Analysis
-
max time kernel
425s -
max time network
428s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 16:25
General
-
Target
https://samples.vx-underground.org/Samples/VirusSign%20Collection/2024.05/Virussign.2024.05.17.7z
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 10 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 15 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 14 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samples.vx-underground.org/Samples/VirusSign%20Collection/2024.05/Virussign.2024.05.17.7z1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85d2746f8,0x7ff85d274708,0x7ff85d2747182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5084 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,9695521878577849696,15647778139683925862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Virussign.2024.05.17.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\virussign.com_0a31fbd7aee778221d827c4247be3002.exe"C:\Users\Admin\Desktop\virussign.com_0a31fbd7aee778221d827c4247be3002.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\virussign.com_0235af7bca7910567869f3866c460fe4.exe"C:\Users\Admin\Desktop\virussign.com_0235af7bca7910567869f3866c460fe4.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 7602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4520 -ip 45201⤵
-
C:\Users\Admin\Desktop\virussign.com_18a553ef1d258cebe523621e65c5d61c.exe"C:\Users\Admin\Desktop\virussign.com_18a553ef1d258cebe523621e65c5d61c.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\virussign.com_18a553ef1d258cebe523621e65c5d61c.exe"C:\Users\Admin\Desktop\virussign.com_18a553ef1d258cebe523621e65c5d61c.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Desktop\virussign.com_252b38cda7c4334e3c3e8ec58cc65e1b.exe"C:\Users\Admin\Desktop\virussign.com_252b38cda7c4334e3c3e8ec58cc65e1b.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Program Files\Internet Explorer\IEXPLORE.exe"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:60 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\virussign.com_546d717c3d23bd4f9cfd981ffafb7f5d.exe"C:\Users\Admin\Desktop\virussign.com_546d717c3d23bd4f9cfd981ffafb7f5d.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Program Files\Internet Explorer\IEXPLORE.exe"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\virussign.com_4ed609f1ef9a674c1dcf53a8a5556a61.exe"C:\Users\Admin\Desktop\virussign.com_4ed609f1ef9a674c1dcf53a8a5556a61.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\virussign.com_8be37dac0447afc8db8d553c519c5b1b.exe"C:\Users\Admin\Desktop\virussign.com_8be37dac0447afc8db8d553c519c5b1b.exe"1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\7z.exe-Filesize
9.2MB
MD53b76c22c8db02c5c1fe9dd0398dbc324
SHA1dea3e29f6e6b8f21a590bf41d015e2e3b09e2091
SHA256b88a559ccfbb224cf3b6d11422b36f5b47d16a69d9429bb1ae6c7efce57dd682
SHA512c9ea73a14ce70209df6907f40c748a3e092f90de910c0be539e9cd5beb72e44b34792286b949c993116ea751c8c6c5054ca0e49426ba01b45a82a3523b5d8b74
-
C:\Program Files\7-Zip\7zG.exeFilesize
9.3MB
