Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27-02-2024 03:36

General

  • Target

    a81de519432b6d76d9b881cff0cf9cef.exe

  • Size

    304KB

  • MD5

    a81de519432b6d76d9b881cff0cf9cef

  • SHA1

    e35a6446307b3e55db9097cee2cdeec87e6145b6

  • SHA256

    bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce

  • SHA512

    eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730

  • SSDEEP

    6144:qR1VpFoIbQFCgMWt14yRjfT/OlaazY660vT+YZj+0Ccdak:qR1VpWIUw/k14ojfifd60rbZQcck

Score
10/10

Malware Config

Signatures

  • Detect Lumma Stealer payload V4 44 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Modifies security service 2 TTPs 22 IoCs
  • Executes dropped EXE 20 IoCs
  • Drops file in System32 directory 22 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
    "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
      "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\a.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:1004
      • C:\Windows\SysWOW64\netX.exe
        C:\Windows\system32\netX.exe 1136 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Windows\SysWOW64\netX.exe
          C:\Windows\SysWOW64\netX.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:4172
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\a.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:2344
          • C:\Windows\SysWOW64\netX.exe
            C:\Windows\system32\netX.exe 1168 "C:\Windows\SysWOW64\netX.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5052
            • C:\Windows\SysWOW64\netX.exe
              "C:\Windows\SysWOW64\netX.exe" €s¦ˆ
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2100
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\a.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:872
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:4944
              • C:\Windows\SysWOW64\netX.exe
                C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4016
                • C:\Windows\SysWOW64\netX.exe
                  "C:\Windows\SysWOW64\netX.exe" €
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3256
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3160
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • Runs .reg file with regedit
                      PID:4000
                  • C:\Windows\SysWOW64\netX.exe
                    C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of SetWindowsHookEx
                    PID:4088
                    • C:\Windows\SysWOW64\netX.exe
                      "C:\Windows\SysWOW64\netX.exe" €H‡ÿ‘
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:1948
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\a.bat
                        11⤵
                          PID:2456
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            12⤵
                            • Modifies security service
                            • Runs .reg file with regedit
                            PID:3956
                        • C:\Windows\SysWOW64\netX.exe
                          C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"
                          11⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of SetWindowsHookEx
                          PID:4244
                          • C:\Windows\SysWOW64\netX.exe
                            "C:\Windows\SysWOW64\netX.exe" €Y;Úc
                            12⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            PID:552
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c c:\a.bat
                              13⤵
                                PID:4996
                                • C:\Windows\SysWOW64\regedit.exe
                                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                  14⤵
                                  • Modifies security service
                                  • Runs .reg file with regedit
                                  PID:2324
                              • C:\Windows\SysWOW64\netX.exe
                                C:\Windows\system32\netX.exe 1144 "C:\Windows\SysWOW64\netX.exe"
                                13⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Suspicious use of SetWindowsHookEx
                                PID:4084
                                • C:\Windows\SysWOW64\netX.exe
                                  C:\Windows\SysWOW64\netX.exe
                                  14⤵
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  PID:1096
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c c:\a.bat
                                    15⤵
                                      PID:2128
                                      • C:\Windows\SysWOW64\regedit.exe
                                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                        16⤵
                                        • Modifies security service
                                        • Runs .reg file with regedit
                                        PID:756
                                    • C:\Windows\SysWOW64\netX.exe
                                      C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"
                                      15⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3720
                                      • C:\Windows\SysWOW64\netX.exe
                                        C:\Windows\SysWOW64\netX.exe
                                        16⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        PID:5060
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c c:\a.bat
                                          17⤵
                                            PID:5108
                                            • C:\Windows\SysWOW64\regedit.exe
                                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                              18⤵
                                              • Modifies security service
                                              • Runs .reg file with regedit
                                              PID:4804
                                          • C:\Windows\SysWOW64\netX.exe
                                            C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
                                            17⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4948
                                            • C:\Windows\SysWOW64\netX.exe
                                              C:\Windows\SysWOW64\netX.exe
                                              18⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              PID:4548
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c c:\a.bat
                                                19⤵
                                                  PID:2296
                                                  • C:\Windows\SysWOW64\regedit.exe
                                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                                    20⤵
                                                    • Modifies security service
                                                    • Runs .reg file with regedit
                                                    PID:3260
                                                • C:\Windows\SysWOW64\netX.exe
                                                  C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
                                                  19⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4396
                                                  • C:\Windows\SysWOW64\netX.exe
                                                    C:\Windows\SysWOW64\netX.exe
                                                    20⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    PID:1772
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c c:\a.bat
                                                      21⤵
                                                        PID:4476
                                                        • C:\Windows\SysWOW64\regedit.exe
                                                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                                          22⤵
                                                          • Modifies security service
                                                          • Runs .reg file with regedit
                                                          PID:556
                                                      • C:\Windows\SysWOW64\netX.exe
                                                        C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
                                                        21⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:3716
                                                        • C:\Windows\SysWOW64\netX.exe
                                                          C:\Windows\SysWOW64\netX.exe
                                                          22⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:3868
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c c:\a.bat
                                                            23⤵
                                                              PID:4852
                                                              • C:\Windows\SysWOW64\regedit.exe
                                                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                                                24⤵
                                                                • Modifies security service
                                                                • Runs .reg file with regedit
                                                                PID:464
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3536

Network

MITRE ATT&CK Enterprise v15

Downloads
