Analysis
-
max time kernel
87s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
21-04-2024 01:07
General
-
Target
6bbc0f14c2cb10dbfac7bff110a76cb7944486e41213c3e075dc9ce07d70e27a.exe
-
Size
1.8MB
-
MD5
3cde9e4f13fc330d9b4e5db0ba2fb64c
-
SHA1
d634ad4a12749509545a198039a32310e794b08a
-
SHA256
6bbc0f14c2cb10dbfac7bff110a76cb7944486e41213c3e075dc9ce07d70e27a
-
SHA512
bec255e2eb403ed4f081aa22fa80d8127b3db988f172cc5468066d7665395b702548750104749cc489d17ead11f7feee4474a03dc20d374d032f48a4ee1f5327
-
SSDEEP
24576:UIH5RkBm0kBwELvih6KhIiz+J13+hYERICdZhfP8VxAomzQVaiYY629l/o4Od:NHAkul4Khn+JZ+hYEXzhcrA9Yn/
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
redline
LiveTraffic
4.184.225.183:30592
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
xehook
https://unotree.ru/
https://aiwhcpoaw.ru/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Xehook Payload 1 IoCs
-
Detect ZGRat V1 2 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 9 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Xehook stealer
Xehook is an infostealer written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 3 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bbc0f14c2cb10dbfac7bff110a76cb7944486e41213c3e075dc9ce07d70e27a.exe"C:\Users\Admin\AppData\Local\Temp\6bbc0f14c2cb10dbfac7bff110a76cb7944486e41213c3e075dc9ce07d70e27a.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 8963⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\718508534211_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\up8.0.exe"C:\Users\Admin\AppData\Local\Temp\up8.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 13685⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 3884⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe"3⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"4⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe"C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe" -Force4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
-
C:\Users\Admin\Pictures\M16Oe1rMVhgwFefAz3Hp20Gm.exe"C:\Users\Admin\Pictures\M16Oe1rMVhgwFefAz3Hp20Gm.exe"5⤵
-
C:\Users\Admin\Pictures\b6L31zoFTHlKMCZYo8IUuIXT.exe"C:\Users\Admin\Pictures\b6L31zoFTHlKMCZYo8IUuIXT.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\b6L31zoFTHlKMCZYo8IUuIXT.exe"C:\Users\Admin\Pictures\b6L31zoFTHlKMCZYo8IUuIXT.exe"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
-
C:\Users\Admin\Pictures\eMoyJstOzij5Aj0qH2qga5fF.exe"C:\Users\Admin\Pictures\eMoyJstOzij5Aj0qH2qga5fF.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\eMoyJstOzij5Aj0qH2qga5fF.exe"C:\Users\Admin\Pictures\eMoyJstOzij5Aj0qH2qga5fF.exe"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\LLWWgkPrs0rInpg9Pdzgm7kP.exe"C:\Users\Admin\Pictures\LLWWgkPrs0rInpg9Pdzgm7kP.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u3cc.0.exe"C:\Users\Admin\AppData\Local\Temp\u3cc.0.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 13806⤵
- Program crash
-
C:\Users\Admin\Pictures\SmG1u9sWJQqpMjXmOR4NVlya.exe"C:\Users\Admin\Pictures\SmG1u9sWJQqpMjXmOR4NVlya.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\SmG1u9sWJQqpMjXmOR4NVlya.exe"C:\Users\Admin\Pictures\SmG1u9sWJQqpMjXmOR4NVlya.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\xfYaMFzhPJjwuhmNLTrslwFq.exe"C:\Users\Admin\Pictures\xfYaMFzhPJjwuhmNLTrslwFq.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\xfYaMFzhPJjwuhmNLTrslwFq.exe"C:\Users\Admin\Pictures\xfYaMFzhPJjwuhmNLTrslwFq.exe"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Users\Admin\Pictures\vro4SNWqw23P9E6JhcZ2fxo4.exe"C:\Users\Admin\Pictures\vro4SNWqw23P9E6JhcZ2fxo4.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\27R3BNXGI2.exe'"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2396 -ip 23961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2732 -ip 27321⤵
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 868 -ip 8681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2100 -ip 21001⤵
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ae626d9a72417b14570daa8fcd5d34a4
SHA1c103ebaf4d760df722d620df87e6f07c0486439f
SHA25652cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f04121553e997b1754068db1e2183242
SHA12f4169219697c946d6d2e95049b261a263d1dbb4
SHA256c2f115f454e2a16cb57d373216d6d98d79656b8d3f7f210bf507d2b295ebf07f
SHA512ba8401dccc0fd5f0a476a2e2c5aa1b77f76bca3e4bf241172eeb9fb29988cbff862ec053a6a0768edeaea6e9a65cfe8e7053381d131d9ac7445354ffda961fb0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52289e9ef6783edfee4e74ab1ee911992
SHA1bf9bfaecc9366a8707c619d1fee4d69f9bcfdbd5
SHA2565ab8145cd56fbfb119866f3ba11f98a1c21ef26f23cd86560106d5c8fb92bc61
SHA512aa422debe952a22e49a778f3dc8cbfc7d5168d9fe2645a3b80c44ad52ee0ef0001e82d6b1f566692e95b0a186c1f96bdad095f9c3328abc89540251fe1d3a2e2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51ca0032e53df57864eca5c293d705d0d
SHA1faf09dad6654035c51e5f0e373cb280cf97fde34
SHA256661aeb3b5959e598699b8d83e3f8b962ad2783c4d1ed7cd9ed8355b26e013b17
SHA512a5e92e427a6ffc7d177819d63e86adc50c34b20abb5304335933de388b46c2ffad7d993d6a478edbcdd203cca2b98d96db6f50ab917b6e21825327e164e7b437
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d4d41ee0d86acdaa9b79235171f0d745
SHA1f44df3201cc5579251b81794254dc2024a278320
SHA256d6135e2b921c225bd86f4b09dde4095902bf12c5cf4e9e59656d01d9ac9d8055
SHA512eecfb146f6a82af61d5ff4a3ebebd37591ab8d6a8b97b1861a7444f1c3baa1e9e3ee040e46ccaeaa7383970f7bb4d2f5fec62a1d1f1aa1f39d3d33028bd5193e
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exeFilesize
488KB
MD582053649cadec1a338509e46ba776fbd
SHA16d8e479a6dc76d54109bb2e602b8087d55537510
SHA25630468f8b767772214c60a701ecfee11c634516c3e2de146cd07638ea00dd0b6e
SHA512e4b2b219483477a73fec5a207012f77c7167bf7b7f9adcb80ee92f87ddfe592a0d520f2afee531d1cce926ef56da2b065b13630a1cc171f48db8f7987e10897a
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exeFilesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exeFilesize
404KB
MD515ce9e885610d5b85500ea0d139f6d21
SHA199f1392185a70453f33e15d6f5b75064217c2c18
SHA25695442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e
SHA5129ee8e3fb682cf7abb5804106f841551f2f0fd8ace9842e67f3bda573772d39a6482d19e853de5a9a48d177350a3398cb814105ced01fdfb1be6db7e8bc9055b9
-
C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exeFilesize
273KB
MD5e795115169cc800de0392d6a675d58fd
SHA18dd75837e360ba1cb8acf5a3d348dd020a5da482
SHA25617f929c1d40a7fd6f897c0b15ca9c44b2059cbccb3037c31619d87954659478e
SHA5125fb6543e91de175bd365462a1cc87d6772e43b0effd3757b3e408b08a4de5a004de9a85e7f1d09578fa3bc6b6486c5f5016c1b879496582dbb39b2e62e168f38
-
C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exeFilesize
444KB
MD565dd9ca4903a1405476e4af157b59e66
SHA1f583d80be1855e9a4a3d6fac43459760a00c4e6b
SHA256fb6d72ed39abcbd3370acf30e7133a4a1e41e0d7ac2c5069b4efca126021e21c
SHA51219675b850cfe447029f574ef330a380d2044d3815500b5646c26b91a31c2467979c612bfbf0096361d04eca9e37046eb390de76778461dfccdfdc657880b80c8
-
C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exeFilesize
300KB
MD53bdbe965922732ae0d662c74b444bdf1
SHA1300abe798f642648d0bfeac99ae92d7edf941cb7
SHA25623b86d03dce9c537233aba35061118e238ce3f444e6ce0057bc4be310e97fb53
SHA512cfebb561e5f0b15f2ecfbfbe338391648d5ae2c6a2b50add27a6ba45ca504182ad93ea6e378c70087d1d7acd48fc10779fd8534a4b03d9e09218cb7068b4a101
-
C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exeFilesize
4.2MB
MD5ed8593e5f283b8088fbdc61de4dc48d2
SHA156be3c8af7b97b0e3ed033a53a8fc056528321d5
SHA256769a2271e023a176150f121941025e07722a8ac7a45efbadd1f8018b528083d3
SHA5129505a39dabf78ae5461cdff430147bc995c5cd6523dd87688338c7344903817c180adfdcff971ffd22b3d854adfa711c73812bbde59d302a064152ec8aab7023
-
C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exeFilesize
556KB
MD5e1d8325b086f91769120381b78626e2e
SHA10eb6827878445d3e3e584b7f08067a7a4dc9e618
SHA256b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934
SHA512c8c0b424c2ed7ee598997bdc0b0d2099b650a280903716891b0eaa340acf556c0642d921fcb7f654387a4a1f1ec4a32feaf8d872b51ca482a977f11e2974072c
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeFilesize
1.8MB
MD53cde9e4f13fc330d9b4e5db0ba2fb64c
SHA1d634ad4a12749509545a198039a32310e794b08a
SHA2566bbc0f14c2cb10dbfac7bff110a76cb7944486e41213c3e075dc9ce07d70e27a
SHA512bec255e2eb403ed4f081aa22fa80d8127b3db988f172cc5468066d7665395b702548750104749cc489d17ead11f7feee4474a03dc20d374d032f48a4ee1f5327
-
C:\Users\Admin\AppData\Local\Temp\Tmp2769.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzuv5hil.2sz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\up8.0.exeFilesize
301KB
MD55d835a5d56e1b106a3928a3f96f28c0a
SHA176637a8a47e97b2eca53f849e0e95fc1a5683fa5
SHA256a676e2601f65bd27a7d0c7cc2cf9452ef9880a544c01d75692c2c211699b58fd
SHA512c5b2a3ce8afd27f6a95b29874643eb4dfd7da56550b2451fe16705865c10af6ddc3bb7c94aec5840ed4b1a5d8df630719128dbf1169b2e5c7e0e2e7998a9c6d5
-
C:\Users\Admin\AppData\Roaming\27R3BNXGI2.exeFilesize
70KB
MD5906da5a77325f9501bcb0b9485651148
SHA183839391e39268fa19435cdb653b70f6b2ae28ee
SHA25620a37e57796ab9b4b33dc2a5c14a2f303cf1b2eff45bc25d544f62db51d994a3
SHA512b051d82ebd9baa4daa3f3863ac1b7396435782a0eb2555bc601a3185629d90d49146d0c77d5b242d6224d7f7bda351d9af6d30b325f353b0db8e29cfdcb8e62a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718508534-2116753757-2794822388-1000\76b53b3ec448f7ccdda2063b15d2bfc3_67d0031d-6e32-4a16-a828-c69a0898a61cFilesize
2KB
MD5c670ee3e97545baa7ee0613fd228be5c
SHA1d48c8f384e4366d2673f3f9d83b9834780006840
SHA25658fc36b56ae797627ac0148a252d794626bcfde8e6c5ffb51108e4c1c8d5c91a
SHA512bcf49fdc8b7a1642da2e2f5e6c5b26202cbea79d00e3752466524a4a340e6107d402584e848b1bfd80e597bd55cc94e4d7e560dd0b8e0fd6ab7116225c71d629
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD59a95b5c0745795d185b253a1a2a0afea
SHA11bd051b225789e177123ba39c3c0df77796bc54b
SHA2566acbf4695ecdfeb85204aa177784fff7d029ccbe189c39d9bd99f33869d224e1
SHA512bb0675cb78e4820debcba9a6f72f779ddb729b17e795e56a5a590ea45fbc4bd5d954ef8266b1697ec43a6bd72586c4b63d019f92b18724bd7928a8976fecf3cd
-
C:\Users\Admin\Pictures\LLWWgkPrs0rInpg9Pdzgm7kP.exeFilesize
444KB
MD5e1de6a02960c3a776fe4cdbe821efe9b
SHA117da2036ac1d394138c7ad09735b7657968a4ef0
SHA256d5ca5f35b6d80412d3cdad4115a23a464f524bf72d6b811ace5e658075c87232
SHA5126f6b7d63f41afb8d471b9305116f9b1648454a7ee6d1401997102c4638d6a6037f3eb578f5b5ca11b9f6e87f9a236be55d1f617df5f67b39e3618d48a014e59a
-
C:\Users\Admin\Pictures\SmG1u9sWJQqpMjXmOR4NVlya.exeFilesize
4.2MB
MD512c1251ddacc8c6651573aaae2a36711
SHA1aa4a4fc95f24a847f33a0fcc22d318fe947929d0
SHA256a018166a731757f43374b0b24baecfbf31b85cf9de793b9d11b186acf887bf22
SHA512e8e9723b210254504ae06f77ed86ff5c7da0ac1ba5134cb2ab99cd42b06744cdf2379835d5e8cbd413da69b1184a0d6297d29dc8393794d8959c5a2dc94f0a69
-
C:\Users\Admin\Pictures\vro4SNWqw23P9E6JhcZ2fxo4.exeFilesize
5.5MB
MD59f8b8a866575e821310f6203c5bdc044
SHA1f39bbd5eb2f736acdf565d6b56e560a60334dd0e
SHA256277677de19193a2297c88689312d1a294edf4f81b3ff4ba8202e2cbb9c6fbeea
SHA512b8222b6c8ec092ccc352676d4bf8c90a4ecb558a8346ab2628a41071d0747e87cc0c805c5c4efaf922a5e7ff18ad78bfa59a9180670df881085f6fab3b67f209
-
C:\Users\Admin\Pictures\xTzuLqGikNWIw6dfFSm8YCO5.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD54ff8ea78c14a4f7fa6e8cf0c139bc55b
SHA1e3fa852b5c38482a5e6e1c9234a09be6d8790ab9
SHA25697b89b75fdeeb096dbf36d13b18b959e50a4246691aea349213c22ae7b19cc00
SHA51213785608d437cb3be729986de88a35df6a7ab1ed35e6fb730448a9462e02caacbad30ad5cf328ddf598e554f758f44425bbf0dc99efd3c056fae5d930569771d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD571f5e392115005b2f81e7f0946d39778
