Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
30-06-2024 19:02
General
-
Target
Image Logger Hybrid V4.exe
-
Size
126KB
-
MD5
6d103c685ef0960fab6eca5bf4617583
-
SHA1
ea11a8ba30f54015d71ed646fbd14b8800fc2e3f
-
SHA256
77d041474b58f2142077c3da4fc2d64c29a40eb400410c784e2606647028fa3f
-
SHA512
2429d67cf73056d496ff4cff2b8a72e2bc643201616b969464543580bd027366e13c51fda4161e319af122fa22c088c1ec737e87e8528e09b4e450d84755732d
-
SSDEEP
3072:RMSncRzAOLeCyRuZA3A+bZ5FFOOszPAv:ySncRl3Zebv
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
dllhost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 47 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe"C:\Users\Admin\AppData\Local\Temp\Image Logger Hybrid V4.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\S.EXE"C:\Users\Admin\AppData\Local\Temp\S.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NbJ09X58.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo image.png "4⤵
-
C:\Windows\system32\findstr.exefindstr /c:"".png""4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo adasd "4⤵
-
C:\Windows\system32\findstr.exefindstr /c:""https://discord.com/api/webhooks/""4⤵
-
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TESTEE.EXE'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TESTEE.EXE'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Roaming\dllhost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe"1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
-
C:\Users\Admin\AppData\Roaming\dllhost.exeC:\Users\Admin\AppData\Roaming\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\dllhost.exeC:\Users\Admin\AppData\Roaming\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xd0,0x128,0x7ffb0482ab58,0x7ffb0482ab68,0x7ffb0482ab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5060 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3336 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5020 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5184 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5340 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5484 --field-trial-handle=2056,i,15870730956994564651,10959911019665083398,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f8 0x4901⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3adcd73a-8ac0-46da-8507-17f479cd7f3b.tmpFilesize
16KB
MD571797519a0a3c3678606e66c44ecf308
SHA10a017888014d66640ca0c767ce343eabb6e4e2f7
SHA2566a798d262f85a795cad238b4ae1d16547f31da9f5e7199e2ddba9fe472923c6b
SHA5127d29fc8867ee689ec441aa8e72792539690a5897b4a11e80ff0a7784de3a2b319cc22203bece329fa5b73f51af101130453c1f2d881127d4bb1066be381966a0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD56b02506675421d0e5b8f7d49c7f7b74d
SHA10a2bc9aaeaca39fd96d48b59acd1982577b51d5d
SHA25652c63b5341f7dc60c004a5152364ab9448c99e607bbcb7c9bfd175d6115e58d3
SHA5126ff5f45d2224afcc7cd4810eaa392fc5a6055600c4e7488816cc61092843980efb19840a84f9c5df421712d71d520c50f4ea0fbbf53f6bd05550e21fe1baa1a5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD598a16dc088a288f85438e645929cfedf
SHA11667853f60414b59b62f2aaad7dbfce0ccd26cb3
SHA2567b12bd069723fd57c0ecabbf3ea92b9bd279ea30f14b0933a1fa1c9025b6494a
SHA512cb08a5b216527a0384db0c5d6a167de66e03148f6e06206804457af9595f1e483298c0562def19dbe5d457bc91e45ed6fa06267a42b5a49ae80d5ab30095e1f7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
281KB
MD545afaa1974535b2c267721b3a25ae898
SHA1f469f977dd84fe9b1897bc3aa52881c03ed2b495
SHA2560ae27379cba6c2d933d0cf9fd21c7f47cded965e2d7b9414abad71a73d296d80
SHA512cd904a512f1a10d56a6a0e401ba6589283000e10ba05723daf9c4bc96278320ac2287360583c0762a7cda6d8947538f13e9b6ae9d72f980ffe7208d333b4f5fe
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD554522d22658e4f8f87ecb947b71b8feb
SHA16a6144bdf9c445099f52211b6122a2ecf72b77e9
SHA256af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a
SHA51255f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5b51dc9e5ec3c97f72b4ca9488bbb4462
SHA15c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA5120e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280
-
C:\Users\Admin\AppData\Local\Temp\Log.tmpFilesize
137B
MD5d26d273067541f10b90db1b3c7fe585b
SHA1ebd09cdc76f93e98c164e48c7e71a393de30105c
SHA2562ad19043d41f239c586afbb1a1f8efbb3fa9252079690fc86b963740c48eb217
SHA512dde6a3b1573790a30518a39e26af633ba66bb1164fb77a3a598ebb06130ff6354f7c295d57c9f70665432a464b61f785d1033fd6b3760028b2a53768b2fabdac
-
C:\Users\Admin\AppData\Local\Temp\NbJ09X58.batFilesize
2KB
MD5f588fb26f7bb8500fe4235446e808d1d
SHA10d0029a41f068d8b2ace763b57a1a7cdca6ea86b
SHA25670b6546689c6e17ce3da85e5d52f0b053fdc18579559f3477d3362e2cdaff41e
SHA512fc84adc7447cb36b43aa9c90f395126622044c83321bc2c2c6791f8f4f6099b43137e5668f2eff5c1d9edec0f5af5ae2e7b22d64dc2307404c27291349822a1e
-
C:\Users\Admin\AppData\Local\Temp\S.EXEFilesize
7KB
MD5b8d58060de9ef19140c2801ea6c979bf
SHA1f98094ff9101b483e7a0d2826884a351c734fa9b
SHA25638d7a6d3e1fee555dd526ade1d5efaf18d62bb35dbcea1505f47fd6346b432a8
SHA5123eec6801ce54fc2541374a6f97956186d17e841a35f039fce59d7b0143f31d9fe8efe33e89fd676311b79baf75b5fae04f785d493206b75e424ba8d4e56adc7d
-
C:\Users\Admin\AppData\Local\Temp\TESTEE.EXEFilesize
66KB
MD504b8f12a041a2812f433aaf8f0a897e7
SHA1b0680cf948c750266c565d21a100e8127d8bae40
SHA25694fc19b165838e67bb83583d20b11d5acc7af865aa8a1c73691addd86975ac15
SHA512018e3e534249abaa1d7da77566a3f1742e047a074ee07ae9a6cfcfa32d68f2b1bfb853360928cc9d2b28299d41803f7841aa5b5ef6431310b0b8b3ce0adf608e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5m1m4f0.oth.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\image (2).pngFilesize
3KB
MD5e0c279e5e909df3fb84b28c4d93c6422
SHA1ecadd6cb2f47d02fc095219db825d933ee7405fb
SHA25638f4462d02745f53c45016e3d8869736617c28a998bc24d572cddf9c44c21818
SHA512cd3a801701104e4116e87e9e21161129aceb7bd7369af928473888bd91fc67a8ee39825586db942b1c2cdbcec20e4eb9b5f9ba961305fc7aa929057a0534cd21
-
\??\pipe\crashpad_1884_GBUFKAZRGXKVAVTJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1232-22-0x0000000000A70000-0x0000000000A86000-memory.dmpFilesize
88KB
-
memory/1232-78-0x00007FFB079B0000-0x00007FFB08471000-memory.dmpFilesize
10.8MB
-
memory/1232-88-0x00007FFB079B3000-0x00007FFB079B5000-memory.dmpFilesize
8KB
-
memory/1232-90-0x00007FFB079B0000-0x00007FFB08471000-memory.dmpFilesize
10.8MB
-
memory/1232-21-0x00007FFB079B3000-0x00007FFB079B5000-memory.dmpFilesize
8KB
-
memory/4588-89-0x00007FFB079B0000-0x00007FFB08471000-memory.dmpFilesize
10.8MB
-
memory/4588-24-0x00000000000B0000-0x00000000000B8000-memory.dmpFilesize
32KB
-
memory/4588-28-0x00007FFB079B0000-0x00007FFB08471000-memory.dmpFilesize
10.8MB
-
memory/4604-33-0x000001A641910000-0x000001A641932000-memory.dmpFilesize
136KB
