6f0a5616d61d4660d541fae5186008476
-
C:\ProgramData\VCK.exeFilesize
301KB
MD5ba13d70e03425c3a2cba08e4fb9d4a64
SHA134e76a3ae4835fd9f151017ee2ec4343f995a636
SHA256dd108f763a70e747e560de7320e7839d9502e5f9716037eeac0c0b775eb4c403
SHA512edee4e29fc514304b12aad732d82f78316dc03e924831f7687c939e8af0eee1372d8234c25f9cf79fad6fe03c06fcaf6f0a5616d61d4660d541fae5186008476
-
C:\ProgramData\drv64.dllFilesize
866KB
MD52c0bce066169333db8570c99f976bfe6
SHA17b2ae355c4aa020778c77d222801eea774d15b7c
SHA2569d794df0dbed3eefdd66bff31f373233dc1e8888793a7e479fd757e812277579
SHA51231774013cdf6305a7a9cc882a05d6dbcb3f584ca6c0926698411cf6e71a27cc1e0289f696c50c3e612bdb06d2b57d3dc968f47e0fdd872b4e168298aacec4d97
-
C:\ProgramData\drv64.dllFilesize
866KB
MD52c0bce066169333db8570c99f976bfe6
SHA17b2ae355c4aa020778c77d222801eea774d15b7c
SHA2569d794df0dbed3eefdd66bff31f373233dc1e8888793a7e479fd757e812277579
SHA51231774013cdf6305a7a9cc882a05d6dbcb3f584ca6c0926698411cf6e71a27cc1e0289f696c50c3e612bdb06d2b57d3dc968f47e0fdd872b4e168298aacec4d97
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133237968612825884.txtFilesize
75KB
MD530466909c6fd3bdb0f6d20f8bd1c4b39
SHA1f0e015ecc6e6f60ac5871f2f62a0fff521d02932
SHA25645d64a3ff61f03c84e611eeb213108e1de7877e8a802067698e518937ac08029
SHA5125f84125cc967bd7ae3fc30026472ff15c5b41122ec36f776f7c2fef7f1b07319c51d1300b657e42f0a6f116f14371ce37b89821fe837867f5d06d11e25ec2909
-
memory/2076-137-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmpFilesize
11.2MB
-
memory/2076-147-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmpFilesize
11.2MB
-
memory/2076-133-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmpFilesize
11.2MB
-
memory/2076-136-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmpFilesize
11.2MB
-
memory/2076-135-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmpFilesize
11.2MB
-
memory/2076-134-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmpFilesize
11.2MB
-
memory/3608-152-0x0000000004520000-0x0000000004521000-memory.dmpFilesize
4KB
-
memory/4960-162-0x0000014C83CD0000-0x0000014C83CF0000-memory.dmpFilesize
128KB
-
memory/4960-164-0x0000014C840E0000-0x0000014C84100000-memory.dmpFilesize
128KB
-
memory/4960-159-0x0000014C83D10000-0x0000014C83D30000-memory.dmpFilesize
128KB
-
memory/4960-289-0x0000014481340000-0x0000014482C6F000-memory.dmpFilesize
25.2MB