Analysis
-
max time kernel
132s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 17:34
Behavioral task
behavioral1
Sample
vamicheatloader.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
vamicheatloader.exe
Resource
win10v2004-20240508-en
Errors
General
-
Target
vamicheatloader.exe
-
Size
77KB
-
MD5
b074da06d9857ac5261d62b2446774a4
-
SHA1
7137511fab7f416097aafba40cb0b6becf6c9d6e
-
SHA256
d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58
-
SHA512
04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367
-
SSDEEP
1536:+dWwWpRvrlUSvelsuFXvnd4hbAbYUU0XXS06YTUgOrEKvN:I2TSSmnZvGAbD5iST/Or9N
Malware Config
Extracted
xworm
rooms-belkin.gl.at.ply.gg:48066
-
Install_directory
%AppData%
-
install_file
svchost.exe
Extracted
xworm
5.0
lot-feeds.gl.at.ply.gg:55815
ESm62iVh1zU7IuaI
-
Install_directory
%AppData%
-
install_file
RuntimeBroker.exe
Signatures
-
Detect Xworm Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3044-0-0x0000000000C60000-0x0000000000C7A000-memory.dmp family_xworm C:\Users\Admin\AppData\Local\Temp\huhady.exe family_xworm behavioral2/memory/4832-71-0x0000000000490000-0x00000000004A2000-memory.dmp family_xworm C:\Users\Admin\AppData\Roaming\svchost.exe family_xworm -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
Processes:
resource yara_rule behavioral2/memory/764-128-0x0000000000400000-0x0000000000487000-memory.dmp modiloader_stage2 behavioral2/memory/764-136-0x0000000000400000-0x0000000000487000-memory.dmp modiloader_stage2 -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2232 powershell.exe 3796 powershell.exe 744 powershell.exe 1840 powershell.exe 3316 powershell.exe 3480 powershell.exe 1564 powershell.exe 5004 powershell.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vamicheatloader.exehuhady.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation vamicheatloader.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation huhady.exe -
Drops startup file 4 IoCs
Processes:
vamicheatloader.exehuhady.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk vamicheatloader.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk vamicheatloader.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk huhady.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk huhady.exe -
Executes dropped EXE 7 IoCs
Processes:
huhady.exeitpndf.exeRuntimeBroker.exesvchost.exetylqcl.exeRuntimeBroker.exesvchost.exepid process 4832 huhady.exe 764 itpndf.exe 2912 RuntimeBroker.exe 376 svchost.exe 2860 tylqcl.exe 1376 RuntimeBroker.exe 4768 svchost.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\itpndf.exe upx behavioral2/memory/764-128-0x0000000000400000-0x0000000000487000-memory.dmp upx behavioral2/memory/764-136-0x0000000000400000-0x0000000000487000-memory.dmp upx -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
vamicheatloader.exehuhady.exeitpndf.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" vamicheatloader.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe" huhady.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\itpndf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itpndf.exe" itpndf.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 ip-api.com 56 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1880 schtasks.exe 1376 schtasks.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{6FFD71E1-2810-408C-910C-6AA6F17BB551} explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exevamicheatloader.exepowershell.exepowershell.exepowershell.exepowershell.exehuhady.exeitpndf.exepid process 1840 powershell.exe 1840 powershell.exe 3316 powershell.exe 3316 powershell.exe 3480 powershell.exe 3480 powershell.exe 1564 powershell.exe 1564 powershell.exe 3044 vamicheatloader.exe 5004 powershell.exe 5004 powershell.exe 2232 powershell.exe 2232 powershell.exe 3796 powershell.exe 3796 powershell.exe 744 powershell.exe 744 powershell.exe 4832 huhady.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe 764 itpndf.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
