Analysis
-
max time kernel
80s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 21:58
General
-
Target
53a139ef0f6f800b6a3754956978aef2eb8fe2a234355930af8d213c70effbc3.exe
-
Size
203KB
-
MD5
270a63cbb8bd0c8b1383667a43dee48c
-
SHA1
43c3ac691834a1f60cbc40da1796650c4ad8ef64
-
SHA256
53a139ef0f6f800b6a3754956978aef2eb8fe2a234355930af8d213c70effbc3
-
SHA512
39cb957788e849e53d83af28174c001c18df8cc84900f544d7351580be07e24aad5c76114146df64e4c0ade0b7759b4e415fabf26b6a63ff9aea312420179588
-
SSDEEP
3072:a/oto3wTvPkiobSODnloOhtuIbW9aBV8sGi1MdWJ:a/P3wTvPkiS5nCOvYgmsG
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 7 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 23 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\53a139ef0f6f800b6a3754956978aef2eb8fe2a234355930af8d213c70effbc3.exe"C:\Users\Admin\AppData\Local\Temp\53a139ef0f6f800b6a3754956978aef2eb8fe2a234355930af8d213c70effbc3.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2556.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\3DB1.exeC:\Users\Admin\AppData\Local\Temp\3DB1.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3DB1.exeC:\Users\Admin\AppData\Local\Temp\3DB1.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\1cd7a9ad-88e6-46e0-a432-7b856a7689b1" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\3DB1.exe"C:\Users\Admin\AppData\Local\Temp\3DB1.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3DB1.exe"C:\Users\Admin\AppData\Local\Temp\3DB1.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 112 -ip 1121⤵
-
C:\Users\Admin\AppData\Local\Temp\657D.exeC:\Users\Admin\AppData\Local\Temp\657D.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67FF.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3508 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:31⤵
-
C:\Users\Admin\AppData\Local\Temp\8329.exeC:\Users\Admin\AppData\Local\Temp\8329.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\8329.exe"C:\Users\Admin\AppData\Local\Temp\8329.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\shgvicjC:\Users\Admin\AppData\Roaming\shgvicj1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5998bb0326f3b0f09e3807b631dc5d7b8
SHA11266cdd46c71687067d517a8873fbc892216b5b9
SHA25686d01464baba49c3a243770da3f12642373f82f6502d88e8b54fde107a638434
SHA5126122adabd9b20c12d9b39a9708aabd1862c62a06ea12a22f4a4d9679d177b6b19907a06c5b6091f121cdd8d056d7d0716c56a8ace5209e5355ad135ce3c953ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD52c27dca4dbcf8531709f844bd6290764
SHA1dca33423ee5fc8bddc967dd3e15e0d9e2c1bdfd6
SHA2561fe40f3f830832eaf8c270431d066f02de554bc84a8f0658e0a73580f96afa57
SHA512c1880664d6550a7c9e950eb9e0c1326ed1f1b29dde66f7c5e8ee696ec15325461531d3b904bf9918d40eb47a36d1e4834e1e8fa47db326f12d5f22932208c6af
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TV3VV50F\microsoft.windows[1].xmlFilesize
97B
MD55b984c298841d3dc3a3a0f8a819790bc
SHA127ec8f9f31d80734493d88e29e639b7562276867
SHA256c9bc2d8c025943515a1412a4cb84dd9c184b73031125619bf2cd2d2d2efc2d66
SHA512884209f3ea5207c6ad508975e139b2a16a6b861152c6861a3c1f1459973c896387e92407230ee1c90a6d4a9a49c52aa18d9d292b281a5b906f219280b7f15a93
-
C:\Users\Admin\AppData\Local\Temp\2556.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\3DB1.exeFilesize
767KB
MD5215c8bca7aa1973d55402017dc00def4
SHA13285e710e81d262462daf4d5b267f9e6a6050545
SHA2563ceb4bd84e569281413cc15f67fca395a799dc41293f5e7b047c5c632d09f81b
SHA5123c58adc18abb4f93dcd30383f6bfc7e7306ee543c9bd38b80a8f0dbec6ed4d6dab6749ec87ea80d8475c1dcd8f4b10a74c8e8957ddebaa5322b4fea8a747cfb4
-
C:\Users\Admin\AppData\Local\Temp\657D.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\8329.exeFilesize
4.2MB
MD5f20545112aac4d388966aa18162768b2
SHA19d2c872f30d402e467128dbcada3c69361a2909b
SHA2560958e59de7186b792e95f1f2c727317fe901cec23b17ec77704092572315f57c
SHA512f558402740241801ef3ab00ca8e84686743836d0ae6787d5e9b09000d4417e44b6b35181a0c57e85533f404d1720fc73f8a9b34a0653337f03e53ac5f7ad43ad
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebaaaccg.ppa.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Roaming\shgvicjFilesize
203KB
MD5270a63cbb8bd0c8b1383667a43dee48c
SHA143c3ac691834a1f60cbc40da1796650c4ad8ef64
SHA25653a139ef0f6f800b6a3754956978aef2eb8fe2a234355930af8d213c70effbc3
SHA51239cb957788e849e53d83af28174c001c18df8cc84900f544d7351580be07e24aad5c76114146df64e4c0ade0b7759b4e415fabf26b6a63ff9aea312420179588
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD562742b7e5d24ebe9f6b9cf7f06ca4c08
SHA16a40a549332fde861223d3f51a80e4c36d102970
SHA2566995126ba25a705d580cfc5b23742f4f48f13c3e2e0ecb8adc388a04279452db
SHA512bfd2c17cd61e2c97704a8e099b10a990c4137f0fbd0ea13b718140b73e54036088c8d99f9155001d2bccc15a4b57957cf4e04e2e4400a6259483420cd1fd0909
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53bd8dcd2cf7637c6b8461df4d1df0322
SHA166933799f19347efbc82cbd0c9193190872345b9
SHA256bf0101479128894ee221eecea2356340661785867eeb03c35b79ba3cc19ae2b2
SHA51244ca1d39af77830a7d29cc38ad51bc174b366fc80afacc5d79703011642dcbc110c02ed01115a4a66142a334865abfc445759c8873fef0d09bfe460fa1ba3543
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57c54b7fd81f63a7f895900a8bab78400
SHA18f0461e7448dd3704a5333eccc3f6047d875b529
SHA256e77b3831ed1d81531098d3f902823c96c85573f5fde643d2c7538a17bf3c81c0
SHA512c9b9b644172fe71f765fe19298959acd9aaaac00ae40f89905e3763cc3bc57a8844519a9caa209f021e982214509aff591df7ae01025c0d008f3ab3919c0d509
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD568c863f078cac819b54751108383334d
SHA1c336b46652988366a36cbef8a280ba9ed7990295
SHA25605367934fa16f6b5ede62c1dc009f306fcfe0e956c5d1038e4c06a150270d4e0
SHA51241ce07e9e79b626e2655ed512554f4a6504189a53e20a7022116db0beff135ebd2d796cb2a75a8d42019e0b8d7a285b779472b51de5e1504ac768c121c2453f2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD576a71051a9ebf724d69fbebffd72589a
SHA1637e5641400843e0fe2c881a8a26ded04852316a
SHA256211b58906287d65395e454118ce683bfc9ee7db3b21bed5af9c0bcc57d8400e3
SHA51287bc27a64b1a62362d603735e3b2cb032100190d710b357fc65b18f393883a71c40ead3460aacd9157b3d230668a31132c81f2d6efb85963815ecf7955d9b0b6
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/112-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/112-46-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/112-48-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/904-124-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/904-117-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/904-116-0x00000000051B0000-0x0000000005A9B000-memory.dmpFilesize
8.9MB
-
memory/904-208-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/1040-232-0x0000021867E20000-0x0000021867E40000-memory.dmpFilesize
128KB
-
memory/1040-235-0x0000021867BE0000-0x0000021867C00000-memory.dmpFilesize
128KB
-
memory/1040-237-0x00000218682A0000-0x00000218682C0000-memory.dmpFilesize
128KB
-
memory/1184-21-0x0000000004A70000-0x0000000004B07000-memory.dmpFilesize
604KB
-
memory/1184-22-0x0000000004B10000-0x0000000004C2B000-memory.dmpFilesize
1.1MB
-
memory/1208-169-0x0000016BE8B10000-0x0000016BE8B30000-memory.dmpFilesize
128KB
-
memory/1208-166-0x0000016BE8470000-0x0000016BE8490000-memory.dmpFilesize
128KB
-
memory/1208-164-0x0000016BE84B0000-0x0000016BE84D0000-memory.dmpFilesize
128KB
-
memory/1788-267-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/1788-356-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/2244-42-0x00000000048E0000-0x000000000497B000-memory.dmpFilesize
620KB
-
memory/2376-384-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2376-422-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2452-339-0x00000293CB140000-0x00000293CB160000-memory.dmpFilesize
128KB
-
memory/2452-341-0x00000293CB550000-0x00000293CB570000-memory.dmpFilesize
128KB
-
memory/2452-337-0x00000293CB180000-0x00000293CB1A0000-memory.dmpFilesize
128KB
-
memory/2868-466-0x00000144F9140000-0x00000144F9160000-memory.dmpFilesize
128KB
-
memory/2868-468-0x00000144F9560000-0x00000144F9580000-memory.dmpFilesize
128KB
-
memory/2868-463-0x00000144F9180000-0x00000144F91A0000-memory.dmpFilesize
128KB
-
memory/2888-421-0x000000000C110000-0x000000000C126000-memory.dmpFilesize
88KB
-
memory/2888-401-0x00000000035A0000-0x00000000035A1000-memory.dmpFilesize
4KB
-
memory/3088-74-0x0000000003AC0000-0x0000000003AF2000-memory.dmpFilesize
200KB
-
memory/3088-69-0x0000000003AA0000-0x0000000003AA1000-memory.dmpFilesize
4KB
-
memory/3088-101-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-103-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-105-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-107-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-109-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/3088-108-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-106-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-104-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-102-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-100-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-97-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-94-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-91-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-88-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-84-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-83-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-82-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-80-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-79-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-78-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-110-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/3088-98-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-96-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-95-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-118-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/3088-119-0x0000000000C50000-0x0000000001935000-memory.dmpFilesize
12.9MB
-
memory/3088-59-0x0000000000C50000-0x0000000001935000-memory.dmpFilesize
12.9MB
-
memory/3088-65-0x0000000001D80000-0x0000000001D81000-memory.dmpFilesize
4KB
-
memory/3088-93-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-64-0x0000000001D70000-0x0000000001D71000-memory.dmpFilesize
4KB
-
memory/3088-67-0x0000000001F70000-0x0000000001F71000-memory.dmpFilesize
4KB
-
memory/3088-68-0x0000000003A90000-0x0000000003A91000-memory.dmpFilesize
4KB
-
memory/3088-99-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-66-0x0000000000C50000-0x0000000001935000-memory.dmpFilesize
12.9MB
-
memory/3088-70-0x0000000003AB0000-0x0000000003AB1000-memory.dmpFilesize
4KB
-
memory/3088-71-0x0000000000C50000-0x0000000001935000-memory.dmpFilesize
12.9MB
-
memory/3088-92-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-73-0x0000000003AC0000-0x0000000003AF2000-memory.dmpFilesize
200KB
-
memory/3088-72-0x0000000003AC0000-0x0000000003AC1000-memory.dmpFilesize
4KB
-
memory/3088-75-0x0000000003AC0000-0x0000000003AF2000-memory.dmpFilesize
200KB
-
memory/3088-90-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-89-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-76-0x0000000003AC0000-0x0000000003AF2000-memory.dmpFilesize
200KB
-
memory/3088-77-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-87-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-85-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-86-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3088-81-0x0000000004620000-0x0000000004720000-memory.dmpFilesize
1024KB
-
memory/3116-2-0x00000000005C0000-0x00000000005CB000-memory.dmpFilesize
44KB
-
memory/3116-3-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3116-1-0x00000000006A0000-0x00000000007A0000-memory.dmpFilesize
1024KB
-
memory/3116-6-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3116-8-0x00000000005C0000-0x00000000005CB000-memory.dmpFilesize
44KB
-
memory/3288-123-0x0000000000AE0000-0x0000000000AE1000-memory.dmpFilesize
4KB
-
memory/3288-4-0x0000000002A50000-0x0000000002A66000-memory.dmpFilesize
88KB
-
memory/3424-136-0x0000000005690000-0x00000000056F6000-memory.dmpFilesize
408KB
-
memory/3424-147-0x0000000005870000-0x0000000005BC4000-memory.dmpFilesize
3.3MB
-
memory/3424-154-0x0000000006F20000-0x0000000006F64000-memory.dmpFilesize
272KB
-
memory/3424-135-0x0000000004DC0000-0x0000000004DE2000-memory.dmpFilesize
136KB
-
memory/3424-134-0x0000000002820000-0x0000000002830000-memory.dmpFilesize
64KB
-
memory/3424-133-0x0000000002820000-0x0000000002830000-memory.dmpFilesize
64KB
-
memory/3424-131-0x00000000748F0000-0x00000000750A0000-memory.dmpFilesize
7.7MB
-
memory/3424-130-0x0000000004EB0000-0x00000000054D8000-memory.dmpFilesize
6.2MB
-
memory/3424-125-0x00000000027A0000-0x00000000027D6000-memory.dmpFilesize
216KB
-
memory/3424-137-0x0000000005700000-0x0000000005766000-memory.dmpFilesize
408KB
-
memory/3424-149-0x0000000005E10000-0x0000000005E5C000-memory.dmpFilesize
304KB
-
memory/3424-148-0x0000000005D30000-0x0000000005D4E000-memory.dmpFilesize
120KB
-
memory/3888-23-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3888-27-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3888-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3888-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3888-39-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4016-423-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/4132-157-0x00000000047F0000-0x00000000047F1000-memory.dmpFilesize
4KB
-
memory/4572-329-0x0000000003670000-0x0000000003671000-memory.dmpFilesize
4KB
-
memory/4760-455-0x0000000003DE0000-0x0000000003DE1000-memory.dmpFilesize
4KB
-
memory/4936-215-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/5060-409-0x000002E010350000-0x000002E010370000-memory.dmpFilesize
128KB
-
memory/5060-411-0x000002E010960000-0x000002E010980000-memory.dmpFilesize
128KB
-
memory/5060-407-0x000002E010390000-0x000002E0103B0000-memory.dmpFilesize
128KB