Analysis
-
max time kernel
100s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-03-2024 13:12
Static task
static1
Behavioral task
behavioral1
Sample
944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe
Resource
win11-20240221-en
General
-
Target
944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe
-
Size
203KB
-
MD5
eb016da9d7abf324a337572e29acabe3
-
SHA1
d663cb7bb5db5304ff879c455a126936974cd9e3
-
SHA256
944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353
-
SHA512
14db0ef09d49ad3894a4af30134c5c1f6dbe102c56d0890a842c15775302ec4b10a9a07fb507d4e199adc7433c849489325e363f6baf38acb8f4a734d6154054
-
SSDEEP
6144:LAZQlW4KTuGQo6H5DKN8zfygUvGlcEkLqiB3:kWlW4KaG7N8zfqvOeh
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
Detected Djvu ransomware 9 IoCs
Processes:
resource yara_rule behavioral1/memory/5116-21-0x0000000002330000-0x000000000244B000-memory.dmp family_djvu behavioral1/memory/832-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/832-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/832-25-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/832-26-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/832-36-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2888-42-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2888-43-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2888-45-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2064-347-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 5792 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
AB64.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation AB64.exe -
Deletes itself 1 IoCs
Processes:
pid process 3608 -
Executes dropped EXE 7 IoCs
Processes:
AB64.exeAB64.exeAB64.exeAB64.exe3565.exe758D.exe9153.exepid process 5116 AB64.exe 832 AB64.exe 3008 AB64.exe 2888 AB64.exe 4068 3565.exe 2740 758D.exe 2064 9153.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
AB64.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\53323aa3-bcff-4f91-bef4-6695745fec05\\AB64.exe\" --AutoStart" AB64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exedescription ioc process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 104 raw.githubusercontent.com 105 raw.githubusercontent.com 113 drive.google.com 114 drive.google.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 45 api.2ip.ua 46 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
Processes:
AB64.exeAB64.exedescription pid process target process PID 5116 set thread context of 832 5116 AB64.exe AB64.exe PID 3008 set thread context of 2888 3008 AB64.exe AB64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4508 2888 WerFault.exe AB64.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe -
Modifies registry class 9 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{10181D4E-09C2-46B7-8124-0E70C2323EBF} explorer.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exepid process 4568 944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe 4568 944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 3608 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exepid process 4568 944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
758D.exepowershell.exeexplorer.exedescription pid process Token: SeShutdownPrivilege 3608 Token: SeCreatePagefilePrivilege 3608 Token: SeShutdownPrivilege 3608 Token: SeCreatePagefilePrivilege 3608 Token: SeShutdownPrivilege 3608 Token: SeCreatePagefilePrivilege 3608 Token: SeShutdownPrivilege 3608 Token: SeCreatePagefilePrivilege 3608 Token: SeDebugPrivilege 2740 758D.exe Token: SeDebugPrivilege 5212 powershell.exe Token: SeShutdownPrivilege 3608 Token: SeCreatePagefilePrivilege 3608 Token: SeShutdownPrivilege 676 explorer.exe Token: SeCreatePagefilePrivilege 676 explorer.exe Token: SeShutdownPrivilege 676 explorer.exe Token: SeCreatePagefilePrivilege 676 explorer.exe Token: SeShutdownPrivilege 676 explorer.exe Token: SeCreatePagefilePrivilege 676 explorer.exe Token: SeShutdownPrivilege 676 explorer.exe Token: SeCreatePagefilePrivilege 676 explorer.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
explorer.exepid process 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe -
Suspicious use of SendNotifyMessage 9 IoCs
Processes:
explorer.exepid process 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe 676 explorer.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
cmd.exeAB64.exeAB64.exeAB64.execmd.exe9153.exedescription pid process target process PID 3608 wrote to memory of 216 3608 cmd.exe PID 3608 wrote to memory of 216 3608 cmd.exe PID 216 wrote to memory of 5908 216 cmd.exe reg.exe PID 216 wrote to memory of 5908 216 cmd.exe reg.exe PID 3608 wrote to memory of 5116 3608 AB64.exe PID 3608 wrote to memory of 5116 3608 AB64.exe PID 3608 wrote to memory of 5116 3608 AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 5116 wrote to memory of 832 5116 AB64.exe AB64.exe PID 832 wrote to memory of 3816 832 AB64.exe icacls.exe PID 832 wrote to memory of 3816 832 AB64.exe icacls.exe PID 832 wrote to memory of 3816 832 AB64.exe icacls.exe PID 832 wrote to memory of 3008 832 AB64.exe AB64.exe PID 832 wrote to memory of 3008 832 AB64.exe AB64.exe PID 832 wrote to memory of 3008 832 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3008 wrote to memory of 2888 3008 AB64.exe AB64.exe PID 3608 wrote to memory of 4068 3608 3565.exe PID 3608 wrote to memory of 4068 3608 3565.exe PID 3608 wrote to memory of 4068 3608 3565.exe PID 3608 wrote to memory of 1936 3608 cmd.exe PID 3608 wrote to memory of 1936 3608 cmd.exe PID 1936 wrote to memory of 2736 1936 cmd.exe reg.exe PID 1936 wrote to memory of 2736 1936 cmd.exe reg.exe PID 3608 wrote to memory of 2740 3608 758D.exe PID 3608 wrote to memory of 2740 3608 758D.exe PID 3608 wrote to memory of 2064 3608 9153.exe PID 3608 wrote to memory of 2064 3608 9153.exe PID 3608 wrote to memory of 2064 3608 9153.exe PID 2064 wrote to memory of 5212 2064 9153.exe powershell.exe PID 2064 wrote to memory of 5212 2064 9153.exe powershell.exe PID 2064 wrote to memory of 5212 2064 9153.exe powershell.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe"C:\Users\Admin\AppData\Local\Temp\944704d6eaf814cbeeb67c321251c959ec9bc6e0616aff436d1e17d5574d5353.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8C61.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\AB64.exeC:\Users\Admin\AppData\Local\Temp\AB64.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AB64.exeC:\Users\Admin\AppData\Local\Temp\AB64.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\53323aa3-bcff-4f91-bef4-6695745fec05" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\AB64.exe"C:\Users\Admin\AppData\Local\Temp\AB64.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AB64.exe"C:\Users\Admin\AppData\Local\Temp\AB64.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2888 -ip 28881⤵
-
C:\Users\Admin\AppData\Local\Temp\3565.exeC:\Users\Admin\AppData\Local\Temp\3565.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3F97.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\758D.exeC:\Users\Admin\AppData\Local\Temp\758D.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\9153.exeC:\Users\Admin\AppData\Local\Temp\9153.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9153.exe"C:\Users\Admin\AppData\Local\Temp\9153.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Modify Registry
2Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD559e81183e22d6940a35f6ed67fd7284f
SHA1f89e79506bb55e28e917700270d43ced58a3f359
SHA2561f5e75b95a0642292425b320843958d8f55ff50f8a5556ac85d325b14e62521d
SHA512afffc6628906c57cf29ecac595978793c182389734178dc2c73bf839a42f877cd6541fd5419670b415f14ed7a3c3e0256b48f9f43636c2d96f513fe1d2326257
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD59ef41884b64a9364e7148f03fef07f1e
SHA149a551bcd0a11da8fd579ab1750b1bd2d1ee90c4
SHA2561702f74485a32c3a75fe47241347118c72da60c0d8f257604f952bbad9738200
SHA5122acfb11b2c5afa964e02335aa0d4934aa1a1849b02482696fb2e53d46bc2238a97aeb5a1ec5c9d590b4c1c25e18ee0b5571b2ad8ae3782050a8e433943fdedf8
-
C:\Users\Admin\AppData\Local\Temp\3565.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\758D.exeFilesize
30.6MB
MD5ff35671d54d612772b0c22c141a3056e
SHA1d005a27cd48556bf17eb9c2b43af49b67347cc0e
SHA2562f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512
SHA5129a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e
-
C:\Users\Admin\AppData\Local\Temp\8C61.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\9153.exeFilesize
4.1MB
MD5f3023cf0027501c0057cc293d3c792ef
SHA1fce12239da0220dde68c849b94d8c670af1b5e77
SHA2567a61ec57a9de30633d3d8d8ce8708cc5c68179c2d42dd49dff3412914b9e52d5
SHA5126dfb815413d92745c6845046be2f0ac6325d7ab7510e757916d9c116b144634785ee82d5fc07af7f46310d3bd5b09b8bc9c79aca9d0c0b09fd09f112099fba07
-
C:\Users\Admin\AppData\Local\Temp\AB64.exeFilesize
732KB
MD5749217bd5f268d2f54c5d02d627fe10e
SHA1e81514968944cfbed9d6423511110b7b0c512427
SHA2560b1256495e7d8847609ec5e99abe92c92a0126e7d54fbd1e862649f27699a5cc
SHA512eb9df2906b2be66d9b0076d7aff44900dff0b76cf0fddc8b6da08084d53b05aacf2e09664a085a0f8358889a2f667811445b9fc10f0075ae1fdf879b97366388
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykioacwz.ur2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/832-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/832-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/832-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/832-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/832-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2064-347-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2740-417-0x00007FF7E7F60000-0x00007FF7E9EAC000-memory.dmpFilesize
31.3MB
-
memory/2740-343-0x00007FF7E7F60000-0x00007FF7E9EAC000-memory.dmpFilesize
31.3MB
-
memory/2888-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2888-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2888-42-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3008-39-0x0000000002220000-0x00000000022B4000-memory.dmpFilesize
592KB
-
memory/3608-337-0x0000000002500000-0x0000000002501000-memory.dmpFilesize
4KB
-
memory/3608-4-0x0000000004340000-0x0000000004356000-memory.dmpFilesize
88KB
-
memory/4068-85-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-102-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-63-0x0000000003800000-0x0000000003801000-memory.dmpFilesize
4KB
-
memory/4068-64-0x0000000000AA0000-0x0000000001785000-memory.dmpFilesize
12.9MB
-
memory/4068-65-0x0000000000AA0000-0x0000000001785000-memory.dmpFilesize
12.9MB
-
memory/4068-66-0x0000000003810000-0x0000000003811000-memory.dmpFilesize
4KB
-
memory/4068-67-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-68-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-69-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-70-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-71-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-72-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-73-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-74-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-75-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-76-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-77-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-78-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-79-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-80-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-81-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-82-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-83-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-84-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-61-0x00000000037E0000-0x00000000037E1000-memory.dmpFilesize
4KB
-
memory/4068-86-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-91-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-92-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-93-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-94-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-95-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-98-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-97-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-100-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-99-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-96-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-101-0x0000000004480000-0x0000000004580000-memory.dmpFilesize
1024KB
-
memory/4068-62-0x00000000037F0000-0x00000000037F1000-memory.dmpFilesize
4KB
-
memory/4068-103-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-106-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-104-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-105-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-107-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-108-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-109-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-110-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-111-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-112-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-113-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-114-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-115-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-116-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-117-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-118-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-119-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-120-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-121-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-122-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-123-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-124-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/4068-60-0x00000000037D0000-0x00000000037D1000-memory.dmpFilesize
4KB
-
memory/4068-59-0x00000000037A0000-0x00000000037A1000-memory.dmpFilesize
4KB
-
memory/4068-57-0x0000000003790000-0x0000000003791000-memory.dmpFilesize
4KB
-
memory/4068-58-0x0000000000AA0000-0x0000000001785000-memory.dmpFilesize
12.9MB
-
memory/4068-52-0x0000000000AA0000-0x0000000001785000-memory.dmpFilesize
12.9MB
-
memory/4568-5-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/4568-3-0x00000000005C0000-0x00000000005CB000-memory.dmpFilesize
44KB
-
memory/4568-2-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/4568-1-0x0000000000600000-0x0000000000700000-memory.dmpFilesize
1024KB
-
memory/4768-414-0x0000000001070000-0x00000000010BB000-memory.dmpFilesize
300KB
-
memory/4768-416-0x0000000001070000-0x00000000010BB000-memory.dmpFilesize
300KB
-
memory/5116-20-0x0000000002290000-0x0000000002325000-memory.dmpFilesize
596KB
-
memory/5116-21-0x0000000002330000-0x000000000244B000-memory.dmpFilesize
1.1MB