Analysis
-
max time kernel
145s -
max time network
306s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
29-03-2024 01:45
General
-
Target
261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226.exe
-
Size
227KB
-
MD5
7b09acb6cc6425fade98408ec43bfcd3
-
SHA1
681ec6f05ccc78aa5e519b1fb13cab4455fb2638
-
SHA256
261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226
-
SHA512
74621bef98d9c8ce9e33cf1731c16bbe4d3fda2fca06ed03b09f9b5237e4747f0ac0229f70afa852d8c4d1d3baf5b0411e76f568619a038cef39ae55611c6bc3
-
SSDEEP
3072:/lWhcm24zbcZ87k2gW9YEBkWbnkxvWAhJ7MQUune3UUpS6eC2OiH:/Scm24zbcZ12gXEeWb0/n76EeEaS64
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.0:29587
Extracted
vidar
8.6
5739ef2bbcd39fcd59c5746bfe4238c5
https://steamcommunity.com/profiles/76561199658817715
https://t.me/sa9ok
-
profile_id_v2
5739ef2bbcd39fcd59c5746bfe4238c5
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 16 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 2 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 29 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 23 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226.exe"C:\Users\Admin\AppData\Local\Temp\261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\365D.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\52FE.exeC:\Users\Admin\AppData\Local\Temp\52FE.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\52FE.exeC:\Users\Admin\AppData\Local\Temp\52FE.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\1e502c14-5b6f-44ae-bcb7-c8fa8c2da064" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\52FE.exe"C:\Users\Admin\AppData\Local\Temp\52FE.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\52FE.exe"C:\Users\Admin\AppData\Local\Temp\52FE.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ec22730e-7db2-4d32-af14-dbaedfdde3b9\build2.exe"C:\Users\Admin\AppData\Local\ec22730e-7db2-4d32-af14-dbaedfdde3b9\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ec22730e-7db2-4d32-af14-dbaedfdde3b9\build2.exe"C:\Users\Admin\AppData\Local\ec22730e-7db2-4d32-af14-dbaedfdde3b9\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 20287⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\5DCD.exeC:\Users\Admin\AppData\Local\Temp\5DCD.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 8042⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\F8E5.exeC:\Users\Admin\AppData\Local\Temp\F8E5.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FB86.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\9AD4.exeC:\Users\Admin\AppData\Local\Temp\9AD4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\AF09.exeC:\Users\Admin\AppData\Local\Temp\AF09.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AF09.exe"C:\Users\Admin\AppData\Local\Temp\AF09.exe"2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Users\Admin\AppData\Roaming\vjuefudC:\Users\Admin\AppData\Roaming\vjuefud1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
2Disable or Modify System Firewall
1Modify Registry
5File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD52a789d6b366b95c47c2e68c27f863f81
SHA11b123bd94179f5b8746bc960691ddb9546855e05
SHA256ba4990d90cdd27ce932e39c10e178659436aeb5a290faa47f4825da9eca6bc94
SHA512027180aabc65ae3ca35f83161b11d289d87af854656483ac2cf703d94f695c4d5bce0fce1901278ab4cbfc985c9b9aa1f455c889913834c4b1734a365c7f8e3b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5e5461aebff93d76045c86cd59b1c6f30
SHA10dec63aa66dc9018320cbf4a9d557b70c76c020b
SHA2567f3ad455f10d8b6cba7f89cd36557df888feabff370ee8960bf1ce97ecda48e9
SHA51271b3277495fe0bbb5cd19720eea5b88ac360019732069f594e9d97cd1782b3b0b9b6038f696a7e96bbac3887eec5a0d452e996d74501749292213a382746d8bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD5ab5e87e078d209c484610d3526d0efd6
SHA139de2f4a2c270f89f6bba605bc53451d38c9bccd
SHA256897d1adcbf675e59a21441a02c43ea5fd32a93b63da64f0c83c61ef1b1605a66
SHA5126e3d45bd42a0df19aae41332a56b2f9fb26c01e6749dcbefa00dd63414ebc98380860394ec1805d4ce4610a5ef33f8d004bf4d2a6362d3843105f7c9aa62d9d7
-
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datFilesize
985B
MD5a8979a843da747bd96201a507ce9b5ab
SHA1de2a3911c6049aa7377b0bfd37aa1bf0ad672d8e
SHA2562827ce22797773d2004f709dc7599c2c5fead30e31b3ffc5afc20fbb0a5b04c7
SHA512e899b644f32feeca0a09fa5ae47751c38bc49cf95870ade1594907ac995325b943c9baba09ef920971429d8de4108133a5cc55f6c0667ec7ef29b02c204ae302
-
C:\Users\Admin\AppData\Local\Temp\365D.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\52FE.exeFilesize
759KB
MD58fc47a2e0522045212012582f2a93237
SHA11d32e4ca7f3dba186a6b51c8b6b3d35fc33d76a4
SHA2563446214e3bc72a5c67cdc3caed85f1611133fe4dad33fc398ab6d4402d3aa20c
SHA512c6c35796ab378aff8437da960675d45c189eb09546cdfc8a5701be7275004b2d13fd38f695f92f17a783697236c054a7e64da9ea771e233dbcb1c6abb0cd52ef
-
C:\Users\Admin\AppData\Local\Temp\5DCD.exeFilesize
392KB
MD589ec2c6bf09ed9a38bd11acb2a41cd1b
SHA1408549982b687ca8dd5efb0e8b704a374bd8909d
SHA256da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d
SHA512c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a
-
C:\Users\Admin\AppData\Local\Temp\9AD4.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\AF09.exeFilesize
4.1MB
MD5e445c438749eab1cc57d98407a83875a
SHA14b67b8f084aaf3a7a89534b32beab4e5faef674d
SHA256f5cb5ace2b7d35f46c14eb827cf041dba371d5b9b9c8c7ef8ca4af01faebab37
SHA5121e338586df2dcf4a77f9605860e18c5feb6f0cdabf7165877a53996af944aac361a4ca1faa2cce791a0d1336458965888d05af495bb6e2faac6031ed3cd160d4
-
C:\Users\Admin\AppData\Local\Temp\F8E5.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyz14itg.oaf.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\ec22730e-7db2-4d32-af14-dbaedfdde3b9\build2.exeFilesize
277KB
MD58dae8b6a6be6e3527183594d1c26a2d3
SHA1b87e40cee60869a36e79c88c8a3a34baf0bc4889
SHA256afce72cd3bc717c784962083066e3ede2b0aaadbe0908ec7360096c923774fa5
SHA5120bf065700db647efba39a13a58242a595907e6c11885575cf0bdad9e23ab40583c8a6535464e46d75d075e20d88b7a6305a761df9da787fdc8728483dd48f96e
-
C:\Users\Admin\AppData\Roaming\vjuefudFilesize
227KB
MD57b09acb6cc6425fade98408ec43bfcd3
SHA1681ec6f05ccc78aa5e519b1fb13cab4455fb2638
SHA256261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226
SHA51274621bef98d9c8ce9e33cf1731c16bbe4d3fda2fca06ed03b09f9b5237e4747f0ac0229f70afa852d8c4d1d3baf5b0411e76f568619a038cef39ae55611c6bc3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5303b10da53b4a23043386f077f93083a
SHA1f6d74de533dd36e47e2e967a2d37c9bfe4ec8750
SHA256effcccfa47a40ad78ac491312fbb3aac10f5d2de08fc84955332e8c545bf445b
SHA512204fa46a77086872f1d44e683ad58256e5a447111b8ca72fe80d9ff881d2cd7ff4a1e42ff1aff1bd2a2ba5e84174bc3bdefcd08856575bd491f597aa28cb281a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5443f5ee7f79b4134203568499abcae5a
SHA171db3046c7c6a03d16748913d4279037c14aa5d4
SHA256be5308f24dba52b18b87adb5c9cb5eaba285d5450b2e3197fd846b132625a120
SHA512babf0f5c403a36aca245803eb61fe8490c69e0b727fa4be95d207c1c7865b74805a3734a0ed035f1c8a480653d0dc3c9078991f0ad187d7cde26fce7342bacac
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5978ef34c6f32d203f1296fe8e411b236
SHA1a5bffd4f8b47d4f7940ecbc2d9811c5a0b00c2d2
SHA25629759eba4b6dfd5b9397dc94b1a6cdf70015c6d9262869359bd8ec7d581c6a41
SHA512e26999f840a4ae693ec406a0fa82da254082148023255ad93e159fe24859885bcc2781654a39a8da3113c0031070c4ff89fb86cddd20eca7b90019cd60f89136
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5e577346dda37545b36eec315035946a7
SHA14f49dbfd68b335d71c6128948a113eaaa296d0a5
SHA256e25b218ed45d1781adb652ebcf7b4b171ed1aea1295c0368eaa0648190903edc
SHA512706dbac15b9bb0967ddf8d0876aa9ff302c0e4e5d5802c3e11e1a1604b8053da35f94646632b401edea8de55cd3011e3c6218bc8f189f5dbfd0a5b75e5631f58
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD56394c0f04539fd762fff4d9347a0625b
SHA1d8a7fc15797598b16e134818d77f3ce991691a9a
SHA2566cedebc946b4e01805d0f3414aed9dcb3db111412c4ed5b71bb31244039259ca
SHA512782c217719444ab24f3ed4697eab0e82f2cf583f19d7fa5b4a0703efc13995f9a3d56e83db8e4ffce4e086ac8de2b89ac3a5d1ebfd40d0698cb298c52ead07ef
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1704-93-0x00000000007C0000-0x00000000007F1000-memory.dmpFilesize
196KB
-
memory/1704-92-0x0000000000830000-0x0000000000930000-memory.dmpFilesize
1024KB
-
memory/2448-60-0x0000000004F20000-0x0000000004F30000-memory.dmpFilesize
64KB
-
memory/2448-68-0x00000000029B0000-0x00000000049B0000-memory.dmpFilesize
32.0MB
-
memory/2448-59-0x00000000729C0000-0x00000000730AE000-memory.dmpFilesize
6.9MB
-
memory/2448-112-0x0000000004F20000-0x0000000004F30000-memory.dmpFilesize
64KB
-
memory/2448-61-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/2448-111-0x00000000729C0000-0x00000000730AE000-memory.dmpFilesize
6.9MB
-
memory/2448-113-0x00000000029B0000-0x00000000049B0000-memory.dmpFilesize
32.0MB
-
memory/2448-58-0x0000000000610000-0x0000000000674000-memory.dmpFilesize
400KB
-
memory/2552-91-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/2552-110-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/2552-96-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/2552-97-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/2892-4-0x0000000001190000-0x00000000011A6000-memory.dmpFilesize
88KB
-
memory/2892-221-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2972-77-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-118-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-73-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-98-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-76-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-55-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-56-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-46-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2972-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3228-332-0x00007FF7B4590000-0x00007FF7B64DC000-memory.dmpFilesize
31.3MB
-
memory/3436-166-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-161-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-173-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-154-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-156-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-172-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-171-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-170-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-169-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-168-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-167-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-165-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-130-0x0000000000F20000-0x0000000001C05000-memory.dmpFilesize
12.9MB
-
memory/3436-135-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/3436-136-0x0000000000A80000-0x0000000000A81000-memory.dmpFilesize
4KB
-
memory/3436-138-0x0000000000E90000-0x0000000000E91000-memory.dmpFilesize
4KB
-
memory/3436-141-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/3436-140-0x0000000000F20000-0x0000000001C05000-memory.dmpFilesize
12.9MB
-
memory/3436-139-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/3436-137-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/3436-142-0x0000000000F20000-0x0000000001C05000-memory.dmpFilesize
12.9MB
-
memory/3436-143-0x0000000000F20000-0x0000000001C05000-memory.dmpFilesize
12.9MB
-
memory/3436-147-0x0000000000EC0000-0x0000000000F00000-memory.dmpFilesize
256KB
-
memory/3436-146-0x0000000000EC0000-0x0000000000F00000-memory.dmpFilesize
256KB
-
memory/3436-145-0x0000000000EC0000-0x0000000000F00000-memory.dmpFilesize
256KB
-
memory/3436-144-0x0000000000EC0000-0x0000000000F00000-memory.dmpFilesize
256KB
-
memory/3436-148-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-150-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-151-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-152-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-153-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-155-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-157-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-158-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-160-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-164-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-159-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-162-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3436-163-0x0000000003F60000-0x0000000004060000-memory.dmpFilesize
1024KB
-
memory/3584-1-0x00000000007A0000-0x00000000008A0000-memory.dmpFilesize
1024KB
-
memory/3584-5-0x0000000000400000-0x000000000053D000-memory.dmpFilesize
1.2MB
-
memory/3584-3-0x0000000000400000-0x000000000053D000-memory.dmpFilesize
1.2MB
-
memory/3584-2-0x00000000005A0000-0x00000000005AB000-memory.dmpFilesize
44KB
-
memory/3616-581-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/3616-577-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/3824-285-0x000001BCE7EE0000-0x000001BCE7F00000-memory.dmpFilesize
128KB
-
memory/3824-280-0x000001BCE7D40000-0x000001BCE7D60000-memory.dmpFilesize
128KB
-
memory/4132-108-0x0000000007750000-0x0000000007912000-memory.dmpFilesize
1.8MB
-
memory/4132-64-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4132-83-0x00000000051A0000-0x00000000051B2000-memory.dmpFilesize
72KB
-
memory/4132-106-0x0000000006840000-0x0000000006890000-memory.dmpFilesize
320KB
-
memory/4132-69-0x0000000004F50000-0x0000000004F5A000-memory.dmpFilesize
40KB
-
memory/4132-67-0x0000000004F70000-0x0000000005002000-memory.dmpFilesize
584KB
-
memory/4132-66-0x00000000053D0000-0x00000000058CE000-memory.dmpFilesize
5.0MB
-
memory/4132-109-0x0000000007E50000-0x000000000837C000-memory.dmpFilesize
5.2MB
-
memory/4132-89-0x0000000005240000-0x000000000528B000-memory.dmpFilesize
300KB
-
memory/4132-88-0x0000000005200000-0x000000000523E000-memory.dmpFilesize
248KB
-
memory/4132-82-0x0000000005290000-0x000000000539A000-memory.dmpFilesize
1.0MB
-
memory/4132-115-0x00000000729C0000-0x00000000730AE000-memory.dmpFilesize
6.9MB
-
memory/4132-81-0x0000000005EE0000-0x00000000064E6000-memory.dmpFilesize
6.0MB
-
memory/4132-105-0x0000000005B00000-0x0000000005B66000-memory.dmpFilesize
408KB
-
memory/4132-74-0x00000000729C0000-0x00000000730AE000-memory.dmpFilesize
6.9MB
-
memory/4244-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4244-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4244-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4244-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4244-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4344-21-0x0000000002950000-0x0000000002A6B000-memory.dmpFilesize
1.1MB
-
memory/4344-20-0x00000000027B0000-0x000000000284B000-memory.dmpFilesize
620KB
-
memory/4412-41-0x0000000002610000-0x00000000026AD000-memory.dmpFilesize
628KB
-
memory/4664-258-0x00000000028B0000-0x00000000028B1000-memory.dmpFilesize
4KB