Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 08:35
General
-
Target
6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e.exe
-
Size
405KB
-
MD5
dfe244414c8461175241ce54707eb6b6
-
SHA1
1c94e583b7058d01dad42d56ef5ddf17b64b5778
-
SHA256
6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e
-
SHA512
a8b872308f2e4d51bf99617bad931117921a4332d2a4b2e84c6e45bf42829999a95883b146dca93894ffbd5bcd0f03cb682468457ac2ff1cefcb43155f4225c9
-
SSDEEP
12288:eN6XS66ZeKgLaIGVkwpU0uNqFrNNkpICQzlG:26CNe0IGVl+qHul
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 5 IoCs
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 6 IoCs
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 8 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e.exe"C:\Users\Admin\AppData\Local\Temp\6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e.exe"1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\uIw3QMTkSde6pKxRdVN5APvx.exe"C:\Users\Admin\Pictures\uIw3QMTkSde6pKxRdVN5APvx.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\uIw3QMTkSde6pKxRdVN5APvx.exe"C:\Users\Admin\Pictures\uIw3QMTkSde6pKxRdVN5APvx.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\N6bMhQCMmOqNNw86o2Hy4iC0.exe"C:\Users\Admin\Pictures\N6bMhQCMmOqNNw86o2Hy4iC0.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\N6bMhQCMmOqNNw86o2Hy4iC0.exe"C:\Users\Admin\Pictures\N6bMhQCMmOqNNw86o2Hy4iC0.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\4A2XlB3XpHnqxCd2ruG1mePF.exe"C:\Users\Admin\Pictures\4A2XlB3XpHnqxCd2ruG1mePF.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u190.0.exe"C:\Users\Admin\AppData\Local\Temp\u190.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 10205⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exeC:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exeC:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\rOKQrf2ftbZp2SuDxiZBUYiu.exe"C:\Users\Admin\Pictures\rOKQrf2ftbZp2SuDxiZBUYiu.exe"3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4452 -ip 44521⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5a6ea7bfcd3aac150c0caef765cb52281
SHA1037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
21KB
MD5537aca00545d2449b57c090371b90174
SHA1415a6182209817b9b58063f91bfec8066901fb71
SHA25650d1349044e5d4694b94736e419aeeb9320ec979db9401f60ff3f58241935d5b
SHA5127d6ca2e1a10412027019c2fa406f6c2b4efa1c4ba94bea48eaf5579a1b97b373d8ba2f89d91663146f6c9e9cb9e050c6a57ac55b4ca49a3b27bc281bd10b59a6
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
7.6MB
MD5862bf3003dca41d88ac49a6846149623
SHA1b34f1d42dd0649d6b83f9a92124a554f48df0434
SHA25650c10789db130a98c63e6e7f6e23b1c89b38c5ea4678f1e06fd1796fba25c75c
SHA512fe5ab7888633dbfecca57ecd1732360796c2f19c62fc4282e2a92e9b8b440cc01e25b7a0c6a608cf9c2e9c9e3c49a8509a08851afcaef7e1afc21c0abcc2c969
-
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\WCLDll.dllFilesize
590KB
MD563206e3b4f1fa4dcfbe1f2cc5d0c4e9d
SHA1fe731b2e9c296d9ecc75ed96c2d29fe46c7cd924
SHA2568f5b8645b5e5ea48acc411b21a1b3cd56d2660ac931989b9f064c8ff82039885
SHA51232bdcce9e8e7f1ebe50e114f65f762391d52f482a112515ccb16b09653b93873528ea1a7473a2512075bf8f729997a65f455bf6599482e997b85e06a2f87f3d6
-
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\cosmetician.mpegFilesize
79KB
MD58e1bbc6d6c4d207393b59853f73945ae
SHA1b66d632eae41267175bf5332d43a785dd929d79f
SHA256b04725aaa99b27e04c02bec7d98fb4511331ea53761272325fff9c27a679e279
SHA5121b45a7be00f54498df289641745ca6ee99e11d63100fb838b96c2d9412f8b5f0ea5aa8b964f32a4f9182cd599765f5ca08b91e8e8eecd06d1c53543284a59001
-
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\msvcp140.dllFilesize
427KB
MD571a0aa2d05e9174cefd568347bd9c70f
SHA1cb9247a0fa59e47f72df7d1752424b33a903bbb2
SHA256fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
SHA5126e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a
-
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exeFilesize
938KB
MD5b15bac961f62448c872e1dc6d3931016
SHA11dcb61babb08fe5db711e379cb67335357a5db82
SHA256bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5
SHA512932119f7dc6710239481c80ad8baaed5c14a2085fcc514b6522671b1a4ebbaf488e43453f11d5aaf6dcef7a245db8de44d93ff255f7cf8385b7d00f31f2cc370
-
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\quersprung.vhdFilesize
1.3MB
MD53bee67dd0e04559c8fdc7761336dee47
SHA1027ef9dca01fb928db79e57b418130165f06ed5f
SHA25657745aba2885cf8bf770e7e9195697c05e35333417ca23af153367bf31cbf812
SHA51235fb66f98a57b0d14c3044a91abac3e0670d516edfd691d6670df034e8454c550d3d2e702ab90cd32b70fcba8aeb2e02b7b3a07b6a340a932738968473f77dce
-
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\vcruntime140.dllFilesize
81KB
MD516b26bc43943531d7d7e379632ed4e63
SHA1565287de39649e59e653a3612478c2186096d70a
SHA256346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
SHA512b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lfsbmapq.m51.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\be7791d5Filesize
3.8MB
MD513418f74a7ce25cdd6997c9fcb718a0e
SHA1f4c880821fee72c37c882b1e8ebf100efcafe31c
SHA256a890935a36903669f35522c85c75e296404a4595453f060398cb64c5b0d6dfd0
SHA51259017162877bbbdf823450a946e3e54e9130d8ebbf5baba24471c68a10d1fad3452be08c693cd7a78d0bf2fcfd6d3086edeec1a379f9b53fd66bb246c128d4c1
-
C:\Users\Admin\AppData\Local\Temp\cca85f80Filesize
1.4MB
MD5acddae28ff6defbace760c365e6dfb9d
SHA105b4ace93af86bbd5519b1f3d716f364e8ee55a9
SHA256bd5b5237410c9f3b59b96b10c90682d8772ab6102351369795288517d84f1162
SHA512106224b5b4224987479712444bb2c3693b67f529e9c074e731c41871cbc7fb0a35395305c131685200a74ac8fcbf812f209a555de40af30a91225e7a6bf99f66
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\u190.0.exeFilesize
283KB
MD5329bc43cda762f853095671ec1454c8f
SHA1ad03097d49c3d5f6f9527036872dc399a27ef4c2
SHA25677d2045b214ad57a071131305a0dcdcaf51fde050bd0de0ece82d7ccc43ed584
SHA512240baaaa1330186096cf71d772adfb623a49ddb9ea02ea525bacd59180f38d3209fd2ac48508ad8ff85f302a9487b0fb7ce47f9b3757c76a97d80fb14b8910b3
-
C:\Users\Admin\Pictures\4A2XlB3XpHnqxCd2ruG1mePF.exeFilesize
427KB
MD5681151d284713457933e6f9e44c15505
SHA1ddad00e4d01f81144123dbc98a98ed0978dce704
SHA2569ceb657d7af442a0b4361c2c920c278cae6bc9a6bd165984fb78a05d51c75d73
SHA5125bfe375a8246bece2601353a8f61acfa30eb551dd50d663a487072a1f016910e2b0dbef0d8b6bbc4e8ebd99e43fdae6e5d624af1070ca0ff049bb9b8af202058
-
C:\Users\Admin\Pictures\Gelj3x2fLLMK6s2i790y7sBw.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\rOKQrf2ftbZp2SuDxiZBUYiu.exeFilesize
3.9MB
MD5ffee05ea98b1d51026a44fad0841a8a9
SHA150a703329c7b9812c17a02b554cf406040079fec
SHA2564cb040696b9ffb14794955b0e56eed04fde0cae3a5ee748dd513ad42c411c823
SHA512626ddc18a906b74a231daa5bcc092a90708e0e3d42e4db645d59d19de7ef38a2d91a843f11dbc7873d379bfa14e87c5fc6d09a657e0b44abd24b9991cb971f86
-
C:\Users\Admin\Pictures\uIw3QMTkSde6pKxRdVN5APvx.exeFilesize
4.1MB
MD5db117a12dc77d05d91cb7c79917152a5
SHA1a1a4b1eeec5e78cfbaad2a106b97029530b65718
SHA25623f4ed851cba5df64e6eb490e6d049c084118fd5b67019aad8088cc720f7e2a5
SHA512196023c8a801decacb2e6f43ff1a4bf8952b6db0636e584ef130fa6d18f926da7784c8acdea731d4bff64c323f7f6f21615c078730150ee3951986935b8cf645
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d1f800efb7037e242f368235cb8a1e51
SHA1890b271cf22957a07bea97970235e404e59e2a13
SHA25665b19b7dd101fed5384fa059b19ada6dac32f902adfff7779504c6037ecb3d43
SHA512b1cc462f448a344ebbd338697fb5ad54391a22357adaab216d452534e4cf9efe0aa4d466e1cf5da20b38aa87d4a9d8ecd4afab2fc0c02ade2663fe4236e728ec
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD568522a806b6aa6e101553ded1d6e2ce7
SHA1adf3fff34b0b09a78b44056e0ec51aeaa143c65e
SHA2565977c3425413737d71f331f15219e1ed0591cc84cbb0610362c1b40c663a6087
SHA5120e2f4d1d6b8ea0cf564afc544a78d5e53997b495923380d42adca2a400f45f752016108be328d831a1b16dbe1b36708b56fb83ae49899e031ce8471e4d31158a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56f85105c196bec0be60948a2aa8e6129
SHA1c34f356316609f221689175baa60604a36b2ed59
SHA25654358981e7edc7b704ac562824c3276b76f54ac118465c2eb34fea539c2d8039
SHA512e7ec4812eb9b6461cb095c08c3944f369a6489209256184ce5db76a61403c51f839092f40d90b3033700ac0e4549704b615ce721fe8b3f2a02d9b3ebb5dcede1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b5c1401e70cb3d0487f094c72c3d5c9a
SHA1454d0a1869b28b7a9cfcaa26c6cd00e0cab2f4fc
SHA25615ced922d524259258c73e0e919fcfcf6c3320bc4e49a58639b28b1943bfcf85
SHA51267a4f001d54a25b6d80fda6d7bf3ccdde60a4e9ed812f101d7ad739e40fba3e6c4adfa83607e8bf2b4e5654cd9c697d2f0ad3e0ca7912fb272990e33e6ea8648
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD586b70be083e5503fc30482407e79c6a3
SHA1a84c477c36a1cbdc304016debe77992d5a7ad24a
SHA2561e95d2a324eefcfda9c0b23b0a541b2c8c7f3a320c7099643669e71feb9b2f36
SHA512738256c7c0079b6e7ffaccefc9a4e0b3e036436faa6afe2a27f3517ff6523767a459388802b3524f1f6256c807277fb92f7120492bb5da9f58aa82d663314d70
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e011135daf1ae3b93144df9a0ce4f55f
SHA1caefafc3ecd8fc91ad4f5776441512999cd74e86
SHA256d149c71702caa9d063731d4e637b05f9654f2f75ab49762a07fc5c79e3b9f680
SHA51217223fbc8ba6ec76c0bd7393b7a020c124914d0dbaaf3af024b83f9854c716ec2a7268eb4526e9e853636db6ed9220b117010c56d38a9d1374da4eb8328a3a44
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/452-165-0x0000000004730000-0x0000000004740000-memory.dmpFilesize
64KB
-
memory/452-133-0x0000000005670000-0x00000000059C4000-memory.dmpFilesize
3.3MB
-
memory/452-136-0x0000000004730000-0x0000000004740000-memory.dmpFilesize
64KB
-
memory/452-135-0x0000000004730000-0x0000000004740000-memory.dmpFilesize
64KB
-
memory/452-137-0x0000000075270000-0x0000000075A20000-memory.dmpFilesize
7.7MB
-
memory/452-152-0x000000006FF80000-0x000000006FFCC000-memory.dmpFilesize
304KB
-
memory/452-151-0x000000007F020000-0x000000007F030000-memory.dmpFilesize
64KB
-
memory/452-153-0x0000000070150000-0x00000000704A4000-memory.dmpFilesize
3.3MB
-
memory/452-164-0x0000000006D00000-0x0000000006DA3000-memory.dmpFilesize
652KB
-
memory/452-163-0x0000000004730000-0x0000000004740000-memory.dmpFilesize
64KB
-
memory/820-544-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/820-535-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1312-3-0x0000023ECF670000-0x0000023ECF6CE000-memory.dmpFilesize
376KB
-
memory/1312-23-0x00007FFC37440000-0x00007FFC37F01000-memory.dmpFilesize
10.8MB
-
memory/1312-2-0x0000023ECF700000-0x0000023ECF710000-memory.dmpFilesize
64KB
-
memory/1312-1-0x00007FFC37440000-0x00007FFC37F01000-memory.dmpFilesize
10.8MB
-
memory/1312-0-0x0000023ECD990000-0x0000023ECD99E000-memory.dmpFilesize
56KB
-
memory/1396-186-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/1396-122-0x0000000003B50000-0x0000000003F4D000-memory.dmpFilesize
4.0MB
-
memory/1396-134-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/1620-460-0x0000000000400000-0x0000000001A35000-memory.dmpFilesize
22.2MB
-
memory/2092-71-0x0000000005D60000-0x0000000005D7E000-memory.dmpFilesize
120KB
-
memory/2092-91-0x00000000049B0000-0x00000000049C0000-memory.dmpFilesize
64KB
-
memory/2092-102-0x0000000075270000-0x0000000075A20000-memory.dmpFilesize
7.7MB
-
memory/2092-56-0x0000000004FF0000-0x0000000005618000-memory.dmpFilesize
6.2MB
-
memory/2092-58-0x0000000004DC0000-0x0000000004DE2000-memory.dmpFilesize
136KB
-
memory/2092-99-0x0000000007510000-0x0000000007518000-memory.dmpFilesize
32KB
-
memory/2092-64-0x0000000005690000-0x00000000056F6000-memory.dmpFilesize
408KB
-
memory/2092-98-0x00000000075C0000-0x00000000075DA000-memory.dmpFilesize
104KB
-
memory/2092-97-0x00000000074D0000-0x00000000074E4000-memory.dmpFilesize
80KB
-
memory/2092-96-0x00000000074C0000-0x00000000074CE000-memory.dmpFilesize
56KB
-
memory/2092-95-0x0000000007480000-0x0000000007491000-memory.dmpFilesize
68KB
-
memory/2092-94-0x0000000007520000-0x00000000075B6000-memory.dmpFilesize
600KB
-
memory/2092-93-0x0000000007460000-0x000000000746A000-memory.dmpFilesize
40KB
-
memory/2092-52-0x0000000075270000-0x0000000075A20000-memory.dmpFilesize
7.7MB
-
memory/2092-54-0x00000000049B0000-0x00000000049C0000-memory.dmpFilesize
64KB
-
memory/2092-92-0x0000000007370000-0x0000000007413000-memory.dmpFilesize
652KB
-
memory/2092-90-0x0000000007350000-0x000000000736E000-memory.dmpFilesize
120KB
-
memory/2092-57-0x00000000049B0000-0x00000000049C0000-memory.dmpFilesize
64KB
-
memory/2092-80-0x000000006FFD0000-0x0000000070324000-memory.dmpFilesize
3.3MB
-
memory/2092-79-0x000000006FF80000-0x000000006FFCC000-memory.dmpFilesize
304KB
-
memory/2092-78-0x0000000007310000-0x0000000007342000-memory.dmpFilesize
200KB
-
memory/2092-53-0x00000000027A0000-0x00000000027D6000-memory.dmpFilesize
216KB
-
memory/2092-76-0x0000000007150000-0x000000000716A000-memory.dmpFilesize
104KB
-
memory/2092-75-0x00000000077A0000-0x0000000007E1A000-memory.dmpFilesize
6.5MB
-
memory/2092-74-0x00000000070A0000-0x0000000007116000-memory.dmpFilesize
472KB
-
memory/2092-73-0x00000000062C0000-0x0000000006304000-memory.dmpFilesize
272KB
-
memory/2092-65-0x0000000005780000-0x00000000057E6000-memory.dmpFilesize
408KB
-
memory/2092-72-0x0000000006360000-0x00000000063AC000-memory.dmpFilesize
304KB
-
memory/2092-70-0x00000000058F0000-0x0000000005C44000-memory.dmpFilesize
3.3MB
-
memory/3344-328-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3344-265-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3344-123-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3344-121-0x0000000003E50000-0x000000000473B000-memory.dmpFilesize
8.9MB
-
memory/3344-120-0x0000000003940000-0x0000000003D47000-memory.dmpFilesize
4.0MB
-
memory/3492-538-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3492-476-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3492-553-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3492-548-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3492-543-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3492-534-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3492-530-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3492-518-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/3500-528-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3660-576-0x00007FFC55290000-0x00007FFC55485000-memory.dmpFilesize
2.0MB
-
memory/3660-569-0x0000000000400000-0x0000000000BEB000-memory.dmpFilesize
7.9MB
-
memory/3660-578-0x000000006F730000-0x000000006F8AB000-memory.dmpFilesize
1.5MB
-
memory/3660-575-0x000000006F730000-0x000000006F8AB000-memory.dmpFilesize
1.5MB
-
memory/3752-407-0x00007FF644850000-0x00007FF645359000-memory.dmpFilesize
11.0MB
-
memory/3752-410-0x00007FF644850000-0x00007FF645359000-memory.dmpFilesize
11.0MB
-
memory/3752-391-0x00007FF644850000-0x00007FF645359000-memory.dmpFilesize
11.0MB
-
memory/3752-405-0x00007FF644850000-0x00007FF645359000-memory.dmpFilesize
11.0MB
-
memory/3752-408-0x00007FF644850000-0x00007FF645359000-memory.dmpFilesize
11.0MB
-
memory/4196-22-0x00000000058B0000-0x00000000058C0000-memory.dmpFilesize
64KB
-
memory/4196-17-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/4196-21-0x0000000075270000-0x0000000075A20000-memory.dmpFilesize
7.7MB
-
memory/4196-77-0x00000000058B0000-0x00000000058C0000-memory.dmpFilesize
64KB
-
memory/4196-55-0x0000000075270000-0x0000000075A20000-memory.dmpFilesize
7.7MB
-
memory/4276-402-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4276-458-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4424-140-0x0000000075270000-0x0000000075A20000-memory.dmpFilesize
7.7MB
-
memory/4452-442-0x0000000000400000-0x0000000001A11000-memory.dmpFilesize
22.1MB
-
memory/4480-12-0x0000016694310000-0x0000016694332000-memory.dmpFilesize
136KB
-
memory/4480-5-0x00000166AC9B0000-0x00000166AC9C0000-memory.dmpFilesize
64KB
-
memory/4480-6-0x00000166AC9B0000-0x00000166AC9C0000-memory.dmpFilesize
64KB
-
memory/4480-4-0x00007FFC37440000-0x00007FFC37F01000-memory.dmpFilesize
10.8MB
-
memory/4480-20-0x00007FFC37440000-0x00007FFC37F01000-memory.dmpFilesize
10.8MB
-
memory/4836-119-0x0000000003A80000-0x0000000003E87000-memory.dmpFilesize
4.0MB
-
memory/4836-49-0x0000000003A80000-0x0000000003E87000-memory.dmpFilesize
4.0MB
-
memory/4836-50-0x0000000003E90000-0x000000000477B000-memory.dmpFilesize
8.9MB
-
memory/4836-139-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB
-
memory/4836-51-0x0000000000400000-0x0000000001DEE000-memory.dmpFilesize
25.9MB