vamicheatloader.exepowershell.exepowershell.exepowershell.exepowershell.exehuhady.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exeRuntimeBroker.exesvchost.exetylqcl.exeRuntimeBroker.exesvchost.exeshutdown.exedescription pid process Token: SeDebugPrivilege 3044 vamicheatloader.exe Token: SeDebugPrivilege 1840 powershell.exe Token: SeDebugPrivilege 3316 powershell.exe Token: SeDebugPrivilege 3480 powershell.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeDebugPrivilege 3044 vamicheatloader.exe Token: SeDebugPrivilege 4832 huhady.exe Token: SeDebugPrivilege 5004 powershell.exe Token: SeDebugPrivilege 2232 powershell.exe Token: SeDebugPrivilege 3796 powershell.exe Token: SeDebugPrivilege 744 powershell.exe Token: SeDebugPrivilege 4832 huhady.exe Token: SeShutdownPrivilege 2584 explorer.exe Token: SeCreatePagefilePrivilege 2584 explorer.exe Token: SeShutdownPrivilege 2584 explorer.exe Token: SeCreatePagefilePrivilege 2584 explorer.exe Token: SeDebugPrivilege 2912 RuntimeBroker.exe Token: SeDebugPrivilege 376 svchost.exe Token: SeDebugPrivilege 2860 tylqcl.exe Token: SeDebugPrivilege 1376 RuntimeBroker.exe Token: SeDebugPrivilege 4768 svchost.exe Token: SeShutdownPrivilege 32 shutdown.exe Token: SeRemoteShutdownPrivilege 32 shutdown.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
vamicheatloader.exehuhady.exeLogonUI.exepid process 3044 vamicheatloader.exe 4832 huhady.exe 4636 LogonUI.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
vamicheatloader.exehuhady.exedescription pid process target process PID 3044 wrote to memory of 1840 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 1840 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 3316 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 3316 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 3480 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 3480 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 1564 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 1564 3044 vamicheatloader.exe powershell.exe PID 3044 wrote to memory of 1880 3044 vamicheatloader.exe schtasks.exe PID 3044 wrote to memory of 1880 3044 vamicheatloader.exe schtasks.exe PID 3044 wrote to memory of 4832 3044 vamicheatloader.exe huhady.exe PID 3044 wrote to memory of 4832 3044 vamicheatloader.exe huhady.exe PID 4832 wrote to memory of 5004 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 5004 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 2232 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 2232 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 3796 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 3796 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 744 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 744 4832 huhady.exe powershell.exe PID 4832 wrote to memory of 1376 4832 huhady.exe schtasks.exe PID 4832 wrote to memory of 1376 4832 huhady.exe schtasks.exe PID 3044 wrote to memory of 764 3044 vamicheatloader.exe itpndf.exe PID 3044 wrote to memory of 764 3044 vamicheatloader.exe itpndf.exe PID 3044 wrote to memory of 764 3044 vamicheatloader.exe itpndf.exe PID 3044 wrote to memory of 2860 3044 vamicheatloader.exe tylqcl.exe PID 3044 wrote to memory of 2860 3044 vamicheatloader.exe tylqcl.exe PID 3044 wrote to memory of 32 3044 vamicheatloader.exe shutdown.exe PID 3044 wrote to memory of 32 3044 vamicheatloader.exe shutdown.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\huhady.exe"C:\Users\Admin\AppData\Local\Temp\huhady.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\huhady.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'huhady.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\itpndf.exe"C:\Users\Admin\AppData\Local\Temp\itpndf.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\tylqcl.exe"C:\Users\Admin\AppData\Local\Temp\tylqcl.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /s /t 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exeC:\Users\Admin\AppData\Roaming\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exeC:\Users\Admin\AppData\Roaming\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38c6855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5156eef78ab09ed3f1bae50155c67a949
SHA1fcd424021246b9a11eb9a4fedae46a4a189749c0
SHA256585a5a7c33f57a3564c9e422f008cd7babeffa122d51c1fe982ecda02030e523
SHA51218bf31419032ba61eaa76f3b5f4095ac64de4852d7b152bb472c026e0106935deac06b30e9fd39e485675e1044c604ec87480eb0757eb92f13ff987f36529bb2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ce4540390cc4841c8973eb5a3e9f4f7d
