Analysis
-
max time kernel
101s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 07:27
General
-
Target
4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe
-
Size
203KB
-
MD5
982a9f4eb6b6d45494c229728abc0562
-
SHA1
7ecd82d81511c1c778a882c4ac2457f9a45b91f0
-
SHA256
4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1
-
SHA512
844f81bac1ef583b37c238465c70ce9448b9e8465c1d4822fae8052ad22de56b84d70e4a8218be6c09370232629fb1d47fe8043621bb1e37ac3464f69bae4364
-
SSDEEP
3072:QYM3LqhgTikJM9rNxsr+Zm/rQSsK1LBg3V6HQ+sfwM199HIg:QYThgTikixNyj/roKXg3yNM1rHIg
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.0:29587
Extracted
lumma
https://resergvearyinitiani.shop/api
https://affordcharmcropwo.shop/api
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 3 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 22 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 32 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe"C:\Users\Admin\AppData\Local\Temp\4a3dd76c8825fb7dfb54fa98cca857b4a2ad0391eebfe74f92d0fe6f4fdb03e1.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9FF9.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\ADF4.exeC:\Users\Admin\AppData\Local\Temp\ADF4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ADF4.exeC:\Users\Admin\AppData\Local\Temp\ADF4.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\dac1d20f-f985-4a26-9ef6-6e7e44aa2eb3" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\ADF4.exe"C:\Users\Admin\AppData\Local\Temp\ADF4.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ADF4.exe"C:\Users\Admin\AppData\Local\Temp\ADF4.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 5685⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\BE70.exeC:\Users\Admin\AppData\Local\Temp\BE70.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 7922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2312 -ip 23121⤵
-
C:\Users\Admin\AppData\Local\Temp\FC06.exeC:\Users\Admin\AppData\Local\Temp\FC06.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF44.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\32A9.exeC:\Users\Admin\AppData\Local\Temp\32A9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\9D3B.exeC:\Users\Admin\AppData\Local\Temp\9D3B.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9D3B.exe"C:\Users\Admin\AppData\Local\Temp\9D3B.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 412 -ip 4121⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD559e81183e22d6940a35f6ed67fd7284f
SHA1f89e79506bb55e28e917700270d43ced58a3f359
SHA2561f5e75b95a0642292425b320843958d8f55ff50f8a5556ac85d325b14e62521d
SHA512afffc6628906c57cf29ecac595978793c182389734178dc2c73bf839a42f877cd6541fd5419670b415f14ed7a3c3e0256b48f9f43636c2d96f513fe1d2326257
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5597c35b5607bb63e183a945ff6b079c1
SHA1ea4b8e432eac853a3137dc1cd3eced2ca392249a
SHA256ad7f8fe80355b4c304f1e59f0821496ae607b9c00d593a2e54f40998c7820f09
SHA5126bb3ef06f3f76d2134d4e210c5f049b0c8521fa9561805a437d556e15368e30235a14df351fbcee9c81a8259b577512d7ff47bae4ad0d76b83dadd6a64b6bcf6
-
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datFilesize
1022B
MD57b9d3179c37c45480f2f5be0d173e41d
SHA1f72e350337c7d1614cdfe98c6c56c4a354b9529f
SHA256390f96b667138f3bbdf86328c251cc62278e02b4b9b1b75aa52cfe41aa6c2ade
SHA512a095d7f7c7ef1ba87d9da8abe158a8611b280b58ec39d8a300956402f63475dafc5861f9ce7ec21ea17ee21336e9ad0fd2cb7a2600552de0d57def3b4cd56768
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4VHCF0PY\microsoft.windows[1].xmlFilesize
97B
MD5b00643a38637847dab98bfa6c2d53f4e
SHA1983055bd38dff9849c550ae053cd3592db217147
SHA256a64b8e9193f1537d2bb5f68c17018abf732832ebe4885933819f019ff9410841
SHA5129acf44ec12ef307e812442dfd45408a6d6db702b698ae1b47b9ea8643fb0747d38baae833e8e1b9d2b540c1bfb5e2e34698c7cf6cb73555075a17fd0da7db9e2
-
C:\Users\Admin\AppData\Local\Temp\32A9.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\9D3B.exeFilesize
4.1MB
MD5ba5b3587a2c3f8d688e8c1d77e6ec18b
SHA1becedc93b291eff49d3579b402f2c9a21e7a86eb
SHA256bc66acc532cca746af116cc1c2bad1ccf565fb5320f8ec059428780a32b10a95
SHA5121805da9811cc3a8881a7be1ee6c193b072851be40123800464756078abfd9c06ada2211760afa41a45aa783932054bd4eaa77ed836784fc6dd2c4dd02f1f0824
-
C:\Users\Admin\AppData\Local\Temp\9FF9.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\ADF4.exeFilesize
733KB
MD5cc4b213535ca360dbf9d08590939972d
SHA1a1ac443d9c2f2a809b01fc7968235a9b9992f89b
SHA25633b7a85c7b3ba67d21e108440ea3a755639875314fce7c922865e723479aeb38
SHA5129de6129de378164c5454a8833a31bbaeb9c7718d9f149a141d014c72a55d25207be7826124def4fd7e2a02e9178287e5ac912c9bc0abcbf896ebf3311ea77eb3
-
C:\Users\Admin\AppData\Local\Temp\BE70.exeFilesize
392KB
MD589ec2c6bf09ed9a38bd11acb2a41cd1b
