Analysis Overview
Threat Level: Known bad
The file https://vizija360.lt/doc.txt was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-05 07:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 07:49
Reported
2024-04-05 08:15
Platform
win11-20240221-en
Max time kernel
320s
Max time network
323s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1012 created 2928 | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe | C:\Windows\system32\sihost.exe |
| PID 1012 created 2928 | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe | C:\Windows\system32\sihost.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings | C:\Windows\system32\control.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \Registry\User\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\NotificationData | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\control.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vizija360.lt/doc.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ff83b6f3cb8,0x7ff83b6f3cc8,0x7ff83b6f3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,17888102011029067824,2691312487545442525,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5728 /prefetch:2
C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
C:\Windows\system32\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\system32\dialer.exe
"C:\Windows\system32\dialer.exe"
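The rows that carry the Rhadamanthys verdict are the ones around PowerShell_ISE.exe (PID 1012): it creates PID 2928 under a parent other than itself (the NtCreateUserProcessOtherParentProcess signature), enables SeDebugPrivilege, and the report also flags WriteProcessMemory; the process list then ends with two instances of dialer.exe started with nothing but their own path. The explorer.exe writes to BagMRU (ShellBags) and Internet Explorer\Toolbar\Locked, and the BIOS SystemManufacturer/SystemProductName reads attributed to msedge.exe, are ordinary desktop and browser activity in the sandbox and do not by themselves separate the payload from the browser that fetched it. The following is an added detection example, not code from the Triage report, that runs the two checks a practitioner would want over process-creation telemetry: creator PID versus claimed parent PID, and argument-less launches of binaries commonly used as injection hosts. The event field names, the INJECTION_HOSTS set, the parent PIDs and the sample records are assumptions; the records are constructed around the report's own PIDs and paths, and the report prints no process tree, so which process launched dialer.exe is assumed.

```python
"""Flag parent-PID spoofing and argument-less injection-host launches in
process-creation telemetry.

Added example, not code from the Triage report. Field names are assumptions
modelled on the ETW Microsoft-Windows-Kernel-Process ProcessStart event:
creator_pid is the event header's ProcessId (who called NtCreateUserProcess),
parent_pid is the ParentProcessId the new process carries, which the caller
can choose with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. Sysmon Event ID 1
exposes only the latter, so this check needs a source that records the creator.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List
import ntpath


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str        # full path of the new process
    cmdline: str      # command line as recorded
    parent_pid: int   # parent the new process reports (spoofable)
    creator_pid: int  # process that actually issued the create call


# Signed Windows binaries that are routinely started argument-less purely to
# host injected code. dialer.exe is here because the report shows two such
# launches; the set is an assumption to tune per environment.
INJECTION_HOSTS = {"dialer.exe", "dllhost.exe", "rundll32.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def ppid_spoofing(events: Iterable[ProcessStart]) -> List[ProcessStart]:
    """Creator and claimed parent disagree: the condition behind Triage's
    NtCreateUserProcessOtherParentProcess signature."""
    return [e for e in events if e.creator_pid != e.parent_pid]


def silent_host_launches(events: Iterable[ProcessStart]) -> List[ProcessStart]:
    """A known injection host started with nothing but its own path."""
    hits = []
    for e in events:
        if image_name(e.image) not in INJECTION_HOSTS:
            continue
        # A bare launch is the image path, optionally quoted, and nothing else.
        if e.cmdline.strip().strip('"').lower() == e.image.lower():
            hits.append(e)
    return hits


def triage(events: Iterable[ProcessStart]) -> Dict[str, List[int]]:
    """Return the PIDs each rule fires on, keyed by rule name."""
    events = list(events)
    return {
        "ppid_spoofing": [e.pid for e in ppid_spoofing(events)],
        "silent_host_launch": [e.pid for e in silent_host_launches(events)],
    }


# Constructed records mirroring the report. PIDs 1012, 2928, 3440 and 3956 come
# from the report; the parent PIDs and the dialer.exe parent are assumptions.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    # Edge opening the URL: creator and parent agree, must not fire.
    ProcessStart(2848, EDGE, f'"{EDGE}" --single-argument https://vizija360.lt/doc.txt',
                 parent_pid=4464, creator_pid=4464),
    # PowerShell_ISE.exe (PID 1012) creating PID 2928 under a parent other than
    # itself; the claimed parent 904 is an assumption.
    ProcessStart(2928, r"C:\Windows\system32\sihost.exe", "sihost.exe",
                 parent_pid=904, creator_pid=1012),
    # Two argument-less dialer.exe launches as in the report's process list.
    ProcessStart(3440, r"C:\Windows\system32\dialer.exe",
                 r'"C:\Windows\system32\dialer.exe"', parent_pid=1012, creator_pid=1012),
    ProcessStart(3956, r"C:\Windows\system32\dialer.exe",
                 r'"C:\Windows\system32\dialer.exe"', parent_pid=1012, creator_pid=1012),
    # control.exe with arguments: not an injection host, must not fire.
    ProcessStart(5120, r"C:\Windows\system32\control.exe",
                 r'"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools',
                 parent_pid=4464, creator_pid=4464),
]

if __name__ == "__main__":
    for rule, pids in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

The first rule is the one worth investing in: a process whose creator is not its parent has gone out of its way to look like a child of something else (here sihost.exe), and that is not something legitimate software does casually. The second rule is a cheap prior, not proof; pair it with the memory-region evidence the report lists for PIDs 3440 and 3956, which share the same module ranges as PID 1012.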
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vizija360.lt | udp |
| LT | 193.46.84.144:443 | vizija360.lt | tcp |
| LT | 193.46.84.144:443 | vizija360.lt | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.84.46.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 184.25.204.18:443 | N/A | tcp |
| GB | 184.25.204.18:443 | N/A | tcp |
| GB | 2.23.92.203:443 | r.bing.com | tcp |
| GB | 2.23.92.203:443 | r.bing.com | tcp |
| GB | 2.23.92.203:443 | r.bing.com | tcp |
| GB | 2.23.92.203:443 | r.bing.com | tcp |
| GB | 2.23.92.203:443 | r.bing.com | tcp |
| GB | 2.23.92.203:443 | r.bing.com | tcp |
| US | 20.189.173.5:443 | browser.pipe.aria.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 19a8bcb40a17253313345edd2a0da1e7 |
| SHA1 | 86fac74b5bbc59e910248caebd1176a48a46d72e |
| SHA256 | b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e |
| SHA512 | 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0 |
\??\pipe\LOCAL\crashpad_2848_DNREJFZRLLJGNNEZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 96899614360333c9904499393c6e3d75 |
| SHA1 | bbfa17cf8df01c266323965735f00f0e9e04cd34 |
| SHA256 | 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c |
| SHA512 | 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f010dd370e7cc83b8ee4f75ae322b47c |
| SHA1 | 76aef080eccf1191c58fcdbee7c61d3ec3bbb830 |
| SHA256 | d133ee4a4a0a17b0122a41a30deed542f72ecfe39a84d801f2786ae0db52f1a6 |
| SHA512 | 8f84f5f80c8767ccd5121c11ed5f686b2a7068bed20bad4e4c8ce70b44312c60fff779d71b833f74807c817bd3c05ea1c18de9711d070c1fac3bb10f82125afc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 378ce81c9fdac639031acb6ea58070ce |
| SHA1 | 3abd3fe629581dec0b3b4de2b33637c9b01a1121 |
| SHA256 | 8d54f3d39393bb4472a86080bd323e24aea8e2103aa6ee5ee1aacbc62893e1f4 |
| SHA512 | 117a44fea88b98c03f7db6a613d6179ef68e2ed5e7a6a67709b14550285af5e3785601198c7a631048e198eea98e141a0aa8e477a7e301ebe31b380eac9a5a36 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b012fd06233b34b5c1e7b93163a6c3a0 |
| SHA1 | f01a8f15d9fb4f78ebce573be3680667b8aa2f1f |
| SHA256 | e562007d7fd74c349c1b608f02949a9174ab77e2343a7c17bb7a6619babf9f15 |
| SHA512 | 5c87efb71a5cdde1390fcd35b5d1a89d532c2782c0891b633c0702ee1f4f9d6b7da684f97fe65386e14b2db1974a9b8fd09e8434fdbf33206e7633d7cc6d4515 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4a5ecda1b3118c6542b8dd7e13dfdca8 |
| SHA1 | 976e6b7ea79051b809f4b67149d6a91f912bd824 |
| SHA256 | f4aad79a804c9d0db003f9dc7bab4f2c25553093aca259655afde00ad1dd8267 |
| SHA512 | ffc39302157a1a4a85dbec1d12af1debd5a59a5962e6b8b5719dce2a2b77c52846bec99ad8ab27ff6b746a966dc51d969f3bd1ecbc5625342b7163600e866c98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 2888fa13172715d9525509eab78c148a |
| SHA1 | 9edbc25717ecd1879b45454b9ad022923d7b8b1c |
| SHA256 | cdb002762508846fff9b27543982c15877091a404a6c78386052c6ac6010a5a0 |
| SHA512 | 64e6e9219aef34ddaf134dc66f25780751d621d5ed7347a39d7ba22bc817960a4f2c88b74ccff3f16361fae95c87e611a0f197b0759d3dc6a4cf53bf2aad153e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 860b160272730a8b8d5bea2be4c49098 |
| SHA1 | 82f5d9689314a25bcfe140aaa62db56b403dd085 |
| SHA256 | 3a5ea6c98b2fcf64522126b1375b0ecbaf1ce7d94fc983fb1abeb25f285c1ed1 |
| SHA512 | 964251d42ad534c66c12b7825e1fea5a5a8071b049ff8a21bb90fb2e85cc8a487589c0494913424c9e3168b5c96782a4fe59a7e2418e94642a31557c8e98c10e |
memory/1012-168-0x000001F738EC0000-0x000001F738EF8000-memory.dmp
memory/1012-169-0x00007FF8269F0000-0x00007FF8274B2000-memory.dmp
memory/1012-170-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-171-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-172-0x000001F754810000-0x000001F75485A000-memory.dmp
memory/1012-173-0x000001F73AC50000-0x000001F73AC5E000-memory.dmp
memory/1012-174-0x000001F754860000-0x000001F754898000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 49d04ddc0be8b04759f8ac530a76e399 |
| SHA1 | 3d12d66574f098dcbd6d46ffb65e4758c0cd6518 |
| SHA256 | 2523a00e3fc97546b6c2294a509084de20ad138d102b2b901fff8a9d906122cb |
| SHA512 | 6d7d406567d338077a309c742627071cb70e66eb4ea9aaf61a3a62780f8243dabc9d934e24b430efb66925e6aae657158f88068c0b395a2019222d2dabfb5c03 |
memory/1012-197-0x000001F7535D0000-0x000001F7535D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4wxqelc.d2o.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1012-206-0x000001F754B70000-0x000001F754B92000-memory.dmp
memory/1012-207-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-208-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-209-0x000001F754AB0000-0x000001F754AB8000-memory.dmp
memory/1012-210-0x000001F754AC0000-0x000001F754AC8000-memory.dmp
memory/1012-211-0x000001F754690000-0x000001F754698000-memory.dmp
memory/1012-212-0x000001F754F00000-0x000001F754F26000-memory.dmp
memory/1012-213-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-214-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-215-0x00007FF8269F0000-0x00007FF8274B2000-memory.dmp
memory/1012-217-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-218-0x000001F754DE0000-0x000001F754E3E000-memory.dmp
memory/1012-219-0x000001F754C60000-0x000001F754C70000-memory.dmp
memory/1012-222-0x000001F754C60000-0x000001F754C70000-memory.dmp
memory/1012-221-0x000001F759FE0000-0x000001F75A3E0000-memory.dmp
memory/1012-220-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-223-0x000001F759FE0000-0x000001F75A3E0000-memory.dmp
memory/1012-224-0x000001F759FE0000-0x000001F75A3E0000-memory.dmp
memory/1012-226-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-225-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/1012-228-0x000001F759FE0000-0x000001F75A3E0000-memory.dmp
memory/1012-230-0x00007FF847B80000-0x00007FF847EF4000-memory.dmp
memory/1012-229-0x000001F739330000-0x000001F739340000-memory.dmp
memory/1012-227-0x00007FF84A170000-0x00007FF84A22D000-memory.dmp
memory/3440-231-0x00000217E1670000-0x00000217E1679000-memory.dmp
memory/3440-233-0x00000217E31C0000-0x00000217E35C0000-memory.dmp
memory/3440-234-0x00000217E31C0000-0x00000217E35C0000-memory.dmp
memory/3440-236-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/1012-238-0x000001F739330000-0x000001F739340000-memory.dmp
memory/3440-239-0x00007FF847B80000-0x00007FF847EF4000-memory.dmp
memory/3440-237-0x00007FF84A170000-0x00007FF84A22D000-memory.dmp
memory/1012-235-0x000001F739330000-0x000001F739340000-memory.dmp
memory/3440-240-0x00000217E31C0000-0x00000217E35C0000-memory.dmp
memory/3440-241-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/3440-242-0x00000217E31C0000-0x00000217E35C0000-memory.dmp
memory/3440-243-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/1012-244-0x000001F759FE0000-0x000001F75A3E0000-memory.dmp
memory/1012-245-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/1012-246-0x00007FF847B80000-0x00007FF847EF4000-memory.dmp
memory/1012-247-0x000001F757470000-0x000001F7574E6000-memory.dmp
memory/1012-248-0x000001F754CB0000-0x000001F754CCE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 8839ce6a2d56a2d541f92d98e1782825 |
| SHA1 | cb4327a86dd32e777627c4710ef57df5daabec71 |
| SHA256 | 22c4f1ca24459343c8bc589babb9172e2c4df27e70337ee499c46d492dbecf19 |
| SHA512 | fe5a6dcbc1476d2992d64d53c0e0cd70731b6aa1d75f18282012f243b81bc16da9922de49de40e2b7296dcc09c80cde795f6144af0f50f49bd659ecfdaf22631 |
memory/1012-254-0x000001F754CF0000-0x000001F754D00000-memory.dmp
memory/1012-257-0x000001F75A3E0000-0x000001F75A7E0000-memory.dmp
memory/1012-256-0x000001F75A3E0000-0x000001F75A7E0000-memory.dmp
memory/1012-259-0x000001F75A3E0000-0x000001F75A7E0000-memory.dmp
memory/1012-260-0x00007FF84A170000-0x00007FF84A22D000-memory.dmp
memory/1012-258-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/1012-261-0x00007FF847B80000-0x00007FF847EF4000-memory.dmp
memory/3956-264-0x0000021FB0DA0000-0x0000021FB11A0000-memory.dmp
memory/3956-265-0x0000021FB0DA0000-0x0000021FB11A0000-memory.dmp
memory/3956-267-0x00007FF84A170000-0x00007FF84A22D000-memory.dmp
memory/3956-266-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/3956-269-0x0000021FB0DA0000-0x0000021FB11A0000-memory.dmp
memory/3956-270-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/3956-268-0x00007FF847B80000-0x00007FF847EF4000-memory.dmp
memory/3956-271-0x0000021FB0DA0000-0x0000021FB11A0000-memory.dmp
memory/3956-272-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/1012-273-0x000001F754CF0000-0x000001F754D00000-memory.dmp
memory/1012-274-0x000001F75A3E0000-0x000001F75A7E0000-memory.dmp
memory/1012-275-0x00007FF84A360000-0x00007FF84A569000-memory.dmp
memory/1012-277-0x000001F754E50000-0x000001F754E62000-memory.dmp
memory/1012-278-0x000001F757530000-0x000001F75756C000-memory.dmp