Analysis
-
max time kernel
85s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
01-04-2024 02:04
General
-
Target
44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452.exe
-
Size
203KB
-
MD5
2c4aebcc97030695e4eae570e2aa1f1a
-
SHA1
b43be65cd79153d07a8959d06583a87650c59699
-
SHA256
44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452
-
SHA512
fa99384bc9b5ccb21f0859576d3a420ad6118849fe2892c53e7782096a14d3b9ceb86fb528ce362612d131194c5562ba57190315359e2573564bb2267297f8ee
-
SSDEEP
3072:bKIdo3wKvh4ZsXLK0aWcfX98+8spxn0bDU+OWJ:bK/3wKvh4ZXnX98Bs3nk
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 10 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 7 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 39 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of FindShellTrayWindow 17 IoCs
-
Suspicious use of SendNotifyMessage 11 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452.exe"C:\Users\Admin\AppData\Local\Temp\44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D86.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\2B90.exeC:\Users\Admin\AppData\Local\Temp\2B90.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2B90.exeC:\Users\Admin\AppData\Local\Temp\2B90.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f7cf1203-7268-4a58-a24c-376f28916960" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\2B90.exe"C:\Users\Admin\AppData\Local\Temp\2B90.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2B90.exe"C:\Users\Admin\AppData\Local\Temp\2B90.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4396 -ip 43961⤵
-
C:\Users\Admin\AppData\Local\Temp\A361.exeC:\Users\Admin\AppData\Local\Temp\A361.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6EC.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\D570.exeC:\Users\Admin\AppData\Local\Temp\D570.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D570.exe"C:\Users\Admin\AppData\Local\Temp\D570.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5998bb0326f3b0f09e3807b631dc5d7b8
SHA11266cdd46c71687067d517a8873fbc892216b5b9
SHA25686d01464baba49c3a243770da3f12642373f82f6502d88e8b54fde107a638434
SHA5126122adabd9b20c12d9b39a9708aabd1862c62a06ea12a22f4a4d9679d177b6b19907a06c5b6091f121cdd8d056d7d0716c56a8ace5209e5355ad135ce3c953ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD54772fc81869b15d4c63da69bfaaa3bd5
SHA1614066d20086236c07e71e61df4877168dc4caf7
SHA256f771be64aff4c8819e1d599531017d2d62b1f65518d74874148a45fdabdfae11
SHA51211b346999814d15dacbeb6c8c61555db9bcd3af4ba32e5ec81d23dcfdf5cebe6ac348a6f20fee4e2f3fdb30988a476250a7485d653e0fdc96bf15e47f99250b7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SL9YLD9N\microsoft.windows[1].xmlFilesize
97B
MD5bb7934efe1e99dde2a4be53178ce8fd7
SHA149e6b2f364b597c34832d1878259d5eb671f21a4
SHA25611904522eefd80ce753b37f72e745a251ea2a9bd65cbccbc8993944280db3426
SHA51223ae797546cd1b9884c23e593c371e99ec872b54d5f0856729137ad78507e6e120de7bc75aa7dd7c7556217a628bcf8824175ea0982d6c3236cd22b15455c1d6
-
C:\Users\Admin\AppData\Local\Temp\1D86.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\2B90.exeFilesize
731KB
MD502f6623bb1baf86fff2187d3133a0f4b
SHA17fc70dc931668f080f7c6a32404f4ecef7a6c1fc
SHA256d08ffd814756737222e2812019ec4b6ffeb2714e19d611c15a308ae3902868d0
SHA512c36cc942834274d3078edab9e9975237f323c14d480ebca5b151ce885067b2863fd255d49b6929d26b48548a23b6d7c3bf42d3b0548e82bf3a93afa852b682ae
-
C:\Users\Admin\AppData\Local\Temp\A361.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\D570.exeFilesize
4.1MB
MD51e578aee6185835cb342b85f99e140df
SHA16ea67ddc96b09150c291ff5ea059e98075bf3823
SHA2560d21b306a868051b31ffac63da269967fc9edd9d680f2e2879d1b8377d2d0e84
SHA5127dcbebe9ca2cd209841aa413d67adecb2a27f65a3d59d510801e51b04555ec5d24641149743f5af2ff7a0edb92ba24a293df213661c4dd161b36e1c3fc47eafb
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqh10ins.wuc.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5ae120c5ba43eeb22999dcaf329066f52
SHA18499930f44bb932d66a25f0d17acf25c85569738
SHA256147f57219d3525df832e09d330bcf568ddbfbf50291faa943c5ec51920692c9e
SHA512842719910963aa08d012d1adfadabad40ea825480f8f61181c35b094edb0d3762f782a817f801ff13711925c08aefc8aa30d0d4cf8391348a3f7b2f05369bee3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5830b03fa58fea767a673adb2be9c5586
SHA182a8ce6dde1bb716317d533ff5755098d3dfd8bc
SHA25696d481e1d71c4862e3c0bc285103a7e0104978cb0986a0ff324c5ab89ab79f24
SHA5127d503bbf4f277e40f99a26e0f2b8cae07a51b42ddced10e9ae15f2b4fd7e4b5597b7575130404b6cdde2ea2b33a92ca8b785c7aa27e5d8a9a3c652648068ab37
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD547e911fd23e218f0454cdef64a35cffc
SHA1d20d9e36ec44aa477a1534fbf6b1050f30c0330b
SHA25698d2a26caa66c651b3133856d1f35bf1ee7835a305ca4c1453c9fbf6fc999473
SHA5120072b8fb37c757b6d78226322e467c7e4acb2be875bb4c982418c60e67a5ad3312e8177a904a8f3781e8886cbc1b5ea284286c036faa23b821ca776d437fc3f8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59b1f7d55123171ac23257a0f2459a34f
SHA193ef624acc8c3438061f0160cacfd864baa4fd50
SHA25604c50e38f2c5b97fc96c3a1eb4d51d3178cedf9a76c972e7cfed1b2d5edf1f3d
SHA5126aa49f351cfabba6414411da3b422a86eab28dda7d2184d580cc01968ea035a8ea4c10068af5eeb12092a5217b955b54a30f07ec0fed32937a02973ef0c3fa8f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a6bff97b957fc3e32768292fdc309952
SHA1314953d0f201f79d3b305f493e3f1801a7fd942c
SHA256f9c659d039a56e7a100593d3d780ed7c7b365dbbd2635b7705ae0cfc5e4dc622
SHA512b6fcdee0f99e2c3c0b9eb1ec1b3b2f35f576da16590049a0a8a36ab7ed44b6236c1afab034e0e8661fbd6d6c72aad632f3b733dc3c241955945c1c73221088c9
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/544-244-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/1208-411-0x000001BEF2BF0000-0x000001BEF2C10000-memory.dmpFilesize
128KB
-
memory/1208-414-0x000001BEF2BB0000-0x000001BEF2BD0000-memory.dmpFilesize
128KB
-
memory/1208-416-0x000001BEF2FC0000-0x000001BEF2FE0000-memory.dmpFilesize
128KB
-
memory/1336-496-0x0000000002FD0000-0x0000000002FD1000-memory.dmpFilesize
4KB
-
memory/1348-304-0x00000000043A0000-0x00000000043A1000-memory.dmpFilesize
4KB
-
memory/1496-528-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1524-20-0x0000000000760000-0x0000000000801000-memory.dmpFilesize
644KB
-
memory/1524-21-0x00000000022F0000-0x000000000240B000-memory.dmpFilesize
1.1MB
-
memory/1868-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1868-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1868-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1868-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1868-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1936-1-0x0000000000910000-0x0000000000A10000-memory.dmpFilesize
1024KB
-
memory/1936-5-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1936-3-0x00000000008A0000-0x00000000008AB000-memory.dmpFilesize
44KB
-
memory/1936-2-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2168-553-0x0000000004690000-0x0000000004691000-memory.dmpFilesize
4KB
-
memory/2416-223-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2416-188-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2612-539-0x0000025F60380000-0x0000025F603A0000-memory.dmpFilesize
128KB
-
memory/2612-541-0x0000025F60790000-0x0000025F607B0000-memory.dmpFilesize
128KB
-
memory/2612-537-0x0000025F603C0000-0x0000025F603E0000-memory.dmpFilesize
128KB
-
memory/2840-73-0x00000000037F0000-0x0000000003822000-memory.dmpFilesize
200KB
-
memory/2840-80-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-84-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-85-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-86-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-87-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-89-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-88-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-91-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-90-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-81-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-92-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-93-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-94-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-95-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-96-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-97-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-98-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-99-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-100-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-101-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-102-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-103-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-104-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-105-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-106-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-108-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-109-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-110-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-107-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-111-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-112-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-113-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-115-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-114-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-116-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-117-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-118-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-119-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-120-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-121-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-122-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-123-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-124-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/2840-82-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-56-0x0000000000960000-0x0000000001645000-memory.dmpFilesize
12.9MB
-
memory/2840-83-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-79-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-78-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-77-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-76-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-75-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-61-0x0000000003650000-0x0000000003651000-memory.dmpFilesize
4KB
-
memory/2840-63-0x00000000036A0000-0x00000000036A1000-memory.dmpFilesize
4KB
-
memory/2840-62-0x0000000003670000-0x0000000003671000-memory.dmpFilesize
4KB
-
memory/2840-74-0x0000000004340000-0x0000000004440000-memory.dmpFilesize
1024KB
-
memory/2840-65-0x0000000000960000-0x0000000001645000-memory.dmpFilesize
12.9MB
-
memory/2840-72-0x00000000037F0000-0x0000000003822000-memory.dmpFilesize
200KB
-
memory/2840-71-0x00000000037F0000-0x0000000003822000-memory.dmpFilesize
200KB
-
memory/2840-70-0x00000000037F0000-0x0000000003822000-memory.dmpFilesize
200KB
-
memory/2840-66-0x00000000036C0000-0x00000000036C1000-memory.dmpFilesize
4KB
-
memory/2840-67-0x00000000037E0000-0x00000000037E1000-memory.dmpFilesize
4KB
-
memory/2840-64-0x00000000036B0000-0x00000000036B1000-memory.dmpFilesize
4KB
-
memory/2840-69-0x0000000000960000-0x0000000001645000-memory.dmpFilesize
12.9MB
-
memory/2840-68-0x0000000000960000-0x0000000001645000-memory.dmpFilesize
12.9MB
-
memory/3464-169-0x0000000002D20000-0x0000000002D21000-memory.dmpFilesize
4KB
-
memory/3464-4-0x0000000003050000-0x0000000003066000-memory.dmpFilesize
88KB
-
memory/3988-283-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3988-371-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4396-42-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4396-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4396-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4444-325-0x000001A9B7430000-0x000001A9B7450000-memory.dmpFilesize
128KB
-
memory/4444-324-0x000001A9B7020000-0x000001A9B7040000-memory.dmpFilesize
128KB
-
memory/4444-322-0x000001A9B7060000-0x000001A9B7080000-memory.dmpFilesize
128KB
-
memory/4660-404-0x00000000044A0000-0x00000000044A1000-memory.dmpFilesize
4KB
-
memory/4804-462-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4804-518-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4804-552-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/4848-39-0x0000000000860000-0x0000000000900000-memory.dmpFilesize
640KB
-
memory/4892-253-0x00000168D29B0000-0x00000168D29D0000-memory.dmpFilesize
128KB
-
memory/4892-250-0x00000168D25E0000-0x00000168D2600000-memory.dmpFilesize
128KB
-
memory/4892-252-0x00000168D25A0000-0x00000168D25C0000-memory.dmpFilesize
128KB
-
memory/4976-529-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/5016-504-0x0000017F73580000-0x0000017F735A0000-memory.dmpFilesize
128KB
-
memory/5016-507-0x0000017F73540000-0x0000017F73560000-memory.dmpFilesize
128KB
-
memory/5016-509-0x0000017F73950000-0x0000017F73970000-memory.dmpFilesize
128KB
-
memory/5112-561-0x000002B35C710000-0x000002B35C730000-memory.dmpFilesize
128KB
-
memory/5112-563-0x000002B35C6D0000-0x000002B35C6F0000-memory.dmpFilesize
128KB
-
memory/5112-565-0x000002B35CD20000-0x000002B35CD40000-memory.dmpFilesize
128KB