SHA1408549982b687ca8dd5efb0e8b704a374bd8909d
SHA256da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d
SHA512c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a
-
C:\Users\Admin\AppData\Local\Temp\FC06.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bzpcozeg.mwg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5781bbf893c2bf0fb73d245ffb7a854cc
SHA14825c14c1569fc85f6342cae5710ab9cd0fc6ac8
SHA256e42ffbd8b3a9413b6e6f3f8e62f088245a2a0afbc3a7279584c15301050bd667
SHA5122bc9d557a57a0e03bc8f37085df5a0818dd6e6ef83b9cf8ad9466f68c94b6e8fd58464e40c8fbb1e6080959e6f35c14b7a4d3c9e5de5ec28a3ca8e09e8c6f74a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a6dd85ac11ec6b325ce5638f946156c6
SHA167976397da558f8491d355dda35f2b359c693480
SHA256a86169b417d557d58c5465e5e53fcb2509bf9c8f9fc55e436ec35dcfb9885f41
SHA512de68d684ef6d6417acbaac4e155546f453ab9f82b59f345e551e6db5ac0d582efe34e0a78ec5635925d281f7ad715f84c9a0875ddefc7789d9a13cf71672ec4e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58f376fb10213dc6a165a76cb905090e6
SHA1c494661922540f790f51feab296e819b9bed3547
SHA2560d8be37f96c969ac661660862e69acfdcde6a291fa5db8623ba41e081e3a8f2d
SHA51213862377726edb22cd5301b0ef3f36722936c16709d4ceee6e876508bafcd91365e45aa883286f21c3c6a763db5b20028b40ca4c11df6e32488f98eb95a05191
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD588a30faaab2bb670beef0502751c6545
SHA15d4aef212baee5aaf7305346ff284399a59a20f6
SHA2568f4c35d56732258d87f0f839c96573bc2e889c2ded2312e910cdccd6a1ef69ca
SHA512a5b9e75365778372c3384e0f8253cbad16975f50ea9aea63080e4ec77323b0fecdf6a1eb77f4692c8e56b029765682cefc7ac7dc6f4153822d379a0787bf7574
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d7ba1080cbed8a23558f9ecae4456b67
SHA154e6db8d2f725159ea80fc044e79c54e2dbf39cc
SHA2560c10cd4541f70e4b4e72a88cd334bc5d6fccf13091eea4a4bf5c5653abc39315
SHA512443b097942cea83c00724842edd9cf0b3172139f19684ce033e71dfc11be63349f62f073c0e9852a8155a95397e9ac7ac3efcb4225e003db661627cfb60c9fab
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/412-406-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/412-404-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/412-403-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1488-588-0x0000000004840000-0x0000000004841000-memory.dmpFilesize
4KB
-
memory/1572-599-0x000002338FEC0000-0x000002338FEE0000-memory.dmpFilesize
128KB
-
memory/1572-597-0x000002338F8A0000-0x000002338F8C0000-memory.dmpFilesize
128KB
-
memory/1572-595-0x000002338F8E0000-0x000002338F900000-memory.dmpFilesize
128KB
-
memory/1600-54-0x0000000006D50000-0x0000000006DA0000-memory.dmpFilesize
320KB
-
memory/1600-45-0x00000000054D0000-0x00000000054E0000-memory.dmpFilesize
64KB
-
memory/1600-49-0x0000000005520000-0x000000000555C000-memory.dmpFilesize
240KB
-
memory/1600-50-0x0000000005560000-0x00000000055AC000-memory.dmpFilesize
304KB
-
memory/1600-38-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1600-53-0x0000000005E10000-0x0000000005E76000-memory.dmpFilesize
408KB
-
memory/1600-47-0x00000000055F0000-0x00000000056FA000-memory.dmpFilesize
1.0MB
-
memory/1600-55-0x0000000007090000-0x0000000007252000-memory.dmpFilesize
1.8MB
-
memory/1600-56-0x0000000007F30000-0x000000000845C000-memory.dmpFilesize
5.2MB
-
memory/1600-46-0x00000000063C0000-0x00000000069D8000-memory.dmpFilesize
6.1MB
-
memory/1600-48-0x0000000005490000-0x00000000054A2000-memory.dmpFilesize
72KB
-
memory/1600-84-0x0000000073AB0000-0x0000000074260000-memory.dmpFilesize
7.7MB
-
memory/1600-44-0x0000000005210000-0x000000000521A000-memory.dmpFilesize
40KB
-
memory/1600-43-0x0000000073AB0000-0x0000000074260000-memory.dmpFilesize
7.7MB
-
memory/1600-40-0x00000000057F0000-0x0000000005D94000-memory.dmpFilesize
5.6MB
-
memory/1600-42-0x0000000005240000-0x00000000052D2000-memory.dmpFilesize
584KB
-
memory/1700-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1700-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1700-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1700-395-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1700-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1712-5-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/1712-1-0x0000000000560000-0x0000000000660000-memory.dmpFilesize
1024KB
-
memory/1712-3-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/1712-2-0x0000000002280000-0x000000000228B000-memory.dmpFilesize
44KB
-
memory/1832-661-0x000001CFD59E0000-0x000001CFD5A00000-memory.dmpFilesize
128KB
-
memory/1832-663-0x000001CFD59A0000-0x000001CFD59C0000-memory.dmpFilesize
128KB
-
memory/1832-665-0x000001CFD5FB0000-0x000001CFD5FD0000-memory.dmpFilesize
128KB
-
memory/1980-20-0x0000000002250000-0x00000000022F1000-memory.dmpFilesize
644KB
-
memory/1980-21-0x0000000002300000-0x000000000241B000-memory.dmpFilesize
1.1MB
-
memory/2136-765-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2312-32-0x00000000003C0000-0x0000000000424000-memory.dmpFilesize
400KB
-
memory/2312-33-0x0000000073AB0000-0x0000000074260000-memory.dmpFilesize
7.7MB
-
memory/2312-34-0x0000000004F40000-0x0000000004F50000-memory.dmpFilesize
64KB
-
memory/2312-35-0x00000000027D0000-0x00000000027D1000-memory.dmpFilesize
4KB
-
memory/2312-41-0x0000000002950000-0x0000000004950000-memory.dmpFilesize
32.0MB
-
memory/2312-51-0x0000000073AB0000-0x0000000074260000-memory.dmpFilesize
7.7MB
-
memory/2356-170-0x0000000001200000-0x000000000124B000-memory.dmpFilesize
300KB
-
memory/2356-167-0x0000000001200000-0x000000000124B000-memory.dmpFilesize
300KB
-
memory/3384-431-0x00000000014A0000-0x00000000014A1000-memory.dmpFilesize
4KB
-
memory/3384-4-0x0000000003720000-0x0000000003736000-memory.dmpFilesize
88KB
-
memory/3460-467-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3504-515-0x00000238286B0000-0x00000238286D0000-memory.dmpFilesize
128KB
-
memory/3504-512-0x0000023827FA0000-0x0000023827FC0000-memory.dmpFilesize
128KB
-
memory/3504-510-0x0000023827FE0000-0x0000023828000000-memory.dmpFilesize
128KB
-
memory/4032-616-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4124-94-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-106-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-109-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-113-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-108-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-103-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-101-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-91-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-90-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-104-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-65-0x00000000006B0000-0x0000000001395000-memory.dmpFilesize
12.9MB
-
memory/4124-102-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-89-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-99-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-100-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-98-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-96-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-92-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-93-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-95-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-97-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-105-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-111-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-88-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-70-0x0000000000690000-0x0000000000691000-memory.dmpFilesize
4KB
-
memory/4124-110-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-107-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-115-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-114-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-87-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-86-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-85-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-82-0x0000000003080000-0x00000000030B2000-memory.dmpFilesize
200KB
-
memory/4124-83-0x0000000003080000-0x00000000030B2000-memory.dmpFilesize
200KB
-
memory/4124-80-0x0000000003080000-0x00000000030B2000-memory.dmpFilesize
200KB
-
memory/4124-81-0x0000000003080000-0x00000000030B2000-memory.dmpFilesize
200KB
-
memory/4124-79-0x0000000003080000-0x0000000003081000-memory.dmpFilesize
4KB
-
memory/4124-112-0x0000000003CE0000-0x0000000003DE0000-memory.dmpFilesize
1024KB
-
memory/4124-77-0x0000000003060000-0x0000000003061000-memory.dmpFilesize
4KB
-
memory/4124-72-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/4124-74-0x0000000003040000-0x0000000003041000-memory.dmpFilesize
4KB
-
memory/4124-76-0x0000000003050000-0x0000000003051000-memory.dmpFilesize
4KB
-
memory/4124-75-0x00000000006B0000-0x0000000001395000-memory.dmpFilesize
12.9MB
-
memory/4124-73-0x00000000014A0000-0x00000000014A1000-memory.dmpFilesize
4KB
-
memory/4412-741-0x0000000004220000-0x0000000004221000-memory.dmpFilesize
4KB
-
memory/4432-748-0x000002672B720000-0x000002672B740000-memory.dmpFilesize
128KB
-
memory/4432-751-0x000002672B6E0000-0x000002672B700000-memory.dmpFilesize
128KB
-
memory/4432-753-0x000002672BD00000-0x000002672BD20000-memory.dmpFilesize
128KB
-
memory/4604-504-0x0000000003F20000-0x0000000003F21000-memory.dmpFilesize
4KB
-
memory/4636-168-0x00007FF64A8B0000-0x00007FF64C7FC000-memory.dmpFilesize
31.3MB
-
memory/4636-164-0x00007FF64A8B0000-0x00007FF64C7FC000-memory.dmpFilesize
31.3MB
-
memory/5076-652-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB