Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231201-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2023 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    289KB

  • MD5

    c0c30336ab2e19b7d54e6cb284d12069

  • SHA1

    2d48312b4d4e689070f6a31daa8c36826c70a1f8

  • SHA256

    69ca858a2840e88685b4ba36d161a4dec20f946a28c2e64a0bb68493174c9151

  • SHA512

    7f6f442ad9596f0269290b9e13136be77f5df30887d1bce04edfd0b8fab3ae48551203d2bde24ffdf24ae12ebb7db9d199b9c5e40f0c5580b07661e5acd92729

  • SSDEEP

    3072:SPSM39q1Vnb7iXx0+AgH+B9CTf6qNRqIZapPwOeTRWL:aNNc7i4gHC0Ty/IMpoT

Score
10/10
gluptebasmokeloaderpub1backdoorcollectiondiscoverydropperevasionloaderpersistencerootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 15 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2212
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AC1E.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\AC1E.dll
      2⤵
      • Loads dropped DLL
      PID:4400
  • C:\Users\Admin\AppData\Local\Temp\AE81.exe
    C:\Users\Admin\AppData\Local\Temp\AE81.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 352
      2⤵
      • Program crash
      PID:3616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 680 -ip 680
    1⤵
      PID:4024
    • C:\Users\Admin\AppData\Local\Temp\BAA7.exe
      C:\Users\Admin\AppData\Local\Temp\BAA7.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Users\Admin\AppData\Local\Temp\C324.exe
      C:\Users\Admin\AppData\Local\Temp\C324.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3560
    • C:\Users\Admin\AppData\Local\Temp\CC1E.exe
      C:\Users\Admin\AppData\Local\Temp\CC1E.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
      • C:\Users\Admin\AppData\Local\Temp\CC1E.exe
        "C:\Users\Admin\AppData\Local\Temp\CC1E.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks for VirtualBox DLLs, possible anti-VM trick
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          3⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1036
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\system32\netsh.exe
            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            4⤵
            • Modifies Windows Firewall
            PID:2964
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          3⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:3880
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          3⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:3460
        • C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Manipulates WinMonFS driver.
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4324
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:1464
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:392
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /tn ScheduledUpdate /f
            4⤵
              PID:2804
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:1848
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
              • Drops file in System32 directory
              • Suspicious use of AdjustPrivilegeToken
              PID:1948
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              4⤵
              • Executes dropped EXE
              PID:3984
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              4⤵
              • Creates scheduled task(s)
              PID:3892
            • C:\Windows\windefender.exe
              "C:\Windows\windefender.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2024
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                5⤵
                  PID:1756
                  • C:\Windows\SysWOW64\sc.exe
                    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    6⤵
                    • Launches sc.exe
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2396
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 828
            2⤵
            • Program crash
            PID:4708
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:4488
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:3308
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5048 -ip 5048
            1⤵
              PID:4868
            • C:\Windows\windefender.exe
              C:\Windows\windefender.exe
              1⤵
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              PID:2284

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Defense Evasion

            Modify Registry

            1
            T1112

            Virtualization/Sandbox Evasion

            1
            T1497

            Credential Access

            Unsecured Credentials

            2
            T1552

            Credentials In Files

            2
            T1552.001

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            5
            T1012

            System Information Discovery

            4
            T1082

            Virtualization/Sandbox Evasion

            1
            T1497

            Lateral Movement

            Collection

            Data from Local System

            2
            T1005

            Email Collection

            1
            T1114

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\AC1E.dll
              Filesize

              3.0MB

              MD5

              3a750b231ca7d49b77a2811578e223ac

              SHA1

              dbf0520ff8919405d4ffaa620dfce2db63e56367

              SHA256

              f75b0fc647b7f0a05d07ec3fe7b8880d6099074151e889108eff670a4dc675c2

              SHA512

              05751db3d113250df57bcf99dae3fe2b04737adfd29384caf17002fcbd272aca85675fb33a25083315fb0f4f2c5524f6c425c3f42f1afc7eceda154aa54578d9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\AC1E.dll
              Filesize

