Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
28-03-2024 20:43
General
-
Target
471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe
-
Size
260KB
-
MD5
8fdbb8914b3d1d601c0557478886a731
-
SHA1
8fe3855f2448d0a11cb8191ac7b6c496be3aadec
-
SHA256
471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8
-
SHA512
ee890542b4d67d35b71fcacb0c8fbd578fc7fcad3e852cf55281d72efed573c13e76c603e05a14a44f2a2e3b3ec1d87fc14cf0e507279cab472e14252acd4da7
-
SSDEEP
3072:sFIby+X2CcC3GnpFoTOz6++aekasG+hXexfgoCOPHAxWwAac5kEzF2cuUyX1A6Z:sm+q2CD30WTOPwktGvgYwAaH8F2N
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.0:29587
Extracted
vidar
8.6
5739ef2bbcd39fcd59c5746bfe4238c5
https://steamcommunity.com/profiles/76561199658817715
https://t.me/sa9ok
-
profile_id_v2
5739ef2bbcd39fcd59c5746bfe4238c5
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Signatures
-
DcRat 6 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 16 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 19 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 57 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe"C:\Users\Admin\AppData\Local\Temp\471339a0525809eab74b55fed407ac64697dbcfdaf52b21b56cc4a47125e76a8.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9078.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\9E44.exeC:\Users\Admin\AppData\Local\Temp\9E44.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9E44.exeC:\Users\Admin\AppData\Local\Temp\9E44.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f2a4b65d-c904-4cf8-a746-a3b8e71f7ee4" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\9E44.exe"C:\Users\Admin\AppData\Local\Temp\9E44.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9E44.exe"C:\Users\Admin\AppData\Local\Temp\9E44.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build2.exe"C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build2.exe"C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 20927⤵
- Program crash
-
C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build3.exe"C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build3.exe"C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build3.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\A858.exeC:\Users\Admin\AppData\Local\Temp\A858.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 7842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 748 -ip 7481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4544 -ip 45441⤵
-
C:\Users\Admin\AppData\Local\Temp\D37F.exeC:\Users\Admin\AppData\Local\Temp\D37F.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D584.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\966.exeC:\Users\Admin\AppData\Local\Temp\966.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\1994.exeC:\Users\Admin\AppData\Local\Temp\1994.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1994.exe"C:\Users\Admin\AppData\Local\Temp\1994.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- DcRat
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5913d4ffe7b4dcc57225d84d352e06abc
SHA19531a176c280a1b9d544dc7ebf7b1e4107fedc63
SHA25675fd1a3412a91ff68ebb9d40936c1db5e6fa812e90e1ce89891ee9817e346126
SHA5123ad3fb9414eb63610cc61f0b352c0c075ad1067e44fbbe512eb8385160663ff818e2091abc0486f674f75d7052a1f446bf6cf908ecf77f5183f548723139d320
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD547c9715a4f929d911cd2f930b6fc789b
SHA1a8dad8beb6073fbf26d189c31feedfe724bb8a1f
SHA256d6798e9c3a07b66340fe1190fc2afeb406c7d9113d45c4774261deedeb7d483c
SHA512ff75cdd9fce2a959168e8948e8996cac7254caaf0f23ec2f9c2334ba7e756c1269c6602241bda14b2b9818d6b731b2cb7ed5628e44a7adfd8e9dd1b3ece40de6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD5ec7206ac95f96111c32f17d099201041
SHA156053a24e690c04b690972c697a0c4f6febebc42
SHA2561ad4522f1c19d98b0171aa4071759ea82e1266e2578aea01351f3e3ac0bb3f42
SHA51253816b35fca8f120cc67a0b9b07040e1dc6d05d1bdf7ce0f15231badd7b32172237a26af2e60a91b286f48b3938ce22d28e56b7cd626381894193da061376e9b
-
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datFilesize
1022B
MD5f8f9edf1081ea378f7fcdccf407cd631
SHA1df82f894dc01ec156cb1e3a80b9630b1c2442014
SHA25621210b42b1115cc408383434d5898d8f27aece11819e88b4d43ce232be3568fa
SHA512065cbce0688d3c7226021cbe85cf67af4ee4451415c836e43a54ed8927c51fd4194219268a6738cc5edd32d2292a7ccb8addc1fff6751e489a336c973882176b
-
C:\Users\Admin\AppData\Local\Temp\1994.exeFilesize
4.1MB
MD55d1e9321deb7332be15cae2971fc26c0
SHA1cd84786a761e375c257fc7165ae360b0c00a232b
SHA256750d94a7cfe19ef443791b99f172a68c077f79f7c37c03e4a1ac3f0090ea901a
SHA512a4cd617d0bbaf75d7ee143fa5a4ea8ea15a46856bfb2b6c27b7853a130b639d3493f2c6df5dc9611edaeb7fe05cb56b21b66de7ebfe945eac7d815b1b59f74d1
-
C:\Users\Admin\AppData\Local\Temp\9078.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\966.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\9E44.exeFilesize
758KB
MD56ad966859e42d5dc1f1741a1342661b5
SHA1acbb017fd42cf3ee91b2d6bb4839b8ff5c8edc86
SHA256c7b11ca29d31194bcb76dfdce3e0a58bfa674285fe55e3ca1409bd191ad8af9d
SHA512e41c255be14540c9135ee98719937d3a64bffc794ca9261fadaf876925619a89f26f4ab3671f03b5b49278db032b4cf9b28fafcdb49e6bd1679670894724857a
-
C:\Users\Admin\AppData\Local\Temp\A858.exeFilesize
392KB
MD589ec2c6bf09ed9a38bd11acb2a41cd1b
SHA1408549982b687ca8dd5efb0e8b704a374bd8909d
SHA256da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d
SHA512c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a
-
C:\Users\Admin\AppData\Local\Temp\D37F.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5cikfg3.orc.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build2.exeFilesize
277KB
MD58dae8b6a6be6e3527183594d1c26a2d3
SHA1b87e40cee60869a36e79c88c8a3a34baf0bc4889
SHA256afce72cd3bc717c784962083066e3ede2b0aaadbe0908ec7360096c923774fa5
SHA5120bf065700db647efba39a13a58242a595907e6c11885575cf0bdad9e23ab40583c8a6535464e46d75d075e20d88b7a6305a761df9da787fdc8728483dd48f96e
-
C:\Users\Admin\AppData\Local\a08545bf-360f-478e-bd53-780b9dc16b19\build3.exeFilesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e74252f2e93d62c94c0439b9e98cb638
SHA160811a0d0840bd8265f236562cf0aa9c7c188293
SHA256e9fee81b3789f8bd3da90551f9e3e4ef31ca4ae9faa2e8ee613c53f3ca78fbaa
SHA512c176d33a4013881872a61e28c4bf1e2cdf3935eed404e12660ce33e0a56468aa41e976aca896db426fbf44fae50877b39ff61eb066f30fdaf3663a6ff87a4fa9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5873d4d82cdc8995a97922d686f2d407b
SHA1bfdbf992dd9e2b93217da0b1ec0d2205fffe655b
SHA25603f979fa6148f22ac51bde4c062105c9871ec7dd907c4920ce28b70163fdb283
SHA512b9334b4c2838e04205254b3832e6e7206c3b4094c5447375ffff6fd9127fd3b93f73c674ed656a50c1a31d8887930f1dd1abc5cec4cb1a5cb537bc5330fa348f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD544a1770fe484767a99716d3c4c60ab33
SHA13c81b490d6efc141188eab52ec5277320e04cd17
SHA256e98935534e3fceb2d49758a4e52865ff105ef135898ee09e4b277dfd10b17e5d
SHA5125fdaadca41a2a9fb00409ec9a52dd7a50d9b1f661907af3525273d8f4bcf88936d056fb98540ec81a11c4f6a90bb8a95714964dbc19856ec146f227c84dc0113
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD55916e4df472d46d6094a23de6652bb25
SHA1c13b29a9dead45ec9530d05fddcf9434a3932e61
SHA256dd470d087bf38c4bdf05964d83d7242468f1b256fda910bd9b28675ed5c77816
SHA512995580453df995eb9de587296624a9fed8784f56cb6f5978fd9b3be95bf969bf2e3d808f12a66161967cb20a2a2275b889a99bffa77481d686cb1411fec95962
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD578eb50830ac1a463db6a0da1cb2f4bc7
SHA151778c6c2e0ebe06e453392c223bc99fab072ebe
SHA256abe66a20e39c4abdf68299663761ab78d4c2c0b4527e83666739dedfdccb7c16
SHA512fb102a612250dcd185a69ddb5fba95b826bd0fe6d5513026c682ddd6dea0646fe9e6a19401b54d3fd0c185b50c29d1d1c8757ba03d39cd0b8f33ecc66b0bfb65
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/748-73-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/748-114-0x0000000073770000-0x0000000073F21000-memory.dmpFilesize
7.7MB
-
memory/748-84-0x0000000002840000-0x0000000004840000-memory.dmpFilesize
32.0MB
-
memory/748-70-0x0000000000300000-0x0000000000364000-memory.dmpFilesize
400KB
-
memory/748-71-0x0000000073770000-0x0000000073F21000-memory.dmpFilesize
7.7MB
-
memory/748-72-0x0000000004E50000-0x0000000004E60000-memory.dmpFilesize
64KB
-
memory/976-140-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/976-143-0x0000000000410000-0x0000000000413000-memory.dmpFilesize
12KB
-
memory/976-142-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/976-137-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/1484-107-0x0000000000650000-0x0000000000750000-memory.dmpFilesize
1024KB
-
memory/1484-108-0x0000000002160000-0x0000000002191000-memory.dmpFilesize
196KB
-
memory/1924-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-87-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-86-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-190-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-83-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-52-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-51-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-46-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1924-128-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2348-135-0x0000000000B00000-0x0000000000C00000-memory.dmpFilesize
1024KB
-
memory/2348-136-0x0000000000A60000-0x0000000000A64000-memory.dmpFilesize
16KB
-
memory/2372-341-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/2812-709-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/2812-690-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/2816-450-0x00007FF669A80000-0x00007FF66B9CC000-memory.dmpFilesize
31.3MB
-
memory/2816-344-0x00007FF669A80000-0x00007FF66B9CC000-memory.dmpFilesize
31.3MB
-
memory/3188-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3188-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3188-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3188-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3188-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3196-4-0x0000000002D70000-0x0000000002D86000-memory.dmpFilesize
88KB
-
memory/3196-295-0x0000000002DA0000-0x0000000002DA1000-memory.dmpFilesize
4KB
-
memory/3204-5-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/3204-3-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/3204-2-0x0000000000E90000-0x0000000000E9B000-memory.dmpFilesize
44KB
-
memory/3204-1-0x0000000000EA0000-0x0000000000FA0000-memory.dmpFilesize
1024KB
-
memory/3352-146-0x0000000006950000-0x00000000069A0000-memory.dmpFilesize
320KB
-
memory/3352-98-0x0000000005FA0000-0x00000000065B8000-memory.dmpFilesize
6.1MB
-
memory/3352-196-0x0000000007900000-0x0000000007AC2000-memory.dmpFilesize
1.8MB
-
memory/3352-198-0x0000000008000000-0x000000000852C000-memory.dmpFilesize
5.2MB
-
memory/3352-105-0x0000000005320000-0x000000000536C000-memory.dmpFilesize
304KB
-
memory/3352-104-0x00000000051A0000-0x00000000051DC000-memory.dmpFilesize
240KB
-
memory/3352-76-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3352-78-0x00000000053D0000-0x0000000005976000-memory.dmpFilesize
5.6MB
-
memory/3352-79-0x0000000004F00000-0x0000000004F92000-memory.dmpFilesize
584KB
-
memory/3352-89-0x00000000050B0000-0x00000000050C0000-memory.dmpFilesize
64KB
-
memory/3352-169-0x00000000050B0000-0x00000000050C0000-memory.dmpFilesize
64KB
-
memory/3352-88-0x0000000004ED0000-0x0000000004EDA000-memory.dmpFilesize
40KB
-
memory/3352-93-0x0000000073770000-0x0000000073F21000-memory.dmpFilesize
7.7MB
-
memory/3352-145-0x0000000005A50000-0x0000000005AB6000-memory.dmpFilesize
408KB
-
memory/3352-102-0x0000000005210000-0x000000000531A000-memory.dmpFilesize
1.0MB
-
memory/3352-174-0x0000000073770000-0x0000000073F21000-memory.dmpFilesize
7.7MB
-
memory/3352-103-0x0000000005140000-0x0000000005152000-memory.dmpFilesize
72KB
-
memory/3708-41-0x0000000002760000-0x00000000027FF000-memory.dmpFilesize
636KB
-
memory/3956-21-0x0000000002940000-0x0000000002A5B000-memory.dmpFilesize
1.1MB
-
memory/3956-20-0x0000000002730000-0x00000000027CB000-memory.dmpFilesize
620KB
-
memory/4372-714-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4544-109-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/4544-112-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/4544-113-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/4544-132-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/4604-177-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-178-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-185-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-188-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-187-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-184-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-191-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-189-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-194-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-192-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-193-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-195-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-197-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-183-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-182-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-199-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-200-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-181-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-180-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-186-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-179-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-175-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-176-0x0000000003F10000-0x0000000004010000-memory.dmpFilesize
1024KB
-
memory/4604-156-0x0000000000E00000-0x0000000001AE5000-memory.dmpFilesize
12.9MB
-
memory/4604-173-0x00000000032B0000-0x00000000032F0000-memory.dmpFilesize
256KB
-
memory/4604-172-0x00000000032B0000-0x00000000032F0000-memory.dmpFilesize
256KB
-
memory/4604-171-0x00000000032B0000-0x00000000032F0000-memory.dmpFilesize
256KB
-
memory/4604-161-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/4604-162-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/4604-170-0x00000000032B0000-0x00000000032F0000-memory.dmpFilesize
256KB
-
memory/4604-165-0x0000000000CE0000-0x0000000000CE1000-memory.dmpFilesize
4KB
-
memory/4604-168-0x0000000000E00000-0x0000000001AE5000-memory.dmpFilesize
12.9MB
-
memory/4604-167-0x00000000032A0000-0x00000000032A1000-memory.dmpFilesize
4KB
-
memory/4604-166-0x0000000003290000-0x0000000003291000-memory.dmpFilesize
4KB
-
memory/4604-164-0x0000000000E00000-0x0000000001AE5000-memory.dmpFilesize
12.9MB
-
memory/4604-163-0x0000000000CD0000-0x0000000000CD1000-memory.dmpFilesize
4KB
-
memory/4772-506-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4904-451-0x0000000001210000-0x000000000125B000-memory.dmpFilesize
300KB
-
memory/4904-448-0x0000000001210000-0x000000000125B000-memory.dmpFilesize
300KB