MD5f356f0af615ff1bc5caf36a409b40b3f
SHA105b73a979f4992b84d22bd0cbf0897de02795700
SHA25697c43f4b3c68c3faf43325813042f8da2baa0c6b48dadc62d015275224726124
SHA512db7d006df7d1241c659842fd822758283e4d09feddec50c7cb41b755be861f6a1c952989ad9d7dda77c53659f9329665edf294bd3b4ec83f31fa4b69061543c6
-
C:\Program Files\7-Zip\Uninstall.exeFilesize
8.7MB
MD5cb8664ebf0438410ec6498dfb329f6ec
SHA1e9d9ec8be4c99582adaf9a68c5b145b18b4182ab
SHA256d4e7a5889be6e240000747c39fef6a0c0635d3668399fabe210ec48cc0a1a491
SHA512300c6c7a0ae78700f643d251f3e1167ea6a621f50fc20e108a17280f79713a3c56de76e5f8a4012b6bfa2a1506cb73cff7836f9d7bf9582e57fe077dd15a9589
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeFilesize
8.9MB
MD52f66a104d1924d7b4a6c9f94159c6e4c
SHA1b75a71a53b5dc86e8cfa0cad79b02a4b0636145e
SHA2560f7af9b2ef9acec72d9c72fc7cb16fe412dd58a2c9a29640fcbf676ef6a2aa2c
SHA5127b905233d26ca7e72084fa11b17acc77cf9ab7f7acab0373b0d0a31175ac70a91685d55e8e17c6fc7dd28c71eca472f40232ec988bd5bd6ebc9430678cce78d5
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exeFilesize
8.7MB
MD5db467c4df5d52efb0a4939c7537ae1e9
SHA14db7fae97112dc6bcd894a5eaeb17de8c545002c
SHA256c8e3c6b68103e9ae682e77832d0a02c81658114c169775402badcf6449521ab3
SHA5127d915df68e9262f6488c8ad569db328ef5a75d139f3b8d81b0dbdc66242385bd00dee11efab5d05e0f30b08196ff2ec2c3e34fa39e5c5eee8b7cd8a6faa18edc
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeFilesize
12.7MB
MD5d460ea15cddf64c21bc832594b1d04c3
SHA1a3f24ae7b337b0bcead1136c684e57318bf8a83c
SHA25647190ef66c5eb13be79875986073f28a7c8f23bdd19aae39a247698875ea3ef8
SHA512a02e9542fc195e09f6b2f79a44e5709445e57ea7838c98c737e84f3dbf83469f4e10f4d456cb06d3256c6fe1e614ce7be93929f191eeaab169d2af3823f13600
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeFilesize
9.0MB
MD54197d9aafbb91b2a496c39a9caa534c5
SHA10d6e5008b47b81afc1e0b1f99c7aa4a7a62416d5
SHA256fb65cbce88eb30c644529c80ff5fad7069d750b756f627a0615c08aec5b46edf
SHA5129fc8c4f6f9e1163d44519059a4829359fa54883bfd8a0eea522a5715c555712cdab794ce963ae8a8e584d2e7a6d29821f8a89e6cf5f0a745715c155a4a875999
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeFilesize
32.1MB
MD585d73c28e122a5886a04c32e6d128b2f
SHA1cc6d0090f756d42506c6328f43b4b8c703ebf373
SHA256e5503b78bab784ba41aa2d7099614aefba363ce9a372cb51568fd1d90ddd139b
SHA512b4a6bc6b1528dea611753db35f87be66810da313e06659abfd65cf46eee2f743d11b1a85b95a3616485b479604e3ed05acb06038d6472e0a4e3e7ba0d8fa0d06
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeFilesize
10.8MB
MD5b4a70e4b84aac437e7a7c561ec9cb2ed
SHA16389913e9d243c932d5dc44b04895874edd6ba48
SHA256bb1729bd8322debd07d8568450e891f879ceed8b0eba1b1237495634651eb645
SHA51278c4015bd1673bcac94775b81213534fee3a8bb433723b5c20cbcc80b4ae1fac847aebf83f4234570142e000f2b861f3db91a36d8fea996b02e901aadd7a1506
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXEFilesize
9.2MB
MD58c71666ca935fa2fcdec381d213867a9
SHA1c43647e7e0423bb9ae466bb8106ad4e761bd9ac5
SHA2569035f67508ebfabee363fb60c78c1e5ba5ffbdfa2ce6b95e71152c01b00f6823
SHA51275db6abe9471b33a3835cc66c72820a1b22ddd7efb69b73aebfbd08b30a3a9e9ea01cedc54d34f5323a5b146db9aca75bc53a9f40cb2bdfbaf1f3d9c7bd17d78
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
8.9MB
MD58f27791f069d9a0890d11a2452ff88b6
SHA15b9326ee023277e03c1131dd5a27cf5618921a52
SHA25672adb528d7c847820bd255e8e4e841a388d217427e759ef1947418a6cf1dc925
SHA512ac4e9c2170af788515f3bfdc99d8c23c5115a60d35580cad2aadd1086b279a1872c5413677ed40e0b6a4058574bd8de629b9b993523ceb45e69cdad9df9a3d31
-
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exeFilesize
8.7MB
MD5c821f5cca0bef39e4decb6762638b2cc
SHA105b8b4721d4c138b56e47562fd4a4406f1f8cbfa
SHA25695a9232ef2db5c03de28b40cba23a557702f756b896b5179d4f1e5be461d6808
SHA512bfdb4b0775fa33df852626df86b01b7eb651957fb7c3f525c882b771442fa0d4cf359b53041dd260fe0ce6b5d5218812769d7f379ae3749cd7bbb04129a3c5f6
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exeFilesize
10.1MB
MD5a53f3f825314384e06365a79e4e49da3
SHA1a244e2333a9806862913599883584483887d1bdc
SHA256962f2c30eb3f99a17ce4137a3fcb7f458fda80205865d3f5d2c06f6240c376d9
SHA512b3f2b060939e7118767017ded8dd22bb0d4c250259092ded6f988bff3eef468526f95c7bcbf0f2d4092d9be03e3c410f10646f96cfd30508a134795aa47f2617
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exeFilesize
10.3MB
MD5a8506821a5cacc54100ed3289dabd610
SHA1197e8e3031ef4add09514aac24e731b782f45c0a
SHA256025e1c7b57b46b4d522f4459f561559e8f444876fd403b2940ffd387d80a2264
SHA51226eb0dd6fb424e1a431a60ab0a10b97f6884e2abf28c737d64a72fecb76a68555c21f17163432ac40203a90ee9596e405d0fcb3ff50154fffb2580e537d6862b
-
C:\Program Files\dotnet\dotnet.exeFilesize
8.8MB
MD575bd0dce629f396bcffa12fbf11c98fa
SHA17a0ea00d0d7affc097a13ded66898335a2faf28e
SHA256678f5f25e67663c35db4ab04e068fe75ef9c5b4dacfc9867d395e8ff7b28f19d
SHA5127ae2a6d7a0ede4b6994b97093efb65267b2760716558a3128106cfab53d503afdb208a021b21a47166f05c90a1107e5f57a5acde7db112e7f91196a07b771bf2
-
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exeFilesize
8.7MB
MD597fb3133a7b694eae0089df4beafde9f
SHA1d5ad11a30ddd53afadbbc113aa469b3815a5b2b6
SHA256a25d0ddd58375da52b8b576617acb34f090b3aeb08fe9e8e194d15e18d691521
SHA5127614ee71d74eedf2477191d6f6b9adca697d28e11f8c27054bb812c4ceea7d4651da507e7753fff637eb05860bc8bcc0006161f69056f4f6a062b7f6351cc6b7
-
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exeFilesize
8.7MB
MD58605c7a76bbfbc927b594a8b195cd067
SHA195314a6dc478dbcdc5644ce9032f8d76eee33e3a
SHA2564c0b841f967ff6e442bc882a6905b3f90baf99ec67d5866fab5ea0ba5d5a5a2f
SHA5128267dcab17dc6b9f3f80be285610c63002ef92b4585575b249b6c4ec6b35f1a3df654b246aea46a49af622d9ee78a58f1a9f7e0f4109ff8eb919f2e1a7f9d152
-
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exeFilesize
8.7MB
MD5a592409005c358a238250cb371d1918f
SHA187a14444c6262d8fe54ef96109e02d0f9feea758
SHA2568a1ebe48840c1332810a7fdcbdc591f5dfeef038f18c2111598460aff1f3e146
SHA51250088d1b09b8ffabac07d6d9cbb253b9c471e685fc84d0903abc186f5e8b9f2eb9aed916d71e1cafa84b69e537150bf960df554845f7b68b3c7743075e7c5dce
-
C:\ProgramData\mntempFilesize
16B
MD554fd8ae71831d9afc54c3b3a9cad01e8
SHA1c8cd04c1fd27990aaaf98c16d28d9fddaa61beb5
SHA256143ac77670384287b780c744a95ce45e95b28747cdc93a75069be8ffb8da2962
SHA512de6fb3af41c9b3831625935c29998f106bd9361edb13a1b9ce02f5295298b17771e9bf01dec7ca749ff00b517de9e6ea77935185c1081a1795cbf0e69af17f40
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD5ae2d01ac1241a952a944e719afe5b8be
SHA1e093272be99d539e528545ce396e0ec91f50110d
SHA2568e3f21a953b3e4fe761c17a676d9f719491e9c660998489ae2541ac6f3705721
SHA5127c323647f06992f08bbec450dd58d09e9f06c4d5d7cccd390f623e66bf0eba279ec8f598fdaa8849acabceb5d0c847cc981f5e12e0c45b6be00c7a9c5d04a036
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
194B
MD5c753a51b344f5e0b7614e6b335efce1a
SHA1ecab6c44f7f65a04b594d3c1f5ccc151e1fbbea5
SHA256b9be628c5d1925240917e40326ded59765a86dfc8580b59d2e51f9925f3fc494
SHA512c579bb93537ef2b84bf17b99354eaf60da7719432451d916f15084675ab7fa9c5b24c8e370108b0fec1244d2a8ff44e1ace16fca9abf18c5a12f91f8801a68c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD59222706885cf0c7b5ff09f2f5437280c
SHA1ae0507e5e58eda703077e74c10db2545ce268695
SHA256719951400d70cf9bb39221f066df093e4fd66b66e58b8acb2c6d068a9a31bd32
SHA512e940ff8bb401bce79998ae7dcb29cc201342d64d28111a75a4b6445157032548490932bec17d32ff4d82890a82b2b34720ebeff6af4da4531b6bf1e3114f3cdd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD55bcc7f24c21c78701f20685139fc3bf9
SHA196c8fcf47208a6beab894b6d5fd6c082e681f6a4
SHA256ef93b9951e73a8d336eb5dc0d2eca29d4a32cc4a018c7e856535aed2d765badf
SHA512bb9cd1268293d71e8ff2d1228394ba82f974d1f3f027c4b632f01936bc5d2685a81e969417d52f77bfdcbb40464e115b536fd47af021639f1eff9f13eb01a85d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD509ecfe90e36b7ca9c92a5b6c67c11523
SHA1369d5e12b73e93a45f1ee83af0f3892da1ca9243
SHA256c35f98d474ecab1dc83b538b0512f89f356b27dc8ce2a185c61d37d55a9ee80b
SHA512c3decf211009d49a3720ae568f6d981ccdc889c9e9f67967c128137e3cc0a6c725806bd352894bee7ed8b44ec870cfa6b843e14347fb6c9eab2058b3b26ca9d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52c91dd57bdaa7a55e4a92fa2dce6ef67
SHA14dc5d693f20a586b99fbf1d48f1baf854b517e1d
SHA256b60c72450f44ce68fee28fbd91ab682e60a7e98df1955fe85041559d9d7b9caf
SHA512aa53fd40a1224e537b6ab47ca9728a2e6df8c00a458ebd8484485f7ba242caf248e094666cb7efe32613e66b7040ff6bcacd4737517bc2217bcf3702dc81aec9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD53e9306e6c74c51a3673dbf7fab386057
SHA120835e4f5d9ff6bffcd575fb8e6bfe48512428ef
SHA256a485ca61d9468d767f6f5ed8b357d02bba11446e8b60cd0cff85cfae873adcfa
SHA512a7b21d6569c1b8a4ad38f4baa87b727e6a4a1f9d58afbe2af80989a9d04e6c35d964621c8c41a9d37125684da8c71a284c219adfe746448ac83e6cceb8df1b20
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C3B47C7-1858-11EF-A084-5A63B3EA338B}.datFilesize
5KB
MD5d3405fbfbeb4defa5f6bbc991b626310
SHA182f6d5aa7410b43be24b94fe7fefd06e98bd056a
SHA2564b11d727fcc6fab1a511b56cfe410816bc9efbea5c00896e334d369167338554
SHA51256e302d7c71618394ce827a266b7e47b30328f295904c06d087dfafb02a3a8cdc1be98b1ca8093cd0160df23241f699c5fc05d5bc3c3c0cf34c6b7916f5de508
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{7F170F1E-0D27-11EF-A07C-EEF0A8BAFE32}.datFilesize
5KB
MD5513f3bbef1bb7f75c254efffbe850ca0
SHA1c9b2d9a1d146023f7a879f6de9b5bdcf3ae34fb0
SHA256c1699c86cbcdd6bfef9731d44705bd7cb451e7466536184319e8a5a00dae22ca
SHA5127dbe4414fdca5e24008d6e22304ee9406c957cb06f56e4c6531650fa0b118a1f347f72a206b81bad008844142e1a01c54d89c666b15a7531c37fd34a9383850a
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{6C3B47CA-1858-11EF-A084-5A63B3EA338B}.datFilesize
4KB
MD5f16fc319154cfa4401062002ce601ace
SHA1e5453dfeb46e506ce0029cc72ff314311dc8e90e
SHA2566c3b1afff10013c53d30351cc1b09e951eb607c6cf49ad61a88b8d79a73572a6
SHA51287209f2914160f66a4cd38f14e448b7f9cc5c2c8a252a229e1ea6de26b90ff0b3ef1ed9302301c2efeadbd693e13a69e6c48c09f80c848884c4e834208654798
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjkj0byo.yo5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\~DFCE1E3464BBEB9DDC.TMPFilesize
20KB
MD59cf95d12997541b9fd585fb5d6ffc366
SHA13f9983a97cf219147bb4e82ff652bdfc6fa059c0
SHA25624bee0a97efe65cdd8a1f2745d55403084291182b2d2eab572f0f03c695225df
SHA5125ecd35902a11402af3d381ee274cad17bc7c4f7eba6d397a1890378fdb61bd6d9f7b90a36475ac4c58c7e650013cd88d16b7dad3e7f46cfa3b3cb4fade03ae1b
-
C:\Users\Admin\Desktop\virussign.com_0235af7bca7910567869f3866c460fe4.exeFilesize
9.1MB
MD50235af7bca7910567869f3866c460fe4
SHA1f8d0be426eb73564fadb67490209c844c8677f0d
SHA2564273722b48dc99b099e866d5a3e1f9d2eed6e6c0cce9cdfac12e42fe194ce380
SHA5123443cad22ffb13bb2b462ab08e2903f354f453619038ea48744d1545342148da06559c61a6c0bfdc34f21038ecd8507fc9fc228de96edcec2f99df20956caa73
-
C:\Users\Admin\Desktop\virussign.com_0a31fbd7aee778221d827c4247be3002.exeFilesize
3.6MB
MD50a31fbd7aee778221d827c4247be3002
SHA1db3db9b03f3b088a5d1dcc366f216c21898b8ed0
SHA256cfff021f5d10073a98e8536752d33492ddc99ef854c26cb3cea85f81fe97a9f5
SHA51266c048a5f9d709c609bfd07420da859b1a4a312bd65e4cc0f34b857d1ad89ffad020d0ea9cce5c64a3edd1c62e7e8d36711e0b4526ea74da5a10091704ec5b6c
-
C:\Users\Admin\Desktop\virussign.com_18a553ef1d258cebe523621e65c5d61c.exeFilesize
4.1MB
MD518a553ef1d258cebe523621e65c5d61c
SHA14bd6447ea3c6f42e47e207b30d039c169d0722ac
SHA256b8f82a1752d1752e01cb87e4651174c0b628b125aca23c0fde9f3336c2904664
SHA51276789a726e92b754e7bd632c222a9cc53d2af19aa3a7dd89ecb90a6cc049613b814dc1c9016481689b1784446c9c5c7e1792f471e26f520a6c7f8330700306c7
-
C:\Users\Admin\Desktop\virussign.com_252b38cda7c4334e3c3e8ec58cc65e1b.exeFilesize
8.6MB
MD5252b38cda7c4334e3c3e8ec58cc65e1b
SHA12997bb9d33779ec54663dc48b65986666004179c
SHA2564f9238687f0d54325cf8db7a0c0bf493ae1639282997587bf7dd29060655d705
SHA5127a134fa3636a1c08149b4103e76c30ec7616e8284d2e2cdccdf71330383ed8cac180988b3d2b111817773b98399a01b66e042d1821cb4e7f65ddf42e4904ab5e
-
C:\Users\Admin\Desktop\virussign.com_546d717c3d23bd4f9cfd981ffafb7f5d.exeFilesize
17.7MB
MD59216d761a7cc20d50dbd07c58da5505f
SHA13d70c10637a8d8ead15ea5bf179b43e59005724b
SHA25648e58bead4228fa9493c69a4b85a9185f389871a00525a88e6a7d340e48fe558
SHA5124d57c3574ad0f7569fc696aaf41597582e5e9149cf9cf6bcab684008922a7ef39669dc288337e26f172d496a51a4ba5f9463a8776966d68a57f6d6b2bd3a4f0f
-
C:\Users\Admin\Desktop\virussign.com_546d717c3d23bd4f9cfd981ffafb7f5d.exeFilesize
9.0MB
MD5546d717c3d23bd4f9cfd981ffafb7f5d
SHA1ace6d5521818577d9e74e657359f4b20bf32106a
SHA256f5eca5371fd47162f26656f099022cde3ee777f25e07ad329329272c98f4a6a4
SHA5122f5d2c3000ee5a30124cb5af472d6159f564a7bdfc568dcfe531401e905cad74aee6a8353f3227b83904b01eca11e126c155d2f18df3ce3ed19c9633a1b696da
-
C:\Windows\Resources\Themes\explorer.exeFilesize
3.6MB
MD5443c530f332e89938cb2864ed4ae8c83
SHA17bdfae499b722bb3036b3c5e2febd28662ccc4b8
SHA256ff724558cd74a406f818a72872dce567b947255a4ed34c01378ead4ffacb302e
SHA5129dfa081b94c725dcd915bc76123d365f7b9c380778ae516c95cfe5a33c20143362b4c07b408780caae56e68987cc24e17604f7cf2a755ae0e6c0ccbfa8361046
-
C:\Windows\Resources\spoolsv.exeFilesize
3.6MB
MD5a421bbe6c3909d83f0753da2b701fdda
SHA1487c56e7d5fc8e4160c8ed1e88796f015e9476c8
SHA256c878171d81fe33e4954cf09904dffab4e2d8b28c8ee7f50aa8762ea99cef3178
SHA51272306b97d471733eb2e90f4c02ceab3611acd869a9d67b48c6b92a698693f374b05d7cabd52b570636383ad75cb76ce6a8319e4d542df59ed26976303ce4ecec
-
C:\Windows\Resources\svchost.exeFilesize
3.6MB
MD50956f6aa04621462b2c3fcf4f5163237
SHA1e872b17dca5877fffdcf8a031fe3ffa239deb904
SHA256c1f3b4f88a47dad0d38558a88fa19a8f910cad60894024de2bc16257372e4de2
SHA512618b11d4bf48256a0adb516ead682a5a55727b0d390481c05b61c7e784e29bc7e53a8f0fc4eeb4ea7c73e55a82de00a9967e9ccd44cf3af38e02fabbd78b0aa5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD578874e7c73a7f3d44d5ece8e56d003c6
SHA13cd01a7215b5b8794224606949d4f3107058537b
SHA256f2c09ff6c04208928d588440acd36cba2b0d78fe8ec8d610f3d418a30fd2cc1c
SHA512730e9225f70f7d8cdbc6d0f4a04c72c3ab709787f2b1a01abea2a48fdba9b719d59b22ef56cbad72d985ebd7d717f55c0ee55cbc04c1d2b5892d8de223391d86
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b5584a1dee205b8032e58c5933e3187e
SHA19c0dd08efd5c74ec216f9231d6e5710b00862161
SHA256203de9dc07d16c5b14610730535b88582e0338019ef9a429cd460d7a287b6cf2
SHA5121cec5a65ac289f8f1fc072e5e7e89af3cdebb02554953e45ea10dad00338742a6d0ff8efc8c4019fa07e79980c56206596f5b035055bb253c8c4ea4528b2b5d3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59e574f1d33eeab5f3aae6a38b0029b60
SHA1af70c3a931c7911ba95862f9c43826e186213366
SHA25666e60692fd82ea24d73d2a6cbb18651f61321925bec28dbeb39b30d22879fefd
SHA5127d9a5d73aa4f79884771bde99f4f929808b9fa87732543ae9b50eef0ffc707ec6ee482f972456c096e03cce6141852a7600b4791166475947c12709094a23289
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD597b0601a447b3740f172a78992940a12
SHA188ab2fcf5b61f566fbec8fb00c09ff77f2f45209
SHA256d5a0fd6097e60e4b54b7999aeb3fbe053020a806c3b505c1ba642982c697811a
SHA51205d68c4678ea0a4d6e5fd0b4e826028f2af03bcb9247444a4d397f762ebff32133999adbd6201eb5dbf027bed366819bd5e7c257f1ee1dac80cf473a4981de64
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5cfb0be32e407fce8ab3f40c732b392f5
SHA169ccfd771dec76e6350dd074fb0e0ad9dba0d008
SHA256c60085f2550984c563bca41c778c06e2e2bfaed8a6c60d687da27d07fdfdd53c
SHA51248e9df3fc029f6085ec00ece48ebe6963366f79da42a2a77f5b2651e1c8665346b5da4e6dc65aad5ec1da1efb1c672e279bb840f7eb6d5b3e6ca5a56d459be74
-
C:\Windows\SysWOW64\xdccPrograms\7zFM.exeFilesize
6.3MB
MD5f52c1db8d694bb7ff57a3dc65b88c487
SHA18fbb6e59e956ab402ea0b64731d32787e7101345
SHA2565c7fae491d20c9feb4d566ff3fc4b5f614f29619263383a356f90ad0c6a6b004
SHA512fe51a8e5616701c619369f630d9e9ea85b1a12192d2d8b304b73ad942d1df5083d9f15d5640934186af44c14024e1c7453ae9df6381ecb42a25ba21ed1e8c768
-
\??\pipe\LOCAL\crashpad_4264_PWSTPWEMVRQUZNWMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1236-380-0x000000006FCF0000-0x000000006FD3C000-memory.dmpFilesize
304KB
-
memory/1236-381-0x000000006FE50000-0x00000000701A4000-memory.dmpFilesize
3.3MB
-
memory/1236-378-0x0000000005790000-0x0000000005AE4000-memory.dmpFilesize
3.3MB
-
memory/1532-223-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2224-393-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2356-329-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2592-218-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2888-421-0x0000000005970000-0x0000000005984000-memory.dmpFilesize
80KB
-
memory/2888-408-0x000000006FC50000-0x000000006FC9C000-memory.dmpFilesize
304KB
-
memory/2888-404-0x0000000005AE0000-0x0000000005E34000-memory.dmpFilesize
3.3MB
-
memory/2888-409-0x000000006FDB0000-0x0000000070104000-memory.dmpFilesize
3.3MB
-
memory/2888-406-0x0000000005FD0000-0x000000000601C000-memory.dmpFilesize
304KB
-
memory/2888-419-0x00000000071A0000-0x0000000007243000-memory.dmpFilesize
652KB
-
memory/2888-420-0x00000000074C0000-0x00000000074D1000-memory.dmpFilesize
68KB
-
memory/2992-311-0x0000000006FD0000-0x0000000007073000-memory.dmpFilesize
652KB
-
memory/2992-293-0x0000000005780000-0x0000000005AD4000-memory.dmpFilesize
3.3MB
-
memory/2992-301-0x0000000070460000-0x00000000707B4000-memory.dmpFilesize
3.3MB
-
memory/2992-313-0x0000000007320000-0x0000000007334000-memory.dmpFilesize
80KB
-
memory/2992-300-0x000000006FCF0000-0x000000006FD3C000-memory.dmpFilesize
304KB
-
memory/2992-312-0x00000000072D0000-0x00000000072E1000-memory.dmpFilesize
68KB
-
memory/3280-13790-0x0000000000400000-0x0000000000D43000-memory.dmpFilesize
9.3MB
-
memory/3280-18075-0x0000000000400000-0x0000000000D43000-memory.dmpFilesize
9.3MB
-
memory/3336-541-0x0000000006160000-0x0000000006174000-memory.dmpFilesize
80KB
-
memory/3336-435-0x000000006FC50000-0x000000006FC9C000-memory.dmpFilesize
304KB
-
memory/3336-436-0x000000006FDB0000-0x0000000070104000-memory.dmpFilesize
3.3MB
-
memory/3336-446-0x00000000078A0000-0x0000000007943000-memory.dmpFilesize
652KB
-
memory/3336-502-0x0000000006120000-0x0000000006131000-memory.dmpFilesize
68KB
-
memory/3680-244-0x0000000004F90000-0x0000000004FB2000-memory.dmpFilesize
136KB
-
memory/3680-258-0x0000000006010000-0x000000000605C000-memory.dmpFilesize
304KB
-
memory/3680-278-0x0000000007750000-0x00000000077E6000-memory.dmpFilesize
600KB
-
memory/3680-280-0x0000000007690000-0x000000000769E000-memory.dmpFilesize
56KB
-
memory/3680-243-0x0000000005060000-0x0000000005688000-memory.dmpFilesize
6.2MB
-