              3.0MB

              MD5

              3a750b231ca7d49b77a2811578e223ac

              SHA1

              dbf0520ff8919405d4ffaa620dfce2db63e56367

              SHA256

              f75b0fc647b7f0a05d07ec3fe7b8880d6099074151e889108eff670a4dc675c2

              SHA512

              05751db3d113250df57bcf99dae3fe2b04737adfd29384caf17002fcbd272aca85675fb33a25083315fb0f4f2c5524f6c425c3f42f1afc7eceda154aa54578d9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\AE81.exe
              Filesize

              1.1MB

              MD5

              8d6db1c0be603e301e14d59ef24d7b06

              SHA1

              4d31f48256ed1320605284c119dffadd14dcc510

              SHA256

              e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

              SHA512

              53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\AE81.exe
              Filesize

              1.1MB

              MD5

              8d6db1c0be603e301e14d59ef24d7b06

              SHA1

              4d31f48256ed1320605284c119dffadd14dcc510

              SHA256

              e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

              SHA512

              53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\BAA7.exe
              Filesize

              4.6MB

              MD5

              18522f12bc42b23be611bd4d961d7bff

              SHA1

              6c37991adeb58df30b3476acddb97ac7152d2662

              SHA256

              ad68b573ce00db5608871f4a64c1f92bf77f63be5f149d7cbb176d24d63d12fd

              SHA512

              019df8189e2889fb500c849faee9984f2bb42ac74ffe843eb6f964febdea48a3ef8963f02d38f233a4abd8156dee543a14da786dfa5e6025e3ab34f0020dafb3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\BAA7.exe
              Filesize

              4.6MB

              MD5

              18522f12bc42b23be611bd4d961d7bff

              SHA1

              6c37991adeb58df30b3476acddb97ac7152d2662

              SHA256

              ad68b573ce00db5608871f4a64c1f92bf77f63be5f149d7cbb176d24d63d12fd

              SHA512

              019df8189e2889fb500c849faee9984f2bb42ac74ffe843eb6f964febdea48a3ef8963f02d38f233a4abd8156dee543a14da786dfa5e6025e3ab34f0020dafb3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\C324.exe
              Filesize

              288KB

              MD5

              5afea8c4d508d57246dfb27921848565

              SHA1

              a98d3afd28397afd3b4e95cce844c706c34840c2

              SHA256

              5c0fe21dd80b3ce63cd5b70a282a802ffcc18ce692af110a853d4e1a8ac0739b

              SHA512

              cad2602a2092336f1e26ea3db15aea4251f3fdfd6785e234ff15b59f04b65b67d6cb3e8f3003a4bf42c32f9430c7679366550adf314098c87e6cb81a1d93fc03

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\C324.exe
              Filesize

              288KB

              MD5

              5afea8c4d508d57246dfb27921848565

              SHA1

              a98d3afd28397afd3b4e95cce844c706c34840c2

              SHA256

              5c0fe21dd80b3ce63cd5b70a282a802ffcc18ce692af110a853d4e1a8ac0739b

              SHA512

              cad2602a2092336f1e26ea3db15aea4251f3fdfd6785e234ff15b59f04b65b67d6cb3e8f3003a4bf42c32f9430c7679366550adf314098c87e6cb81a1d93fc03

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CC1E.exe
              Filesize

              4.2MB

              MD5

              3166cd084b520b24580f746386d16b28

              SHA1

              8e57cf9b937ac200c3749c426ed3f949bfc0e297

              SHA256

              50d664b8c2f334e726a03fa773a830860c0cf7920793aeedaa6fdf780374c206

              SHA512

              bc8015b5554e9a186b3a24db23dd743ad21fe39642a574a2309743398d64ce7c38b37a2aac5e21bbabc791a2d484395b14d87675498f3169158239432fbead69

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CC1E.exe
              Filesize

              4.2MB

              MD5

              3166cd084b520b24580f746386d16b28

              SHA1

              8e57cf9b937ac200c3749c426ed3f949bfc0e297

              SHA256

              50d664b8c2f334e726a03fa773a830860c0cf7920793aeedaa6fdf780374c206

              SHA512

              bc8015b5554e9a186b3a24db23dd743ad21fe39642a574a2309743398d64ce7c38b37a2aac5e21bbabc791a2d484395b14d87675498f3169158239432fbead69

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CC1E.exe
              Filesize

              4.2MB

              MD5

              3166cd084b520b24580f746386d16b28

              SHA1

              8e57cf9b937ac200c3749c426ed3f949bfc0e297

              SHA256

              50d664b8c2f334e726a03fa773a830860c0cf7920793aeedaa6fdf780374c206

              SHA512

              bc8015b5554e9a186b3a24db23dd743ad21fe39642a574a2309743398d64ce7c38b37a2aac5e21bbabc791a2d484395b14d87675498f3169158239432fbead69

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnbgtz20.jjk.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Users\Admin\AppData\Roaming\jjibccg
              Filesize

              288KB

              MD5

              5afea8c4d508d57246dfb27921848565

              SHA1

              a98d3afd28397afd3b4e95cce844c706c34840c2

              SHA256

              5c0fe21dd80b3ce63cd5b70a282a802ffcc18ce692af110a853d4e1a8ac0739b

              SHA512

              cad2602a2092336f1e26ea3db15aea4251f3fdfd6785e234ff15b59f04b65b67d6cb3e8f3003a4bf42c32f9430c7679366550adf314098c87e6cb81a1d93fc03

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              3d086a433708053f9bf9523e1d87a4e8

              SHA1

              b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

              SHA256

              6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

              SHA512

              931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              ed82a3107e3f115799924e5e7cb8dbc3

              SHA1

              4a36a265c360adee437a86a9cbc58544df83e890

              SHA256

              2dc6eb62b3a4550c8fde2819d9b13c1d1ae6f23265ca8bda70571346fe5c97f8

              SHA512

              ca8fad7001f337efe47c3335c5f1c9811a32870e95b0d45ace436d170fd681fd8f706cf1d9142b825181df4bc6835b195c2a1c62805305e54c73a0a5cd734d6c

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              d67759bfabc7a622f6df3040c11b0991

              SHA1

              4ff42d75fdcc0ad6e53c484bd842c2166c03fef9

              SHA256

              af03739a7520a561768e688b734531588ce9cda65bb16c6e6d6b48600ceb425a

              SHA512

              1e5d5c6de32cb641bb101ad9c6d2f07aeb4ab21069497c4e46e205ac17799f2f9a645c928f1c45d28dda02549518ec2888c71a43c0367fb693cc5f158b69cbcd

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              ca55e6b820a54060e951b686b8e1146c

              SHA1

              cc8cbe6b52d82993a817aa44dea66ab686c2d146

              SHA256

              d11566cc9a2a81dd94f2977653f8c402954ff9ea25f3beedb5d5e95ed7efef62

              SHA512

              b1a1841f12f4a4c562bf44085a7b6a1b453009e0ba11b4a1505786bbbaa2a644d75b80e1560b7ffa2bd9091cc45c497c905cbe3ec0fdd5f10831b64305cb0017

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              c98dde29c05b0f21377da18f23c96f74

              SHA1

              1ce64c310def17b3c69ac442c26be0348d8dc2f2

              SHA256

              92f09855032c5d9d351b07938e6f4706826933c33604e96ad677f390745c97cc

              SHA512

              5821c92702056adf2e3ee2f28b2913b78d1571588eab6bce3438b3ccdfba6e2ab28a1257a8091d8f1b9bb1d6b93ef159277a01d9097bd9019a89149894cd7bd4

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              fa1a7eecbce3ff4db28bf2b433d4e6e8

              SHA1

              f6e817844f53c7de25aa9f05a6fdec5d66007fc0

              SHA256

              0dda9ba7d56f49b01ff96bb6b98ca1e3cda48d7e502e9c70516d615cd011e06b

              SHA512

              e2a4dc3cd00cb0cf7b176a886297afc69ad34c24d066d6f1937e5fc09ee6fd8a88d0d3b8e01599e0cedb19063fc8d71ff1ae90221a1de8017dd281ae901fe1b5

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.2MB

              MD5

              3166cd084b520b24580f746386d16b28

              SHA1

              8e57cf9b937ac200c3749c426ed3f949bfc0e297

              SHA256

              50d664b8c2f334e726a03fa773a830860c0cf7920793aeedaa6fdf780374c206

              SHA512

              bc8015b5554e9a186b3a24db23dd743ad21fe39642a574a2309743398d64ce7c38b37a2aac5e21bbabc791a2d484395b14d87675498f3169158239432fbead69

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.2MB

              MD5

              3166cd084b520b24580f746386d16b28

              SHA1

              8e57cf9b937ac200c3749c426ed3f949bfc0e297

              SHA256

              50d664b8c2f334e726a03fa773a830860c0cf7920793aeedaa6fdf780374c206

              SHA512

              bc8015b5554e9a186b3a24db23dd743ad21fe39642a574a2309743398d64ce7c38b37a2aac5e21bbabc791a2d484395b14d87675498f3169158239432fbead69

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • memory/380-57-0x0000000005D80000-0x0000000005DF6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/380-68-0x0000000007820000-0x00000000079E2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/380-37-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/380-36-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

              Filesize

              240KB

              Download

            • memory/380-120-0x00000000747F0000-0x0000000074FA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/380-115-0x00000000747F0000-0x0000000074FA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/380-34-0x00000000050D0000-0x00000000051DA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/380-31-0x0000000002A00000-0x0000000002A12000-memory.dmp

              Filesize

              72KB

              Download

            • memory/380-29-0x00000000055E0000-0x0000000005BF8000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/380-38-0x00000000051E0000-0x0000000005246000-memory.dmp

              Filesize

              408KB

              Download

            • memory/380-28-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/380-58-0x0000000006060000-0x000000000607E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/380-27-0x00000000747F0000-0x0000000074FA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/380-26-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/380-69-0x0000000007F20000-0x000000000844C000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/380-66-0x0000000006230000-0x0000000006280000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1176-166-0x00000000045B0000-0x00000000045C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1176-149-0x0000000006E10000-0x0000000006E2A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1176-131-0x00000000045B0000-0x00000000045C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1176-132-0x0000000004BF0000-0x0000000005218000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1176-129-0x00000000747D0000-0x0000000074F80000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1176-130-0x00000000045B0000-0x00000000045C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1176-150-0x0000000006FD0000-0x0000000007002000-memory.dmp

              Filesize

              200KB

              Download

            • memory/1176-138-0x00000000052D0000-0x00000000052F2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1176-165-0x0000000007010000-0x000000000702E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1176-155-0x000000007FB60000-0x000000007FB70000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1176-152-0x00000000743D0000-0x000000007441C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1176-154-0x00000000701A0000-0x00000000704F4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1176-127-0x0000000004490000-0x00000000044C6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1176-139-0x0000000005370000-0x00000000053D6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1176-144-0x00000000055C0000-0x0000000005914000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1176-167-0x0000000007030000-0x00000000070D3000-memory.dmp

              Filesize

              652KB

              Download

            • memory/1176-148-0x0000000007470000-0x0000000007AEA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1176-147-0x0000000006970000-0x00000000069B4000-memory.dmp

              Filesize

              272KB

              Download

            • memory/1176-146-0x0000000005B00000-0x0000000005B4C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1176-145-0x0000000005A50000-0x0000000005A6E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1596-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/2024-409-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/2212-1-0x0000000000A00000-0x0000000000B00000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2212-3-0x0000000000400000-0x000000000086B000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2212-2-0x00000000008E0000-0x00000000008EB000-memory.dmp

              Filesize

              44KB

              Download

            • memory/2212-5-0x0000000000400000-0x000000000086B000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/2284-416-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/2284-412-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/3308-83-0x00000000005A0000-0x00000000005A7000-memory.dmp

              Filesize

              28KB

              Download

            • memory/3308-87-0x0000000000590000-0x000000000059C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3308-82-0x0000000000590000-0x000000000059C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3464-51-0x00000000776C4000-0x00000000776C6000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3464-49-0x0000000075F50000-0x0000000076040000-memory.dmp

              Filesize

              960KB

              Download

            • memory/3464-125-0x0000000000260000-0x0000000000DA0000-memory.dmp

              Filesize

              11.2MB

              Download

            • memory/3464-126-0x0000000075F50000-0x0000000076040000-memory.dmp

              Filesize

              960KB

              Download

            • memory/3464-56-0x00000000035E0000-0x00000000035EA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3464-55-0x0000000007E50000-0x0000000007EE2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3464-54-0x0000000008320000-0x00000000088C4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3464-53-0x0000000000260000-0x0000000000DA0000-memory.dmp

              Filesize

              11.2MB

              Download

            • memory/3464-47-0x0000000075F50000-0x0000000076040000-memory.dmp

              Filesize

              960KB

              Download

            • memory/3464-46-0x0000000075F50000-0x0000000076040000-memory.dmp

              Filesize

              960KB

              Download

            • memory/3464-45-0x0000000075F50000-0x0000000076040000-memory.dmp

              Filesize

              960KB

              Download

            • memory/3464-44-0x0000000075F50000-0x0000000076040000-memory.dmp

              Filesize

              960KB

              Download

            • memory/3464-42-0x0000000000260000-0x0000000000DA0000-memory.dmp

              Filesize

              11.2MB

              Download

            • memory/3512-107-0x0000000003020000-0x0000000003036000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3512-4-0x0000000002F10000-0x0000000002F26000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3560-64-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/3560-65-0x00000000008E0000-0x00000000008EB000-memory.dmp

              Filesize

              44KB

              Download

            • memory/3560-110-0x0000000000400000-0x000000000086B000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/3560-67-0x0000000000400000-0x000000000086B000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/4324-415-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4324-401-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4324-413-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4324-417-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4324-410-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4324-419-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4324-421-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4400-188-0x0000000024010000-0x0000000024061000-memory.dmp

              Filesize

              324KB

              Download

            • memory/4400-35-0x0000000000980000-0x0000000000A93000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4400-187-0x00000000002F0000-0x0000000000301000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4400-182-0x00000000038F0000-0x00000000039FA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4400-179-0x00000000038F0000-0x00000000039FA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4400-175-0x00000000037E0000-0x00000000038E5000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4400-173-0x00000000027D0000-0x00000000037D4000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4400-172-0x0000000000980000-0x0000000000A93000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4400-111-0x0000000010000000-0x00000000102FB000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/4400-17-0x00000000003F0000-0x00000000003F6000-memory.dmp

              Filesize

              24KB

              Download

            • memory/4400-18-0x0000000010000000-0x00000000102FB000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/4400-25-0x0000000002690000-0x00000000027C2000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4400-30-0x0000000000980000-0x0000000000A93000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4488-77-0x0000000000A00000-0x0000000000A75000-memory.dmp

              Filesize

              468KB

              Download

            • memory/4488-78-0x0000000000750000-0x00000000007BB000-memory.dmp

              Filesize

              428KB

              Download

            • memory/4488-106-0x0000000000750000-0x00000000007BB000-memory.dmp

              Filesize

              428KB

              Download

            • memory/4488-76-0x0000000000750000-0x00000000007BB000-memory.dmp

              Filesize

              428KB

              Download

            • memory/5048-194-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/5048-80-0x0000000002970000-0x0000000002D76000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/5048-79-0x0000000002D80000-0x000000000366B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/5048-153-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/5048-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/5048-151-0x0000000002D80000-0x000000000366B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/5048-114-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/5048-122-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download