SHA12293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA5122a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD554522d22658e4f8f87ecb947b71b8feb
SHA16a6144bdf9c445099f52211b6122a2ecf72b77e9
SHA256af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a
SHA51255f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5aeceee3981c528bdc5e1c635b65d223d
SHA1de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
-
C:\Users\Admin\AppData\Local\Temp\Log.tmpFilesize
25B
MD5c265525b01c83559e4d4bba15f733031
SHA166962ccaecf3f0f109a7bbbed14f446a6c3ebeba
SHA2567afaea8d0b8ee68df80874ca6ba0d2e267503cd89e5a5d50d7205db6d11373f2
SHA5124d3caa277a9920ba25dba8d1036246902cedb7e3d85c627759abff086d75afc2267b8f65232a1730d0559c7b894c70f02ce838e281daf8a74d9b6a41e4f8fb2f
-
C:\Users\Admin\AppData\Local\Temp\Log.tmpFilesize
64B
MD5f3584ccae36c311a42d6f94e2a55784f
SHA126a70b7a353e6b4afa7043521465c4aa80945153
SHA2563253e98d826449817ebea3b5d9e9c770ea96e0e4a1e629b9112058034a18488e
SHA512a3e366ebc159520973485caaf9980a532ca1fdfeb3c1ba1a7316f9c69e2064a4a78bad2349639c0ebcae0adc1d04dcb20c93642855ba85abcc1cc30068b8c88e
-
C:\Users\Admin\AppData\Local\Temp\Log.tmpFilesize
76B
MD5775137813b04c15648648288ae9b1f5f
SHA11342913a4e2820f61a9a61b27c370efdb129f0a6
SHA2561ed81857d278e02c03e82eb0d0329808be777f96e41e8c9612a376809e9a55ab
SHA512d0f68da3f7d8376ff9556d784873d2fa3b246879306faa1dac36645314d7137d39f759c7358965fa1a40ccad666e79f17cc7f31c9b17da1c8b710be70ac6a50d
-
C:\Users\Admin\AppData\Local\Temp\Log.tmpFilesize
90B
MD59c42c61d8a97d9ec66f60f809e344b62
SHA135ac4f1aec3e4249c471a309f864733c0e476aa6
SHA256b4e87f9c0fd2b55123bcfdcfc3ff260bec0b2a5a61ed99a97c934848875963aa
SHA512a088d0752d9d04a91afa5419fedf3170ed8ef2de1fe4eb4f55942cec1b9710d4743ef40cf01bcee32785d6c9c9587604e380dc6dc3839b86f5ae07f5fc0aab32
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4ad5j3k.qbn.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\huhady.exeFilesize
45KB
MD56816bd828cec3eb7012a7317bed42155
SHA129682d363e53e88339361fe541db48ab7232e074
SHA256e6cca25d0b2423b673b8bc8b38ccc048b132613bd7a19afa59dc362a6c990c31
SHA512bdcdd5be61c8093b577fe4b334c5cd7fbff0074557fa2136cefbe1c09cb57b9f51b516f7366a094e4e7a1c2a6d6815884f365fae1679ad11018023effae378c6
-
C:\Users\Admin\AppData\Local\Temp\itpndf.exeFilesize
206KB
MD50cf4fe7f1d12a7dd703e09dcfd4d733b
SHA13c01c96d2120c5567e32fcfa293dfa60daeea289
SHA25693c6910f522338836a99a7e52968718656514eed8afed1ce5a1eef8a42e37ce0
SHA512878a54fe636c2ef836db64dd58dad9870827baf3084a6d346ebe35c624a115729f8d0ded4ae1b30c8749dacb2267f7813491e7a23e8f7e320395b85fc7d928cb
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
77KB
MD5b074da06d9857ac5261d62b2446774a4
SHA17137511fab7f416097aafba40cb0b6becf6c9d6e
SHA256d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58
SHA51204faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367
-
memory/764-136-0x0000000000400000-0x0000000000487000-memory.dmpFilesize
540KB
-
memory/764-128-0x0000000000400000-0x0000000000487000-memory.dmpFilesize
540KB
-
memory/1564-53-0x00000240DC570000-0x00000240DC78C000-memory.dmpFilesize
2.1MB
-
memory/1840-18-0x00007FF841560000-0x00007FF842021000-memory.dmpFilesize
10.8MB
-
memory/1840-15-0x00007FF841560000-0x00007FF842021000-memory.dmpFilesize
10.8MB
-
memory/1840-14-0x00007FF841560000-0x00007FF842021000-memory.dmpFilesize
10.8MB
-
memory/1840-10-0x000001FB783E0000-0x000001FB78402000-memory.dmpFilesize
136KB
-
memory/1840-3-0x00007FF841560000-0x00007FF842021000-memory.dmpFilesize
10.8MB
-
memory/3044-58-0x00007FF841563000-0x00007FF841565000-memory.dmpFilesize
8KB
-
memory/3044-0-0x0000000000C60000-0x0000000000C7A000-memory.dmpFilesize
104KB
-
memory/3044-59-0x00007FF841560000-0x00007FF842021000-memory.dmpFilesize
10.8MB
-
memory/3044-137-0x00000000015C0000-0x00000000015CA000-memory.dmpFilesize
40KB
-
memory/3044-2-0x00007FF841560000-0x00007FF842021000-memory.dmpFilesize
10.8MB
-
memory/3044-1-0x00007FF841563000-0x00007FF841565000-memory.dmpFilesize
8KB
-
memory/3044-172-0x00007FF841560000-0x00007FF842021000-memory.dmpFilesize
10.8MB
-
memory/4832-71-0x0000000000490000-0x00000000004A2000-memory.dmpFilesize
72KB