SHA1e8856e83d85f67421c19671ed5ab2ae3710acf2f
SHA2563b30eb73062807b2b10adc5dfb55e0466af6e22054475de40b97077501c14def
SHA512b9a7902c543f9b7b443865a2b0a78025ba7b177b2832863655cbd0dd69925fd58245172bba786f37b8740682f15ee569c2f4f45a7bba035e41ee1d9cddbd2efd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d591c3de30cd21cb9c77f9fec9b3b37b
SHA1492edf8d0749bd6e26d78846b476e5abb4659f29
SHA256f97cf62985bffb54b19670dfe1a82d2544011f74f373bd42a37de51c44abb3a4
SHA512ec6927f8e640f4220386b98ae084aa69e262f1535c8773f1d3dc23e3a4eb0fb8625d6a9ab6d178804bc2fa81a9c54901294e529a6ed59d631d2e83130732e2ec
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b353e020cf241d1f193d12f03841c9f0
SHA1bc9443751bf2f4b091c96449d1fe5f696868053b
SHA25636aeca4bd21ac2a7b069565f518924e79408992a3a0f529bbe00207b6d0abafb
SHA5124067f9031c04ebebfd37fa3905606640d99e59f68b613757ae90a6bd9b74deb09c1f488a87e122ebb8bb665335fbcf25711ebff9ebdcf4604d15aa194ad1fe17
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
memory/128-981-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/128-896-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/436-154-0x000000001D540000-0x000000001D57C000-memory.dmpFilesize
240KB
-
memory/436-152-0x000000001D610000-0x000000001D71A000-memory.dmpFilesize
1.0MB
-
memory/436-143-0x000000001AF60000-0x000000001AF70000-memory.dmpFilesize
64KB
-
memory/436-140-0x00007FF84B1D0000-0x00007FF84BC92000-memory.dmpFilesize
10.8MB
-
memory/436-153-0x000000001B070000-0x000000001B082000-memory.dmpFilesize
72KB
-
memory/436-126-0x0000000000050000-0x00000000000DC000-memory.dmpFilesize
560KB
-
memory/764-60-0x0000000000BD0000-0x0000000000C10000-memory.dmpFilesize
256KB
-
memory/764-58-0x0000000000BD0000-0x0000000000C10000-memory.dmpFilesize
256KB
-
memory/764-61-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/764-59-0x0000000000BD0000-0x0000000000C10000-memory.dmpFilesize
256KB
-
memory/764-57-0x0000000000BD0000-0x0000000000C10000-memory.dmpFilesize
256KB
-
memory/764-55-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/764-52-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/892-971-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1084-970-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/1212-168-0x00007FF84B1D0000-0x00007FF84BC92000-memory.dmpFilesize
10.8MB
-
memory/1212-170-0x000002AF0F760000-0x000002AF0F770000-memory.dmpFilesize
64KB
-
memory/1212-169-0x000002AF0F760000-0x000002AF0F770000-memory.dmpFilesize
64KB
-
memory/1212-171-0x000002AF27A60000-0x000002AF27A82000-memory.dmpFilesize
136KB
-
memory/1212-180-0x000002AF0F760000-0x000002AF0F770000-memory.dmpFilesize
64KB
-
memory/1608-750-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/2376-765-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/2376-752-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/2396-56-0x00000000029B0000-0x00000000049B0000-memory.dmpFilesize
32.0MB
-
memory/2396-62-0x0000000072B50000-0x0000000073301000-memory.dmpFilesize
7.7MB
-
memory/2396-49-0x0000000072B50000-0x0000000073301000-memory.dmpFilesize
7.7MB
-
memory/2396-48-0x00000000004F0000-0x0000000000542000-memory.dmpFilesize
328KB
-
memory/2792-607-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/2792-336-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/2792-340-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/2864-86-0x0000000000BE0000-0x0000000000D9C000-memory.dmpFilesize
1.7MB
-
memory/2864-95-0x0000000072B50000-0x0000000073301000-memory.dmpFilesize
7.7MB
-
memory/2864-94-0x00000000031F0000-0x00000000051F0000-memory.dmpFilesize
32.0MB
-
memory/2864-88-0x00000000056D0000-0x00000000056E0000-memory.dmpFilesize
64KB
-
memory/2864-87-0x0000000072B50000-0x0000000073301000-memory.dmpFilesize
7.7MB
-