memory/3680-281-0x00000000076B0000-0x00000000076C4000-memory.dmpFilesize
80KB
-
memory/3680-277-0x0000000007640000-0x000000000764A000-memory.dmpFilesize
40KB
-
memory/3680-282-0x00000000076F0000-0x000000000770A000-memory.dmpFilesize
104KB
-
memory/3680-245-0x0000000005790000-0x00000000057F6000-memory.dmpFilesize
408KB
-
memory/3680-283-0x00000000076E0000-0x00000000076E8000-memory.dmpFilesize
32KB
-
memory/3680-276-0x0000000007550000-0x00000000075F3000-memory.dmpFilesize
652KB
-
memory/3680-246-0x0000000005800000-0x0000000005866000-memory.dmpFilesize
408KB
-
memory/3680-256-0x0000000005930000-0x0000000005C84000-memory.dmpFilesize
3.3MB
-
memory/3680-275-0x0000000007530000-0x000000000754E000-memory.dmpFilesize
120KB
-
memory/3680-265-0x00000000702B0000-0x0000000070604000-memory.dmpFilesize
3.3MB
-
memory/3680-264-0x000000006FCF0000-0x000000006FD3C000-memory.dmpFilesize
304KB
-
memory/3680-263-0x00000000074F0000-0x0000000007522000-memory.dmpFilesize
200KB
-
memory/3680-261-0x00000000079A0000-0x000000000801A000-memory.dmpFilesize
6.5MB
-
memory/3680-262-0x0000000007340000-0x000000000735A000-memory.dmpFilesize
104KB
-
memory/3680-260-0x00000000072A0000-0x0000000007316000-memory.dmpFilesize
472KB
-
memory/3680-279-0x0000000007650000-0x0000000007661000-memory.dmpFilesize
68KB
-
memory/3680-259-0x0000000006520000-0x0000000006564000-memory.dmpFilesize
272KB
-
memory/3680-242-0x00000000049F0000-0x0000000004A26000-memory.dmpFilesize
216KB
-
memory/3680-257-0x0000000005F70000-0x0000000005F8E000-memory.dmpFilesize
120KB
-
memory/4336-190-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/4336-222-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/4336-387-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/4380-331-0x0000000070460000-0x00000000707B4000-memory.dmpFilesize
3.3MB
-
memory/4380-330-0x000000006FCF0000-0x000000006FD3C000-memory.dmpFilesize
304KB
-
memory/4444-352-0x000000006FCF0000-0x000000006FD3C000-memory.dmpFilesize
304KB
-
memory/4444-353-0x0000000070460000-0x00000000707B4000-memory.dmpFilesize
3.3MB
-
memory/4452-221-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/4452-180-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/4508-11360-0x0000000000400000-0x0000000000BBB000-memory.dmpFilesize
7.7MB
-
memory/4508-11473-0x0000000000400000-0x0000000000BBB000-memory.dmpFilesize
7.7MB
-
memory/4520-236-0x0000000000400000-0x0000000000D1F000-memory.dmpFilesize
9.1MB
-
memory/4844-219-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/4844-212-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/5108-3792-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5108-5839-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5108-7301-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5108-4893-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5108-4345-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5108-1739-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5108-2578-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/5108-530-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB