Analysis
-
max time kernel
325s -
max time network
328s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
03-06-2024 16:13
General
-
Target
EzCrack.exe
-
Size
78KB
-
MD5
9efc872f4f99869fd6befd84076b1f02
-
SHA1
6bb6931b260936082028812f079f5b4543e599e0
-
SHA256
4e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c
-
SHA512
cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381
-
SSDEEP
1536:dRNd9tEnU5G+eiIhLK7AiVqbDoxTBH/d1Pq63FBN77OCXnG73E:drdARhLIVqbDSH/dVPN3OCXGDE
Malware Config
Extracted
xworm
-
Install_directory
%Temp%
-
install_file
ApplicationFrameHost.exe
-
pastebin_url
https://pastebin.com/raw/gf3CpGLZ
-
telegram
https://api.telegram.org/bot7330774245:AAFjajgEdSRi37pBSVsgsnILKxiBDZzP_f4/sendMessage?chat_id=5561074001
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 6 IoCs
-
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
ACProtect 1.3x - 1.4x DLL software 5 IoCs
Detects file using ACProtect software.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 52 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\EzCrack.exe"C:\Users\Admin\AppData\Local\Temp\EzCrack.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EzCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'EzCrack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json2⤵
-
C:\Users\Admin\AppData\Local\Temp\All-In-One.exeAll-In-One.exe OutPut.json3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F06417080FF}2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F06417080FF}2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /X{09CCBE8E-B964-30EF-AE84-6537AB4197F9}2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /X{90140000-0015-0409-0000-0000000FF1CE}2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /X{90140000-0016-0409-0000-0000000FF1CE}2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /X{90140000-0044-0409-0000-0000000FF1CE}2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\MsiExec.exeMsiExec.exe /I{BF08E976-B92E-4336-B56F-2171179476C4}2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\taskeng.exetaskeng.exe {1225A951-D76C-491E-8D1F-C09911CDBBAC} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeC:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeC:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeC:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeC:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeC:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe2⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef289758,0x7feef289768,0x7feef2897782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2920 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1292 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 --field-trial-handle=1216,i,2212606665277317634,17262867843632674206,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1C17078618B6120EC4C0D915DB8CF547 C2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A552098053A84ED9ACC759C181DFA8292⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "00000000000004C0"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f7963d3.rbsFilesize
2KB
MD5b6eb615b7c1ba56c60c4ad9f0092d53b
SHA1b5fded065943dff3f88e44a5d2c12310d39e8e1c
SHA2562c73667f865826aa0594164d0053e3a7f65f830aa4c177e9836f89d020358c18
SHA51279ad410ba155c9f94f896e4aef6f04230cae5c9e0b2e18b1a7376ad0556fd7492cedef0cea5dfacaf15af0fff10a65fa59f6908aa03e701dcab94962c00afd43
-
C:\Config.Msi\f7963d7.rbsFilesize
2KB
MD51e5088865c8ae5740bbc9840b396cf89
SHA1addd2416e52610b3590674fee2bb888a1b9b0be2
SHA2563237d431e477b162693d16bbefdb3c699fac0f0271f0170f12bbb2780f7db976
SHA51294c6e9efc58d3c7d3fc59d0d52f0f2804c1e383a9093c49e739333836bbf1945b95a97945ebeb4bd00ce758b03ff2723a42862a9f578a353d3cfbf64819c2af9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2b6291c5-6889-4ab1-881f-ec595e345ed2.tmpFilesize
280KB
MD5793fd59cefa15b3d9ed6ce3fa5a0c8f9
SHA192379cf424046484103e49e00642c491512cd20c
SHA256086143e163c81cbc9b5b63a90a87f5ecc30e9eead8801805068f333fc92b5e05
SHA5123995033ecb42cd5a524ae3ff92b8e8f847235a8605e924ccb279fb62feaa06f18d464b44efb9047110c4359663532c8899b51b88e8a477a5c86720b68e839d6d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5bdcc9b4876754e7202624880af385ffb
SHA1bf5a963752e6ac77fa422834ed743bddb2a4c260
SHA2565a7c3546fd30086fd07e78ec4effddc626b6c685338aca2f07298ab85ddbe28d
SHA512a83a7f556a3e129772d30d5cbcbe89a270883e4c2a6cb7883cf1d9ed67eb7f50a93f5ead134295ee6bd2c1a8f617f8646cb5df852f47b8a5e6165e3509cc3093
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmpFilesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
280KB
MD5dde0344a98a7d9242face36413db4f3c
SHA1c91399de52bce96140b061dff41f16bc93de226d
SHA256fa305b788c2682e7f9dc3a73fd1579f1326b093a4fe47445b805a7370d51c15d
SHA51208712685f62d7612059eacfbf15f9785125aac2b723eb51d579fc318ce7ff0395a84f442827d8e01fe366cf5c6cc11ad6f66a1b4aa6cf5e94ebacaf019afff1e
-
C:\Users\Admin\AppData\Local\Temp\All-In-One.exeFilesize
5.1MB
MD5a48e3197ab0f64c4684f0828f742165c
SHA1f935c3d6f9601c795f2211e34b3778fad14442b4
SHA256baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb
SHA512e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59
-
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exeFilesize
78KB
MD59efc872f4f99869fd6befd84076b1f02
SHA16bb6931b260936082028812f079f5b4543e599e0
SHA2564e8aad0b31678291ca4b4dae74385c6a0d424b7c49a439f045573f93908a764c
SHA512cfc949b9db32db43a9f0ab9dd5c59624999c8df84aaeb953251198958a10dd744e273f560f4b16cd150c5bff1d66e6014f198ca0ea3f85e5afe189fe78e8c381
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dllFilesize
18KB
MD56ea692f862bdeb446e649e4b2893e36f
SHA184fceae03d28ff1907048acee7eae7e45baaf2bd
SHA2569ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA5129661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dllFilesize
21KB
MD572e28c902cd947f9a3425b19ac5a64bd
SHA19b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA2563cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA51258ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dllFilesize
18KB
MD5ac290dad7cb4ca2d93516580452eda1c
SHA1fa949453557d0049d723f9615e4f390010520eda
SHA256c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dllFilesize
19KB
MD5aec2268601470050e62cb8066dd41a59
SHA1363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA2567633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA5120c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dllFilesize
18KB
MD593d3da06bf894f4fa21007bee06b5e7d
SHA11e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA51272bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dllFilesize
18KB
MD5a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1116846ca871114b7c54148ab2d968f364da6142f
SHA256565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dllFilesize
28KB
MD58b0ba750e7b15300482ce6c961a932f0
SHA171a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dllFilesize
25KB
MD535fc66bd813d0f126883e695664e7b83
SHA12fd63c18cc5dc4defc7ea82f421050e668f68548
SHA25666abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
SHA51265f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dllFilesize
22KB
MD541a348f9bedc8681fb30fa78e45edb24
SHA166e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA5128c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dllFilesize
23KB
MD5fefb98394cb9ef4368da798deab00e21
SHA1316d86926b558c9f3f6133739c1a8477b9e60740
SHA256b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA51257476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dllFilesize
22KB
MD5404604cd100a1e60dfdaf6ecf5ba14c0
SHA158469835ab4b916927b3cabf54aee4f380ff6748
SHA25673cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dllFilesize
20KB
MD5849f2c3ebf1fcba33d16153692d5810f
SHA11f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA25669885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA51244dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dllFilesize
18KB
MD5b52a0ca52c9c207874639b62b6082242
SHA16fb845d6a82102ff74bd35f42a2844d8c450413b
SHA256a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
SHA51218834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dllFilesize
324KB
MD504a2ba08eb17206b7426cb941f39250b
SHA1731ac2b533724d9f540759d84b3e36910278edba
SHA2568e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4
SHA512e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dllFilesize
135KB
MD5591533ca4655646981f759d95f75ae3d
SHA1b4a02f18e505a1273f7090a9d246bc953a2cb792
SHA2564434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47
SHA512915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dllFilesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dllFilesize
1.2MB
MD5fc57d044bfd635997415c5f655b5fffa
SHA11b5162443d985648ef64e4aab42089ad4c25f856
SHA25617f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3
SHA512f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dllFilesize
140KB
MD51b304dad157edc24e397629c0b688a3e
SHA1ae151af384675125dfbdc96147094cff7179b7da
SHA2568f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb
SHA5122dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad
-
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dllFilesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dllFilesize
72KB
MD572414dfb0b112c664d2c8d1215674e09
SHA150a1e61309741e92fe3931d8eb606f8ada582c0a
SHA25669e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71
SHA51241428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9
-
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dllFilesize
172KB
MD57ddbd64d87c94fd0b5914688093dd5c2
SHA1d49d1f79efae8a5f58e6f713e43360117589efeb
SHA256769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1
SHA51260eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d
-
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dllFilesize
8KB
MD5c73ec58b42e66443fafc03f3a84dcef9
SHA15e91f467fe853da2c437f887162bccc6fd9d9dbe
SHA2562dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7
SHA5126318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf
-
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dllFilesize
6KB
MD5ee44d5d780521816c906568a8798ed2f
SHA12da1b06d5de378cbfc7f2614a0f280f59f2b1224
SHA25650b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc
SHA512634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8
-
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dllFilesize
155KB
MD5e846285b19405b11c8f19c1ed0a57292
SHA12c20cf37394be48770cd6d396878a3ca70066fd0
SHA256251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477
SHA512b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7
-
C:\Users\Admin\AppData\Local\Temp\License.XenArmorFilesize
104B
MD5774a9a7b72f7ed97905076523bdfe603
SHA1946355308d2224694e0957f4ebf6cdba58327370
SHA25676e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81
SHA512c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675
-
C:\Users\Admin\AppData\Local\Temp\MSI60B6.tmpFilesize
84KB
MD594ee5f4e1500435f1d8eba5a54c231ed
SHA1d8ab879fd681cdbf7cfab010523ab7c950b68e87
SHA2565fec0c3e5c0dafcb9950eb84e2b5e59a679877bd128bb9cf7290b47ed76f9495
SHA51210ea6ff3497d13b2f8e4f20e833297603f68f90ff42ac6224933d04aea8fd28365383b414acb513c155e032b642df33cd948ecb321bd337494de62a1b2f523a7
-
C:\Users\Admin\AppData\Local\Temp\MSI6134.tmpFilesize
156KB
MD5a44986470c4513447017ebf68fd2903b
SHA1d5816fd82873fc9b1b35131624daf70fb86c2e72
SHA256b75408cd4961060f0ebc89340d37fb94c42509c17d7540464f6a13e6a94c57c5
SHA5121b28e5f30049d8b50e1d4245b988a995a5901a250f8af3fea21a6b9155c7529ba6720784f7da0f63ad2be33b118c5a8f6c734939d8c49711d20486dd89ea0b84
-
C:\Users\Admin\AppData\Local\Temp\MSI97733.LOGFilesize
19KB
MD5476934d4262444a8bca5c4b4c046b761
SHA168a433be5cae96fefe74d623f32bf902e89edb63
SHA256d27ad2c16ad73fdd6ec5125fd60f3b8ac3c8401ce2e6736c12137d5df76e90da
SHA512d2b616d3d2f2dc1c103ad3a1e8bd0dfbdedf60abb6a4aca16510718a4db734648ac29e643085fef5b83538014b582a256d9ce63d4f5a9d57704fbfcaf15dd720
-
C:\Users\Admin\AppData\Local\Temp\OutPut.jsonFilesize
59B
MD5c5c15e7b1aac854b1e92a4d1c2fb59b6
SHA11c10b459171d26546eafac69d5647e744d6002c8
SHA256c148de684bfb4400bbb5e4239a4e5f28c7b068160de8ad852f7606365ce623a2
SHA51285be142ac152717148fc5819494457c61b9a2c7b30643a3d98415305b79ade5d3ddb65ce7f6a684ad2973fbad72f5e05409344c0d445fb0e542d352305fdb42f
-
C:\Users\Admin\AppData\Local\Temp\XenManager.dllFilesize
2.0MB
MD57a5c53a889c4bf3f773f90b85af5449e
SHA125b2928c310b3068b629e9dca38c7f10f6adc5b6
SHA256baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c
SHA512f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed
-
C:\Users\Admin\AppData\Local\Temp\settings.dbFilesize
20KB
MD556b941f65d270f2bf397be196fcf4406
SHA1244f2e964da92f7ef7f809e5ce0b3191aeab084a
SHA25600c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c
SHA51252ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5a341c176fff642eb2e12265c3c3f2293
SHA160b2da46e99c7af70b74d338423631d2db798458
SHA2566c66c31aa2da0e0f65b287c12614848acfe619822a20ebc24e5f9cad584f394c
SHA5127122c123956907142a5ede4f82962bbcffde3323f6ea68189fa4d6c943e53227b6d2bf6461bf590959ad6d5bca54d8f08ee05a98d5db83b0de25d41772660180
-
C:\Windows\Installer\MSI2BE7.tmpFilesize
68KB
MD54702d4edf75e421b33a1824ce4ae94b6
SHA11839583bcc72719e78b8ae4802d13ff62fc49eac
SHA256204bb250a1589a98225a488f9fa2175cfe0ee8a73a276141e54db6230f0d6425
SHA5127b110c36f09368a864555741c9eef6364c2d7ce3a3e92f359cc97b86b1a4387291d190012dab869bfebaa69ce4f76dd261af7bf3a9d53734089d3ab98c161e44
-
C:\Windows\Installer\MSI2C74.tmpFilesize
74KB
MD5a1ef1809aae0a2176a52d2431d5acddb
SHA11b96ac9f2d800b7b0ee8968b0e42565e946ab32b
SHA25690e4dfec9480e2d778cf0f02a5f3ee93613f839075207463a6522cc1ed200661
SHA51228dba85f85f56441c14427e28fca2586a76c9282d3d89eedfbaf951971acacf1d1413b7ed9dba951d84b0ae281f6b6d90757ef54aa69d1b662bb30699b599c48
-
C:\Windows\Installer\MSI2CC3.tmpFilesize
363KB
MD54a843a97ae51c310b573a02ffd2a0e8e
SHA1063fa914ccb07249123c0d5f4595935487635b20
SHA256727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\tmpF5D4.tmpFilesize
100KB
MD51b942faa8e8b1008a8c3c1004ba57349
SHA1cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA5125aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43
-
memory/1028-220-0x0000000000EA0000-0x0000000000EBA000-memory.dmpFilesize
104KB
-
memory/1680-37-0x00000000012A0000-0x00000000012BA000-memory.dmpFilesize
104KB
-
memory/1844-218-0x0000000000340000-0x000000000035A000-memory.dmpFilesize
104KB
-
memory/2576-407-0x0000000001300000-0x000000000131A000-memory.dmpFilesize
104KB
-
memory/2672-8-0x0000000002770000-0x0000000002778000-memory.dmpFilesize
32KB
-
memory/2672-7-0x000000001B510000-0x000000001B7F2000-memory.dmpFilesize
2.9MB
-
memory/2676-14-0x000000001B6C0000-0x000000001B9A2000-memory.dmpFilesize
2.9MB
-
memory/2676-15-0x0000000002810000-0x0000000002818000-memory.dmpFilesize
32KB
-
memory/3056-39-0x0000000000C40000-0x0000000000C4A000-memory.dmpFilesize
40KB
-
memory/3056-222-0x000000001DFE0000-0x000000001E4B4000-memory.dmpFilesize
4.8MB
-
memory/3056-405-0x000000001A820000-0x000000001A82A000-memory.dmpFilesize
40KB
-
memory/3056-40-0x0000000000FF0000-0x000000000102A000-memory.dmpFilesize
232KB
-
memory/3056-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmpFilesize
4KB
-
memory/3056-221-0x000000001A7E0000-0x000000001A7EE000-memory.dmpFilesize
56KB
-
memory/3056-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmpFilesize
9.9MB
-
memory/3056-45-0x0000000000CE0000-0x0000000000CEC000-memory.dmpFilesize
48KB
-
memory/3056-1-0x0000000001030000-0x000000000104A000-memory.dmpFilesize
104KB
-
memory/3056-438-0x000000001D970000-0x000000001DCC0000-memory.dmpFilesize
3.3MB
-
memory/3056-439-0x000000001A8C0000-0x000000001A8F6000-memory.dmpFilesize
216KB
-
memory/3056-440-0x000000001A8F0000-0x000000001A8FA000-memory.dmpFilesize
40KB
-
memory/3056-444-0x000000001AAA0000-0x000000001AAAA000-memory.dmpFilesize
40KB
-
memory/3056-38-0x0000000000C30000-0x0000000000C3A000-memory.dmpFilesize
40KB
-
memory/3056-32-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmpFilesize
4KB
-
memory/3056-33-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmpFilesize
9.9MB