memory/3004-211-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/3316-552-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/3412-20-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-332-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-861-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-167-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-19-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-749-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-25-0x0000000005420000-0x0000000005421000-memory.dmpFilesize
4KB
-
memory/3412-21-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/3412-557-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-63-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-958-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-64-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-22-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/3412-66-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-65-0x00000000009B0000-0x0000000000E63000-memory.dmpFilesize
4.7MB
-
memory/3412-23-0x0000000005470000-0x0000000005471000-memory.dmpFilesize
4KB
-
memory/3412-24-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/3412-28-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB
-
memory/3412-27-0x0000000005490000-0x0000000005491000-memory.dmpFilesize
4KB
-
memory/3412-26-0x0000000005450000-0x0000000005451000-memory.dmpFilesize
4KB
-
memory/3584-16-0x0000000000BF0000-0x00000000010A3000-memory.dmpFilesize
4.7MB
-
memory/3584-0-0x0000000000BF0000-0x00000000010A3000-memory.dmpFilesize
4.7MB
-
memory/3584-1-0x0000000077196000-0x0000000077198000-memory.dmpFilesize
8KB
-
memory/3584-2-0x0000000000BF0000-0x00000000010A3000-memory.dmpFilesize
4.7MB
-
memory/3584-3-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/3584-4-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/3584-6-0x0000000005420000-0x0000000005421000-memory.dmpFilesize
4KB
-
memory/3584-5-0x00000000053D0000-0x00000000053D1000-memory.dmpFilesize
4KB
-
memory/3584-7-0x00000000053B0000-0x00000000053B1000-memory.dmpFilesize
4KB
-
memory/3584-8-0x00000000053C0000-0x00000000053C1000-memory.dmpFilesize
4KB
-
memory/3584-9-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/3584-10-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/3584-11-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/3872-150-0x0000000006520000-0x000000000655C000-memory.dmpFilesize
240KB
-
memory/3872-148-0x0000000006580000-0x000000000668A000-memory.dmpFilesize
1.0MB
-
memory/3872-122-0x0000000004E80000-0x0000000004F12000-memory.dmpFilesize
584KB
-
memory/3872-120-0x00000000004B0000-0x0000000000502000-memory.dmpFilesize
328KB
-
memory/3872-125-0x0000000005030000-0x000000000503A000-memory.dmpFilesize
40KB
-
memory/3872-121-0x0000000005330000-0x00000000058D6000-memory.dmpFilesize
5.6MB
-
memory/3872-151-0x0000000006690000-0x00000000066DC000-memory.dmpFilesize
304KB
-
memory/3872-149-0x00000000064C0000-0x00000000064D2000-memory.dmpFilesize
72KB
-
memory/3872-147-0x0000000006A30000-0x0000000007048000-memory.dmpFilesize
6.1MB
-
memory/3872-142-0x00000000059E0000-0x0000000005A56000-memory.dmpFilesize
472KB
-
memory/3872-144-0x00000000062B0000-0x00000000062CE000-memory.dmpFilesize
120KB
-
memory/3872-119-0x0000000072B50000-0x0000000073301000-memory.dmpFilesize
7.7MB
-
memory/3872-123-0x0000000004E20000-0x0000000004E30000-memory.dmpFilesize
64KB
-
memory/4332-720-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/4776-98-0x0000000005680000-0x0000000005690000-memory.dmpFilesize
64KB
-
memory/4776-99-0x0000000072B50000-0x0000000073301000-memory.dmpFilesize
7.7MB
-
memory/4776-91-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/4904-418-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/5068-748-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/5068-731-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB