Analysis
-
max time kernel
86s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 02:56
General
-
Target
e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe
-
Size
259KB
-
MD5
b05a74505fa03339578dff002ba57c69
-
SHA1
b9851e84dbd2c8b2ecccb30452ddccb0496ef974
-
SHA256
e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e
-
SHA512
616337efd4b6a84f0590226b52d8c7398723afe43bb1fc879089a7474b7fd8949e16353bb4ff713da4295dbc4885d5eb34d9483d7441b726592371bb8f285dd3
-
SSDEEP
3072:NCEgl6HLc0iImEkhg569+wjkabBB2n2qr4j54wCxe9yFfqdwiB9ez/WnQEbK3Zk:NsUrc06Fue/kZr4j5vwbb0WWnQEbe
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.0:29587
Extracted
vidar
8.6
5739ef2bbcd39fcd59c5746bfe4238c5
https://steamcommunity.com/profiles/76561199658817715
https://t.me/sa9ok
-
profile_id_v2
5739ef2bbcd39fcd59c5746bfe4238c5
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Extracted
lumma
https://resergvearyinitiani.shop/api
https://affordcharmcropwo.shop/api
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 18 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 2 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 6 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 4 IoCs
-
Detects executables Discord URL observed in first stage droppers 2 IoCs
-
Detects executables containing URLs to raw contents of a Github gist 6 IoCs
-
Detects executables containing artifacts associated with disabling Widnows Defender 2 IoCs
-
Detects executables referencing many varying, potentially fake Windows User-Agents 2 IoCs
-
UPX dump on OEP (original entry point) 1 IoCs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe"C:\Users\Admin\AppData\Local\Temp\e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9049.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\9D99.exeC:\Users\Admin\AppData\Local\Temp\9D99.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9D99.exeC:\Users\Admin\AppData\Local\Temp\9D99.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\035e78d8-2d9c-498f-bd88-b2b123e078ef" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\9D99.exe"C:\Users\Admin\AppData\Local\Temp\9D99.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9D99.exe"C:\Users\Admin\AppData\Local\Temp\9D99.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\aa744570-9aeb-4678-8d93-4549a00eb816\build2.exe"C:\Users\Admin\AppData\Local\aa744570-9aeb-4678-8d93-4549a00eb816\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\aa744570-9aeb-4678-8d93-4549a00eb816\build2.exe"C:\Users\Admin\AppData\Local\aa744570-9aeb-4678-8d93-4549a00eb816\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 20647⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\AA4C.exeC:\Users\Admin\AppData\Local\Temp\AA4C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 8362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3736 -ip 37361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1268 -ip 12681⤵
-
C:\Users\Admin\AppData\Local\Temp\D506.exeC:\Users\Admin\AppData\Local\Temp\D506.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D94D.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\56F.exeC:\Users\Admin\AppData\Local\Temp\56F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\135A.exeC:\Users\Admin\AppData\Local\Temp\135A.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\135A.exe"C:\Users\Admin\AppData\Local\Temp\135A.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1500 -s 35722⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD52a789d6b366b95c47c2e68c27f863f81
SHA11b123bd94179f5b8746bc960691ddb9546855e05
SHA256ba4990d90cdd27ce932e39c10e178659436aeb5a290faa47f4825da9eca6bc94
SHA512027180aabc65ae3ca35f83161b11d289d87af854656483ac2cf703d94f695c4d5bce0fce1901278ab4cbfc985c9b9aa1f455c889913834c4b1734a365c7f8e3b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD54305f3b83ea7e48583ca9863f6a51c75
SHA183587d71d6baeca1bc553f67a84c399789c91cb5
SHA2562251e0ab16b12b3590efe8b9793dc002345123f8a9dd98c4c31c957995b99273
SHA51294c77f16fa66618ed073af0157d191efd39b9ef78ff7113a224117c8156594b36076b40ab7aafb8ec534dd82a069339486b693c8d672e431e2330be4a4c4eea5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5575b969011d8f91970278924c3743895
SHA1da7c4b5e380f3b0e3ef568d42f0d076fc87b1852
SHA256aaab513c7912a63667011f6045db02a762e35db84b8fc262f7a026ff50f0f8d6
SHA512f203a4c0865752703e38d854ace992449d062e3ec65a6b3af5dda4eee253a7785dc441800fa65172b8b8a7e5dc5ded5e5f65ec056fb804ebed6e99bee0f1b2c5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5feb1889f3276db5b76ae78fb005deef6
SHA1a2eba183d70421524c811e4006fc2733cb51fea0
SHA2563b63cb544427ca38135568c1c8ddf4d490b65de0338bedf37dc872091b33977b
SHA5123bf2cfce86b4f63f64aac8c223a1400673307034de0169d7dd949184c0340382b15392cf324e78ff5f313d9796864c44071e1d061c76aaaa8165416ef0e4d22f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD5fa67213a3d650c30a88fba4e10ad754b
SHA1e63c52fef18101618bea214de5268d9468b3c795
SHA2560adcbf2848b61004fde1db5bd5713fcec6642517f25a7db8ff0c19f4036b0665
SHA5120e77bfec0682d8ecc332eeb41c43015e6eb3645d73a7411e51c9f3504aad7430f269fe2a8312ed37eb6766bbef77bb10d3cae0e2eb48b8f59f3370fe362a1819
-
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datFilesize
1022B
MD529a68b111b09263c1be555310b6b9b31
SHA15ca3933082bb405b20abdf7c1f4fa3382bcbbcbf
SHA256854058f31e23e7edb25502f4781f21b7907b73ed963ea3c36153106727cffdb9
SHA512d8768d40ec6ec2adee6ea81b588dfd30abb08392e31cbdcc028ed61b231c94ce08201aacf578bef4bba852f2f94d1242c24f21241fdfc449a0dff6b261a0ddac
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD5dce35e3a41ba54a72d987d7374129ecf
SHA15e159da21efdeccb3c6457b9c7bd7a7263daee57
SHA2560f0f2f71a68976863f5171c639d75a195fe255e6debb652826e4efa11fe631eb
SHA512c934589c5f361c410374246ac5c9f9af43012597f65d8ee5c7c85bc79b2a3faab92eed5adaf02d4424d5365579218ecae1742f65e42552668992f78d50a73060
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\39XIXV5T\microsoft.windows[1].xmlFilesize
96B
MD529e3c94dfa03b794f03e17d8b45295d9
SHA11a598a72d3d486f77e861f98abcd2f4a8e936365
SHA2567ff0263086f28cc1d842d07a23128b955780d3c8b85b130228c7f65ce2b4262a
SHA512e2180d73f45da32ac4fb355546103496d73cdf7cb966c60f6a414bc7052e46431177e9009bdfd730d2fe6955b986392720fe3bdc8afbc0388f1b70e438a4ef9c
-
C:\Users\Admin\AppData\Local\Temp\135A.exeFilesize
4.1MB
MD5e445c438749eab1cc57d98407a83875a
SHA14b67b8f084aaf3a7a89534b32beab4e5faef674d
SHA256f5cb5ace2b7d35f46c14eb827cf041dba371d5b9b9c8c7ef8ca4af01faebab37
SHA5121e338586df2dcf4a77f9605860e18c5feb6f0cdabf7165877a53996af944aac361a4ca1faa2cce791a0d1336458965888d05af495bb6e2faac6031ed3cd160d4
-
C:\Users\Admin\AppData\Local\Temp\56F.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\9049.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\9D99.exeFilesize
759KB
MD546a230d9be88dd7dca63ab0ec41c0b14
SHA18072cc39226b6b18164eb58a81ce7433fae55c58
SHA25659b4a0b07d2a7901e49e8cc55c2eae5b457fde6e8b25295374a3e4ee37e207b5
SHA5128c21b6c8f33608e47ead31e1e731a7cd4791d53a05f4574143156f067669a4ced8b48ffcd4f13f5d9cf9eb63dfa7873d8f491b4a02e05370fd03ca210adf9a28
-
C:\Users\Admin\AppData\Local\Temp\AA4C.exeFilesize
392KB
MD589ec2c6bf09ed9a38bd11acb2a41cd1b
SHA1408549982b687ca8dd5efb0e8b704a374bd8909d
SHA256da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d
SHA512c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a
-
C:\Users\Admin\AppData\Local\Temp\D506.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5lm2irhl.5yu.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\aa744570-9aeb-4678-8d93-4549a00eb816\build2.exeFilesize
277KB
MD58dae8b6a6be6e3527183594d1c26a2d3
SHA1b87e40cee60869a36e79c88c8a3a34baf0bc4889
SHA256afce72cd3bc717c784962083066e3ede2b0aaadbe0908ec7360096c923774fa5
SHA5120bf065700db647efba39a13a58242a595907e6c11885575cf0bdad9e23ab40583c8a6535464e46d75d075e20d88b7a6305a761df9da787fdc8728483dd48f96e
-
C:\Users\Admin\AppData\Local\aa744570-9aeb-4678-8d93-4549a00eb816\build3.exeFilesize
1KB
MD5d90c6fbc596956110435056b522305d4
SHA1503d8fd3b016573b5b0c700cd185c82ef233b8dd
SHA25610bc18ac44e2ad7364ec8bfcf370abc1508de5ed10cd425b2704adbad844b8c3
SHA51284ca83b9e92af279d1c716a16c3cb139458b4930c4a433ac86c14ac1a2a17f430a659aa7d2f1867d3b2c28bd9f3063fde4fc39fc088c8fedb47c277e5944ea7e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57cf599653aede52e7f8a36f016421d5e
SHA144cc8d97b6fa60e37059c5e3f34cee84c1afa1fd
SHA2569e114e4bc56152dc85da6ea1d6659978f69d98cc371c1524bea9a37b3a3e3b63
SHA5126469ddb07e3a413bb42e621761d43c55365f9babe44a32f4542dbbc4820fc63aa47cbfcca8c5d52a1355634e1d349537a5aab03625be907cfddf0132e7938558
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5999a6560cc57140098a24fe5046aa68d
SHA140efbbc310d37fb3c6ed889a2f719654dd589799
SHA25618277ab2fdd6300412e0e1b75affebb9c9a7f39ffc6ac3da6ff09546a7707aaa
SHA512054df464147510720ab001f000277815ab8bcac71087bde75de1c033ea2122e7766f4bc445530715634927a8af980592859fd885898f638845100d353ec2996b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD597be63faca20277ab32179eb76f32af3
SHA1fe48332e65cd5f389289d959f944fe98ea5536b7
SHA256f58cb5eb10a08aa72e39d7d2e2a4e4e2d8d80256e3a6977d614ff3fbd0010a99
SHA512a2c94a01f677f65bac7eb36f85b3701e41087bc2b70b0737238f5f3d9f8ce2557d48755663de0252f69ce3b03a6e5fd01f48ab173619dede9a6e12598ba355d5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD512623f257049fc3d1e87a5bfa1b5c2c9
SHA12795eb43a71c68044c81887fa38a2c4c04dbc952
SHA256ce497215e964d4033b8039cb22d06b535233c0b14ffc0efaf32e6a3a66d17bee
SHA512f3f88f54af31697e100d4047183ecb98f116c3e086d83804a07ec050c0d476b7e9ef9205c40af4d1563f0a767a5af412539bfe4616120ab59862a3371f77d7bc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5146d8c48a0c94134568c6a1bd58532d0
SHA13166f56b2bccfb4cd6e5ed2e71f3ea4b5d1fbc78
SHA256c8c0b8b1d985c63d7d45964e71cc2e983b230933c10faaa108c89d7a71dbbdd1
SHA512bf155ec773d832c90934e60da4ea46615373d1b092541413504c60dfab7d6bffe66e067d1021aea5477714e2eecd1e0719cfcf239b0a673e37f3fe5e49df27ff
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/964-309-0x0000018CC2490000-0x0000018CC24B0000-memory.dmpFilesize
128KB
-
memory/964-313-0x0000018CC2B00000-0x0000018CC2B20000-memory.dmpFilesize
128KB
-
memory/964-311-0x0000018CC2450000-0x0000018CC2470000-memory.dmpFilesize
128KB
-
memory/1268-113-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/1268-105-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/1268-109-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/1268-123-0x0000000000400000-0x0000000000644000-memory.dmpFilesize
2.3MB
-
memory/1272-345-0x00007FF7EF2F0000-0x00007FF7F123C000-memory.dmpFilesize
31.3MB
-
memory/1272-248-0x00007FF7EF2F0000-0x00007FF7F123C000-memory.dmpFilesize
31.3MB
-
memory/1272-413-0x00007FF7EF2F0000-0x00007FF7F123C000-memory.dmpFilesize
31.3MB
-
memory/1308-104-0x0000000002180000-0x00000000021B1000-memory.dmpFilesize
196KB
-
memory/1308-103-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/1508-522-0x0000000004830000-0x0000000004831000-memory.dmpFilesize
4KB
-
memory/1976-20-0x00000000027B0000-0x0000000002843000-memory.dmpFilesize
588KB
-
memory/1976-21-0x0000000002850000-0x000000000296B000-memory.dmpFilesize
1.1MB
-
memory/2184-391-0x00000278CC120000-0x00000278CC140000-memory.dmpFilesize
128KB
-
memory/2184-387-0x00000278CBB50000-0x00000278CBB70000-memory.dmpFilesize
128KB
-
memory/2184-388-0x00000278CBB10000-0x00000278CBB30000-memory.dmpFilesize
128KB
-
memory/2492-303-0x00000000041C0000-0x00000000041C1000-memory.dmpFilesize
4KB
-
memory/3116-188-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-182-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-183-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-187-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-193-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-181-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-192-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-191-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-180-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-135-0x0000000000540000-0x0000000001225000-memory.dmpFilesize
12.9MB
-
memory/3116-140-0x0000000001740000-0x0000000001741000-memory.dmpFilesize
4KB
-
memory/3116-141-0x00000000017A0000-0x00000000017A1000-memory.dmpFilesize
4KB
-
memory/3116-142-0x00000000017D0000-0x00000000017D1000-memory.dmpFilesize
4KB
-
memory/3116-145-0x00000000017F0000-0x00000000017F1000-memory.dmpFilesize
4KB
-
memory/3116-144-0x0000000000540000-0x0000000001225000-memory.dmpFilesize
12.9MB
-
memory/3116-143-0x00000000017E0000-0x00000000017E1000-memory.dmpFilesize
4KB
-
memory/3116-179-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-147-0x0000000000540000-0x0000000001225000-memory.dmpFilesize
12.9MB
-
memory/3116-149-0x0000000001810000-0x0000000001811000-memory.dmpFilesize
4KB
-
memory/3116-190-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-189-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-178-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-163-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-184-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-146-0x0000000001800000-0x0000000001801000-memory.dmpFilesize
4KB
-
memory/3116-186-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-164-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-165-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-185-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-167-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-168-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-170-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-169-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-172-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-171-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-173-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-174-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-175-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-176-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3116-177-0x0000000003F20000-0x0000000004020000-memory.dmpFilesize
1024KB
-
memory/3444-238-0x0000000001350000-0x0000000001351000-memory.dmpFilesize
4KB
-
memory/3444-4-0x0000000003230000-0x0000000003246000-memory.dmpFilesize
88KB
-
memory/3480-1-0x0000000000D40000-0x0000000000E40000-memory.dmpFilesize
1024KB
-
memory/3480-2-0x00000000026F0000-0x00000000026FB000-memory.dmpFilesize
44KB
-
memory/3480-3-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/3480-5-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/3492-160-0x0000000007AB0000-0x0000000007FDC000-memory.dmpFilesize
5.2MB
-
memory/3492-114-0x0000000006660000-0x0000000006C78000-memory.dmpFilesize
6.1MB
-
memory/3492-162-0x00000000739B0000-0x0000000074160000-memory.dmpFilesize
7.7MB
-
memory/3492-86-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3492-108-0x00000000055E0000-0x0000000005672000-memory.dmpFilesize
584KB
-
memory/3492-102-0x0000000005A90000-0x0000000006034000-memory.dmpFilesize
5.6MB
-
memory/3492-152-0x00000000073B0000-0x0000000007572000-memory.dmpFilesize
1.8MB
-
memory/3492-110-0x00000000739B0000-0x0000000074160000-memory.dmpFilesize
7.7MB
-
memory/3492-128-0x0000000006190000-0x00000000061F6000-memory.dmpFilesize
408KB
-
memory/3492-120-0x0000000006040000-0x000000000608C000-memory.dmpFilesize
304KB
-
memory/3492-111-0x0000000005820000-0x0000000005830000-memory.dmpFilesize
64KB
-
memory/3492-119-0x00000000058E0000-0x000000000591C000-memory.dmpFilesize
240KB
-
memory/3492-166-0x0000000007310000-0x0000000007360000-memory.dmpFilesize
320KB
-
memory/3492-117-0x0000000005880000-0x0000000005892000-memory.dmpFilesize
72KB
-
memory/3492-115-0x0000000005950000-0x0000000005A5A000-memory.dmpFilesize
1.0MB
-
memory/3492-112-0x00000000057A0000-0x00000000057AA000-memory.dmpFilesize
40KB
-
memory/3680-207-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-42-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-202-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-129-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-100-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-157-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-161-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-159-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-49-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3680-50-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3736-71-0x00000000739B0000-0x0000000074160000-memory.dmpFilesize
7.7MB
-
memory/3736-70-0x0000000000120000-0x0000000000184000-memory.dmpFilesize
400KB
-
memory/3736-79-0x0000000004C00000-0x0000000004C10000-memory.dmpFilesize
64KB
-
memory/3736-85-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/3736-101-0x0000000002510000-0x0000000004510000-memory.dmpFilesize
32.0MB
-
memory/3736-116-0x00000000739B0000-0x0000000074160000-memory.dmpFilesize
7.7MB
-
memory/4008-411-0x00000000009A0000-0x00000000009EB000-memory.dmpFilesize
300KB
-
memory/4008-414-0x00000000009A0000-0x00000000009EB000-memory.dmpFilesize
300KB
-
memory/4116-435-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB
-
memory/4136-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4136-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4136-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4136-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4136-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4424-39-0x0000000000CE0000-0x0000000000D77000-memory.dmpFilesize
604KB
-
memory/4616-376-0x00000000030A0000-0x00000000030A1000-memory.dmpFilesize
4KB
-
memory/4724-260-0x0000000000400000-0x0000000000ECD000-memory.dmpFilesize
10.8MB