Analysis
-
max time kernel
25s -
max time network
211s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
09-05-2023 08:08
Behavioral task
behavioral1
Sample
aurora.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
aurora.exe
Resource
win10v2004-20230220-en
General
-
Target
aurora.exe
-
Size
5.6MB
-
MD5
2072ab80f4f0b576590d6e2f66bc12a3
-
SHA1
92b9c99e858cd242983fad131e25028c9197a10f
-
SHA256
7e284862240837599b6916df7747947d45d8fa44979ff4bcf57703971e75c14b
-
SHA512
1f2fcf07f41af804aa94cdb3bd97cb7af35d12ba10f9e795052d1d68720f96933bb3a64c9397f1142c26ba392b6f988ac569ebfcddb5b5da85d82339a80bdeec
-
SSDEEP
49152:8ugM5SSiHPRpy67X9g31TGsev6imuMmS5cNDw7wBVAAp5ESxRlMmCaCfAm5K6Q0+:DMTlK1+gcEiMeCom5Kaw
Malware Config
Extracted
aurora
94.142.138.71:456
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
runtime.exe
pid process
3068 runtime.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
aurora.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe" aurora.exe
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe" aurora.exe
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe" aurora.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe schtasks.exe schtasks.exe
pid process
1308 schtasks.exe
4976 schtasks.exe
560 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exe powershell.exe powershell.exe
pid process
736 powershell.exe
736 powershell.exe
1168 powershell.exe
1168 powershell.exe
3080 powershell.exe
3080 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 40 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\aurora.exe"C:\Users\Admin\AppData\Local\Temp\aurora.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeC:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exeC:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe1⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exeC:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe1⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads