Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 17:34
Behavioral task: behavioral1
- Sample: vamicheatloader.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: vamicheatloader.exe
- Resource: win10v2004-20240508-en
General
- Target: vamicheatloader.exe
- Size: 77KB
- MD5: b074da06d9857ac5261d62b2446774a4
- SHA1: 7137511fab7f416097aafba40cb0b6becf6c9d6e
- SHA256: d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58
- SHA512: 04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367
- SSDEEP: 1536:+dWwWpRvrlUSvelsuFXvnd4hbAbYUU0XXS06YTUgOrEKvN:I2TSSmnZvGAbD5iST/Or9N
Malware Config
Extracted: xworm
- rooms-belkin.gl.at.ply.gg:48066
- Install_directory: %AppData%
- install_file: svchost.exe
Signatures
-
Detect Xworm Payload 4 IoCs
Processes:
resource: yara_rule
- behavioral1/memory/2188-1-0x0000000001120000-0x000000000113A000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\svchost.exe: family_xworm
- behavioral1/memory/2576-36-0x0000000001320000-0x000000000133A000-memory.dmp: family_xworm
- behavioral1/memory/2324-39-0x0000000000130000-0x000000000014A000-memory.dmp: family_xworm
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid: process
- 2680: powershell.exe
- 2720: powershell.exe
- 2696: powershell.exe
- 2532: powershell.exe
-
Drops startup file 2 IoCs
Processes:
description: ioc (process)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (vamicheatloader.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (vamicheatloader.exe)
-
Executes dropped EXE 2 IoCs
Processes:
pid: process
- 2576: svchost.exe
- 2324: svchost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: ioc (process)
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (vamicheatloader.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow: ioc
- 2: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
pid: process
- 2680: powershell.exe
- 2720: powershell.exe
- 2696: powershell.exe
- 2532: powershell.exe
- 2188: vamicheatloader.exe (29 entries)
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description: pid process
- Token: SeDebugPrivilege 2188 vamicheatloader.exe
- Token: SeDebugPrivilege 2680 powershell.exe
- Token: SeDebugPrivilege 2720 powershell.exe
- Token: SeDebugPrivilege 2696 powershell.exe
- Token: SeDebugPrivilege 2532 powershell.exe
- Token: SeDebugPrivilege 2188 vamicheatloader.exe
- Token: SeDebugPrivilege 2576 svchost.exe
- Token: SeDebugPrivilege 2324 svchost.exe
- Token: 33 2576 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege 2576 AUDIODG.EXE
- Token: 33 2576 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege 2576 AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid: process
- 2436: iexplore.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid: process
- 2188: vamicheatloader.exe
- 2436: iexplore.exe
- 2436: iexplore.exe
- 2816: IEXPLORE.EXE
- 2816: IEXPLORE.EXE
- 2692: AcroRd32.exe
- 2692: AcroRd32.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description: pid process, target process
- PID 2188 (vamicheatloader.exe) wrote to memory of 2680 (powershell.exe), 3 entries
- PID 2188 (vamicheatloader.exe) wrote to memory of 2720 (powershell.exe), 3 entries
- PID 2188 (vamicheatloader.exe) wrote to memory of 2696 (powershell.exe), 3 entries
- PID 2188 (vamicheatloader.exe) wrote to memory of 2532 (powershell.exe), 3 entries
- PID 2188 (vamicheatloader.exe) wrote to memory of 1196 (schtasks.exe), 3 entries
- PID 2224 (taskeng.exe) wrote to memory of 2576 (svchost.exe), 3 entries
- PID 2224 (taskeng.exe) wrote to memory of 2324 (svchost.exe), 3 entries
- PID 2436 (iexplore.exe) wrote to memory of 2816 (IEXPLORE.EXE), 4 entries
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented entries are child processes of the entry above)
- C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {71F1D75E-A203-4508-8204-34D363347F09} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SendUnlock.gif
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:275457 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x46c
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads