Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
28-03-2024 21:04
General
-
Target
f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270.exe
-
Size
259KB
-
MD5
eb37bf9e55ec9794c37a1cd473b70272
-
SHA1
58de7f346f3dcb915a1f1a5a73a13fae77233c7c
-
SHA256
f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270
-
SHA512
d37a023d4f6712a0a2aa850d4490cb5e6da56075360e9f6d184adde4645e0afd87ed33e23ae7c9fd51f89948956595724108d466915266adc007c0fa587ffb31
-
SSDEEP
6144:OVCijwGD8jFkyIhFxq261Ew8f998oD+3:/wr8j+FZq2nXz5q
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.0:29587
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 8 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270.exe"C:\Users\Admin\AppData\Local\Temp\f4ddc32a5112ba367c194ff4619caed816b1f5941772a50b81f4ddc59db84270.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A345.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\C8B0.exeC:\Users\Admin\AppData\Local\Temp\C8B0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C8B0.exeC:\Users\Admin\AppData\Local\Temp\C8B0.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6687078c-243e-451b-8fc5-a048ef4cc5e3" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\C8B0.exe"C:\Users\Admin\AppData\Local\Temp\C8B0.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C8B0.exe"C:\Users\Admin\AppData\Local\Temp\C8B0.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 2405⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1652 -ip 16521⤵
-
C:\Users\Admin\AppData\Local\Temp\D2D3.exeC:\Users\Admin\AppData\Local\Temp\D2D3.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 8402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 328 -ip 3281⤵
-
C:\Users\Admin\AppData\Local\Temp\34A.exeC:\Users\Admin\AppData\Local\Temp\34A.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\57D.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\2DB7.exeC:\Users\Admin\AppData\Local\Temp\2DB7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\3CCC.exeC:\Users\Admin\AppData\Local\Temp\3CCC.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3CCC.exe"C:\Users\Admin\AppData\Local\Temp\3CCC.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 3968 -ip 39681⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datFilesize
1022B
MD501e11dc055eef1f9a1f3c644422d3141
SHA1a0b35538f262281a9a6347b27918d889cf205128
SHA25613a1b057046110fb3f24d017430d516b85497bfc265e085b93cf7c853e96f238
SHA51262b97067c331623cfd8e031f7293682547f1b7bf38bc3bba76974640038cc0330514549272e21c6e8da74b81f35d7d7bb66c0624f7a58b25413571ac330f3f1b
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
314B
MD53645f7dedd734fdad881e36a5f02bde0
SHA16c040d446dbc3e6c86c5dde3de18faea5ae4e379
SHA25648191af7a18dd55e0bf498234d397aa298e2a8d07aea33222898f828b06a4fd4
SHA512323c8147840d9581b813579869e605fb3420e7ed364fa0e5169002e1d20afe291dcbc44bf6e954370a6474c474af74b6d291044e6873499e2f08f8c96d80c49b
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
404B
MD5ce14a3aa23a0da5505a2b8a28b9ea9aa
SHA1af6edc16498afdf773f99d9d3fab099cd07e6a1a
SHA25637ed1b1c2456465eacc720cdadbe6e3a49e9a2944f7a8293c1941c4dc5923562
SHA512d9a4e160e47a12f55984e2e2981362f8c1931fb6e4fb33b143b46add1cafb86d756ccca0cc40aacb4c7a28af5230a6489cc1caa16541702e92cbd7e2dd1500d6
-
C:\Users\Admin\AppData\Local\Temp\2DB7.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\34A.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\3CCC.exeFilesize
4.1MB
MD5e2d0a73552562cea0dacc7d85aea31d5
SHA17006c74921473d7eb35cc63d49a6f4d67308c4af
SHA2560e52827a6f648fdba103a5a0423a55b19e70b8f142edd4f4b76ed5be7ccccb1b
SHA512a1a60e68ba0e420e38d19888e129da534150a1b6ef8578b7aaef7ecfd33a484e27f6ef8f12632312ebfb76b5ddf71698bf3c2dc36d44748ac2a837c8da971247
-
C:\Users\Admin\AppData\Local\Temp\A345.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\C8B0.exeFilesize
758KB
MD5601c8193122d6d0b2327d4641128fb0f
SHA11807a55ad3ec3d575e055e7f65c7461165074a6a
SHA256429b58dfe9191bce5a00ced0ba190e2518cd8f48d7358119d61335e504169a57
SHA512d021ee206e441e152ec04329b7967ee1f6d431288060cc28a3c50b0f35bc3220dac37955188e1a7e4ba0b57a55089e6381ff490718dba528bd87eea07276e820
-
C:\Users\Admin\AppData\Local\Temp\D2D3.exeFilesize
392KB
MD589ec2c6bf09ed9a38bd11acb2a41cd1b
SHA1408549982b687ca8dd5efb0e8b704a374bd8909d
SHA256da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d
SHA512c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljlikas5.sfh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD555889e06beb0a06bec2c7e48ab110808
SHA119c8ccc3e11174bd9c29d29e3587ec227426a1e1
SHA256d9a341bf8217f6f5fce66f0145880d11ace8a1d8fff6007142c7245f2141c591
SHA512ffd57eb84629f2ef8f5ad34eacb70389b0d2c1d67011f600f389e565ca0b18b717141a531bc0621dacba2b256dfb0b22ec040faabe7c5c675eded845fe90ca98
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD571c730d3c7014e4553a168d5867e1cc6
SHA1599f25aa6214329f8c406afd8ac14c29cb171553
SHA2565d190358aa6a91155e76daa2b8fbdb57a311709683081ca734d40c24c43302ea
SHA512eab6ff3e87557e300c9e9df6ef95a2d73360f39f723a87a1b49623e1462b61f3a5ff4d72cb8572b6a515ae77c1f16d626ae31fcd17fa642002ec7d319d737cfe
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53b3b1c4059f757070ab17759c28cf827
SHA1d96dfda65a81b33b328e3cf870d2b22626632bb4
SHA256b97ffe0184561bca04f9b6aa426cbadc20971573e46c4ef47ca19a4ed9725bcf
SHA512599fa66b973225aac2f6935978a36d21d63ae2a7c7f16622dc7e741118ed17ac2c23d1c7fd796bcf47606902feabdca329553441efc072fa76f5731271c24b58
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5bf93b2ff5397ffe6715794c4b26b53f3
SHA1893485fd570917c42106f0f0e7ba7a28524fecdd
SHA256a252a9e93ef7ec7259f5bfea1879efe215b717cd5b7e79937bd34ceddf9aa706
SHA512a2f134260be97c000ff98de79af63aeabe703dc84138b60bf6a08ad79ee0990c881da4286252ac8c5bec0b2d2d1a3fbaebd7da69d8d417b0486168d3004d3372
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52931c854e4279f8c9d781ca8a7c8b504
SHA1db79db322ae4387edf15df3a5e3fa8b91d697f13
SHA256806a1ab1a5c9d49e41d7599c37f336d3c1f86a56540b3246eaf793458836ebaf
SHA5127aae2032606855f59bcb0dcb1f346a648e275bfc4196cefefc6a0df79d981d11826f52aed158ee3f8ac301220f2285363c1e0003d5aa55d0633490448a73a860
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/224-476-0x00007FF60C1E0000-0x00007FF60E12C000-memory.dmpFilesize
31.3MB
-
memory/224-404-0x00007FF60C1E0000-0x00007FF60E12C000-memory.dmpFilesize
31.3MB
-
memory/328-76-0x0000000002FA0000-0x0000000004FA0000-memory.dmpFilesize
32.0MB
-
memory/328-70-0x0000000002E50000-0x0000000002E51000-memory.dmpFilesize
4KB
-
memory/328-69-0x0000000005690000-0x00000000056A0000-memory.dmpFilesize
64KB
-
memory/328-68-0x0000000074B90000-0x0000000075341000-memory.dmpFilesize
7.7MB
-
memory/328-67-0x0000000000980000-0x00000000009E4000-memory.dmpFilesize
400KB
-
memory/328-81-0x0000000074B90000-0x0000000075341000-memory.dmpFilesize
7.7MB
-
memory/688-786-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/688-793-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/840-783-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1652-47-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1652-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1652-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1720-120-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-143-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-144-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-145-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-146-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-147-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-148-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-133-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-134-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-135-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-98-0x0000000000260000-0x0000000000F45000-memory.dmpFilesize
12.9MB
-
memory/1720-106-0x00000000013D0000-0x00000000013D1000-memory.dmpFilesize
4KB
-
memory/1720-109-0x0000000000260000-0x0000000000F45000-memory.dmpFilesize
12.9MB
-
memory/1720-107-0x00000000013E0000-0x00000000013E1000-memory.dmpFilesize
4KB
-
memory/1720-110-0x0000000002FF0000-0x0000000002FF1000-memory.dmpFilesize
4KB
-
memory/1720-111-0x0000000003000000-0x0000000003001000-memory.dmpFilesize
4KB
-
memory/1720-108-0x00000000015D0000-0x00000000015D1000-memory.dmpFilesize
4KB
-
memory/1720-112-0x0000000003010000-0x0000000003011000-memory.dmpFilesize
4KB
-
memory/1720-114-0x0000000003020000-0x0000000003021000-memory.dmpFilesize
4KB
-
memory/1720-117-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-116-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-119-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-118-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-115-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-121-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-123-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-140-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-125-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-124-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-122-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-126-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-127-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-128-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-129-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-131-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-132-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-130-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-136-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-137-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-139-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-138-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-142-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1720-141-0x0000000003C40000-0x0000000003D40000-memory.dmpFilesize
1024KB
-
memory/1856-21-0x00000000029F0000-0x0000000002B0B000-memory.dmpFilesize
1.1MB
-
memory/1856-20-0x0000000002770000-0x0000000002807000-memory.dmpFilesize
604KB
-
memory/2560-41-0x0000000002740000-0x00000000027DC000-memory.dmpFilesize
624KB
-
memory/3028-1-0x0000000000CF0000-0x0000000000DF0000-memory.dmpFilesize
1024KB
-
memory/3028-5-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/3028-2-0x0000000000CD0000-0x0000000000CDB000-memory.dmpFilesize
44KB
-
memory/3028-3-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/3272-342-0x0000000002810000-0x0000000002811000-memory.dmpFilesize
4KB
-
memory/3272-4-0x00000000027E0000-0x00000000027F6000-memory.dmpFilesize
88KB
-
memory/3364-647-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/3364-598-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/3680-477-0x0000000000A90000-0x0000000000ADB000-memory.dmpFilesize
300KB
-
memory/3680-473-0x0000000000A90000-0x0000000000ADB000-memory.dmpFilesize
300KB
-
memory/3940-78-0x00000000054C0000-0x00000000054CA000-memory.dmpFilesize
40KB
-
memory/3940-86-0x0000000005770000-0x00000000057BC000-memory.dmpFilesize
304KB
-
memory/3940-77-0x0000000005320000-0x00000000053B2000-memory.dmpFilesize
584KB
-
memory/3940-75-0x00000000058D0000-0x0000000005E76000-memory.dmpFilesize
5.6MB
-
memory/3940-73-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3940-83-0x0000000005660000-0x000000000576A000-memory.dmpFilesize
1.0MB
-
memory/3940-80-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/3940-102-0x0000000074B90000-0x0000000075341000-memory.dmpFilesize
7.7MB
-
memory/3940-82-0x00000000064A0000-0x0000000006AB8000-memory.dmpFilesize
6.1MB
-
memory/3940-85-0x00000000055F0000-0x000000000562C000-memory.dmpFilesize
240KB
-
memory/3940-90-0x0000000007830000-0x0000000007D5C000-memory.dmpFilesize
5.2MB
-
memory/3940-79-0x0000000074B90000-0x0000000075341000-memory.dmpFilesize
7.7MB
-
memory/3940-84-0x0000000005590000-0x00000000055A2000-memory.dmpFilesize
72KB
-
memory/3940-89-0x0000000007130000-0x00000000072F2000-memory.dmpFilesize
1.8MB
-
memory/3940-88-0x0000000006F10000-0x0000000006F60000-memory.dmpFilesize
320KB
-
memory/3940-87-0x0000000005EF0000-0x0000000005F56000-memory.dmpFilesize
408KB
-
memory/4540-784-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4540-774-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4540-787-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4540-791-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4540-794-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4540-797-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4968-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4968-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4968-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4968-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4968-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5048-641-0x000002EDBF4E0000-0x000002EDBF5E0000-memory.dmpFilesize
1024KB
-
memory/5048-629-0x000002EDAE9D0000-0x000002EDAE9F0000-memory.dmpFilesize
128KB